dependencyiq 2.0.0 → 2.2.0

package/src/httpRetry.js

@@ -1,48 +1,48 @@
-/**
- * Shared retry/backoff helper for the HTTP calls this project makes to
- * GitLab Orbit and package registries (npm, PyPI, Go proxy, Maven
- * Central). A flaky network hiccup during a live demo or a CI run
- * shouldn't read as "Orbit unavailable" / "registry lookup failed" when
- * a second attempt would have succeeded — but a real rejection (a 404 for
- * "this package doesn't exist," a 400 for a malformed query) must never
- * be retried, since retrying a deterministic rejection just wastes time
- * and risks masking a real bug as a transient one.
- *
- * Transient = no HTTP response at all (DNS failure, connection reset,
- * timeout) or a 5xx from the server. Anything else (4xx, or a 2xx that
- * the caller itself decides is wrong) is final on the first attempt.
- */
-
-function isTransientError(error) {
-  const transientCodes = new Set(['ECONNABORTED', 'ETIMEDOUT', 'ECONNRESET', 'ENOTFOUND', 'EAI_AGAIN']);
-  if (error.code && transientCodes.has(error.code)) return true;
-  const status = error.response?.status;
-  // No response at all (network-level failure axios didn't tag with a
-  // known code) is treated the same as a 5xx: worth one retry.
-  return status === undefined || status >= 500;
-}
-
-/**
- * @param {() => Promise<any>} fn - the call to attempt
- * @param {Object} [options]
- * @param {number} [options.retries=2] - additional attempts after the first
- * @param {number} [options.baseDelayMs=300] - delay before the first retry; doubles each subsequent attempt
- * @returns {Promise<any>}
- */
-async function withRetry(fn, { retries = 2, baseDelayMs = 300 } = {}) {
-  let lastError;
-  for (let attempt = 0; attempt <= retries; attempt += 1) {
-    try {
-      return await fn();
-    } catch (error) {
-      lastError = error;
-      const isFinalAttempt = attempt === retries;
-      if (isFinalAttempt || !isTransientError(error)) throw error;
-      const delayMs = baseDelayMs * 2 ** attempt;
-      await new Promise(resolve => { setTimeout(resolve, delayMs); });
-    }
-  }
-  throw lastError;
-}
-
-module.exports = { withRetry, isTransientError };
+/**
+ * Shared retry/backoff helper for the HTTP calls this project makes to
+ * GitLab Orbit and package registries (npm, PyPI, Go proxy, Maven
+ * Central). A flaky network hiccup during a live demo or a CI run
+ * shouldn't read as "Orbit unavailable" / "registry lookup failed" when
+ * a second attempt would have succeeded — but a real rejection (a 404 for
+ * "this package doesn't exist," a 400 for a malformed query) must never
+ * be retried, since retrying a deterministic rejection just wastes time
+ * and risks masking a real bug as a transient one.
+ *
+ * Transient = no HTTP response at all (DNS failure, connection reset,
+ * timeout) or a 5xx from the server. Anything else (4xx, or a 2xx that
+ * the caller itself decides is wrong) is final on the first attempt.
+ */
+
+function isTransientError(error) {
+  const transientCodes = new Set(['ECONNABORTED', 'ETIMEDOUT', 'ECONNRESET', 'ENOTFOUND', 'EAI_AGAIN']);
+  if (error.code && transientCodes.has(error.code)) return true;
+  const status = error.response?.status;
+  // No response at all (network-level failure axios didn't tag with a
+  // known code) is treated the same as a 5xx: worth one retry.
+  return status === undefined || status >= 500;
+}
+
+/**
+ * @param {() => Promise<any>} fn - the call to attempt
+ * @param {Object} [options]
+ * @param {number} [options.retries=2] - additional attempts after the first
+ * @param {number} [options.baseDelayMs=300] - delay before the first retry; doubles each subsequent attempt
+ * @returns {Promise<any>}
+ */
+async function withRetry(fn, { retries = 2, baseDelayMs = 300 } = {}) {
+  let lastError;
+  for (let attempt = 0; attempt <= retries; attempt += 1) {
+    try {
+      return await fn();
+    } catch (error) {
+      lastError = error;
+      const isFinalAttempt = attempt === retries;
+      if (isFinalAttempt || !isTransientError(error)) throw error;
+      const delayMs = baseDelayMs * 2 ** attempt;
+      await new Promise(resolve => { setTimeout(resolve, delayMs); });
+    }
+  }
+  throw lastError;
+}
+
+module.exports = { withRetry, isTransientError };

package/src/orbitClient.js

@@ -204,6 +204,45 @@ async function findProjectsImportingPackage(groupId, packageName) {
   return Array.from(byProject.values());
 }
 
