npm - dependencyiq - Versions diffs - 2.1.0 → 2.2.0 - Mend

dependencyiq 2.1.0 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json +1 -1
package/src/agent.js +2