+/**
+ * Does Orbit have indexed source for this project in the given language?
+ * Orbit indexes the DEFAULT branch only. A project whose default branch is,
+ * say, JavaScript will have File nodes — but scanning that project's Python
+ * feature branch must NOT be treated as "indexed", or a zero-importer Python
+ * package looks falsely "unused". So we ask specifically: does Orbit have any
+ * File of `language` for this project? If `language` is omitted we fall back
+ * to "any File at all". Returns false on any query error — the safe
+ * direction, since this only ever suppresses a removal recommendation, never
+ * invents one.
+ */
+async function isProjectIndexed(projectId, language) {
+  try {
+    const fileToProjectEdges = await relationshipCandidates('File', 'Project', FILE_TO_PROJECT_EDGE_CANDIDATES);
+    const result = await queryWithRelationshipFallback(
+      (fileToProjectEdge) => ({
+        query_type: 'traversal',
+        nodes: [
+          { id: 'p', entity: 'Project', node_ids: [Number(projectId)] },
+          {
+            id: 'f',
+            entity: 'File',
+            columns: ['path', 'language'],
+            ...(language ? { filters: { language: { contains: language } } } : {}),
+          },
+        ],
+        relationships: [
+          { type: fileToProjectEdge, from: 'f', to: 'p' },
+        ],
+        limit: 1,
+      }),
+      [fileToProjectEdges]
+    );
+    return (result.result || []).length > 0;
+  } catch {
+    return false;
+  }
+}
+
 module.exports = {
   getStatus,
   getSchema,
@@ -211,4 +250,5 @@ module.exports = {
   query,
   findPackageImporters,
   findProjectsImportingPackage,
+  isProjectIndexed,
 };

package/src/scanners/dependencyTreeBuilder.js

@@ -160,15 +160,45 @@ function buildPoetryGraph(repoPath) {
   return { directDeps, lookup };
 }
 
+/**
+ * The hoisted top-level lockfile entry only ever records ONE resolved
+ * version of `packageName`. When OSV flags a version that doesn't match
+ * that top-level entry, the vulnerable copy is a separate nested
+ * duplicate the hoisted lookup never sees (see module docstring) — find
+ * it by scanning every `node_modules/.../node_modules/<packageName>`
+ * path for one whose `version` matches, and return its immediate parent
+ * package name so the caller can scope an `overrides` entry to that
+ * subtree instead of the (already-safe) top-level package.
+ * @returns {string|null} immediate parent package name, or null if no
+ *   nested duplicate at that exact version was found
+ */
+function findNestedDuplicateParent(lockfile, packageName, vulnerableVersion) {
+  if (!lockfile?.packages || !vulnerableVersion) return null;
+  const suffix = `/node_modules/${packageName}`;
+  for (const [pkgPath, entry] of Object.entries(lockfile.packages)) {
+    const isNestedDuplicate = pkgPath !== `node_modules/${packageName}` && pkgPath.endsWith(suffix);
+    if (isNestedDuplicate && entry.version === vulnerableVersion) {
+      const parentPath = pkgPath.slice(0, -suffix.length);
+      const lastSegment = parentPath.split('node_modules/').pop();
+      if (lastSegment) return lastSegment;
+    }
+  }
+  return null;
+}
+
 /**
  * @param {string} repoPath
  * @param {string} ecosystem
  * @param {string} packageName
+ * @param {string} [vulnerableVersion] - the specific version OSV flagged;
+ *   when it disagrees with the top-level hoisted resolution, this looks
+ *   for a nested duplicate at that version instead of trusting the
+ *   "direct dependency" name match (see findNestedDuplicateParent)
  * @returns {Object} { available, isDirect, chain } — chain is null when
  *   not determinable (unsupported ecosystem, no lockfile, or not found
  *   within the BFS depth limit)
  */
-function resolveDependencyChain(repoPath, ecosystem, packageName) {
+function resolveDependencyChain(repoPath, ecosystem, packageName, vulnerableVersion) {
   if (ecosystem === 'npm') {
     const lockfile = loadNpmLockfile(repoPath);
     if (!lockfile) {
@@ -179,6 +209,13 @@ function resolveDependencyChain(repoPath, ecosystem, packageName) {
       return { available: false, isDirect: null, chain: null, reason: 'Unsupported or malformed lockfile format' };
     }
     if (graph.directDeps.includes(packageName)) {
+      const topLevelEntry = lockfile.packages[`node_modules/${packageName}`];
+      if (vulnerableVersion && topLevelEntry && topLevelEntry.version !== vulnerableVersion) {
+        const parent = findNestedDuplicateParent(lockfile, packageName, vulnerableVersion);
+        if (parent) {
+          return { available: true, isDirect: false, chain: [parent, packageName], nestedDuplicateOfDirectDep: true };
+        }
+      }
       return { available: true, isDirect: true, chain: [packageName] };
     }
     return { available: true, isDirect: false, chain: findShortestChain(graph, packageName) };
@@ -220,6 +257,7 @@ module.exports = {
   resolveDependencyChain,
   buildNpmGraph,
   findShortestChain,
+  findNestedDuplicateParent,
   getLockfileEntry,
   normalizePyPiName,
   loadPoetryDirectDeps,

package/src/scanners/ecosystemFixers.js

@@ -55,10 +55,41 @@ function transformNpmContent(content, packageName, fixedVersion) {
  * still pick a parent-compatible version, just never one below the
  * patched floor.
  */
-function addNpmOverrideContent(content, packageName, floorVersion) {
+function addNpmOverrideContent(content, packageName, floorVersion, parentPackage) {
   const pkg = JSON.parse(content);
   pkg.overrides = pkg.overrides || {};
   const constraint = `>=${floorVersion}`;
+  const isAlsoDirectDep = ['dependencies', 'devDependencies', 'optionalDependencies']
+    .some((section) => pkg[section]?.[packageName]);
+
+  // A flat top-level override (`overrides: { js-yaml: ">=x" }`) collides
+  // with npm's own resolution of a same-named DIRECT dependency — npm
+  // rejects that combination at install time with EOVERRIDE ("conflicts
+  // with direct dependency"), even when the constraint is compatible.
+  // When the flagged vulnerable copy is nested under a known parent
+  // (the common case: a transitive dev-tool dependency shadows a
+  // package you also depend on directly at a safe version), scope the
+  // override to that parent instead — it only affects that subtree and
+  // never touches the direct dependency's own resolution.
+  if (isAlsoDirectDep && !parentPackage) {
+    return { touched: false, warning: `${packageName} is already a direct dependency, and the vulnerable copy's parent package is unknown — a flat "overrides" entry would conflict with npm's EOVERRIDE check; resolve the dependency chain first or add a scoped override (overrides: { "<parent>": { "${packageName}": "${constraint}" } }) manually` };
+  }
+
+  if (parentPackage) {
+    pkg.overrides[parentPackage] = pkg.overrides[parentPackage] || {};
+    if (pkg.overrides[parentPackage][packageName] === constraint) {
+      return { touched: false, warning: `package.json already overrides ${packageName} to ${constraint} under ${parentPackage}` };
+    }
+    pkg.overrides[parentPackage][packageName] = constraint;
+    return {
+      touched: true,
+      action: 'override',
+      content: JSON.stringify(pkg, null, 2) + '\n',
+      followUp: 'npm install (regenerates package-lock.json with the override applied)',
+      warning: `Forced ${packageName} to ${constraint} within ${parentPackage}'s dependency subtree via package.json "overrides" — verify the resolved tree with "npm ls ${packageName}" after install`,
+    };
+  }
+
   if (pkg.overrides[packageName] === constraint) {
     return { touched: false, warning: `package.json already overrides ${packageName} to ${constraint}` };
   }
@@ -251,10 +282,10 @@ function bumpNpm(repoPath, manifestRelPath, packageName, fixedVersion) {
   return applyContentResultToFile(repoPath, manifestRelPath, 'package.json', transformNpmContent(content, packageName, fixedVersion));
 }
 
-function overrideNpm(repoPath, manifestRelPath, packageName, floorVersion) {
+function overrideNpm(repoPath, manifestRelPath, packageName, floorVersion, parentPackage) {
   const content = readManifest(repoPath, manifestRelPath, 'package.json');
   if (content === null) return { applied: false, warning: 'package.json not found' };
-  return applyContentResultToFile(repoPath, manifestRelPath, 'package.json', addNpmOverrideContent(content, packageName, floorVersion));
+  return applyContentResultToFile(repoPath, manifestRelPath, 'package.json', addNpmOverrideContent(content, packageName, floorVersion, parentPackage));
 }
 
 function bumpPython(repoPath, manifestRelPath, packageName, fixedVersion) {
@@ -330,7 +361,8 @@ function applyFix(repoPath, vulnerability) {
   const chain = vulnerability.dependencyChain;
   if (vulnerability.ecosystem === 'npm' && chain?.available && chain.isDirect === false) {
     const floor = vulnerability.osvFloorVersion || vulnerability.fixedVersion;
-    return overrideNpm(repoPath, vulnerability.manifestFile, vulnerability.package, floor);
+    const parent = chain.chain?.length >= 2 ? chain.chain[chain.chain.length - 2] : undefined;
+    return overrideNpm(repoPath, vulnerability.manifestFile, vulnerability.package, floor, parent);
   }
 
   const fixers = { npm: bumpNpm, PyPI: bumpPython, Go: bumpGo, Maven: bumpMaven };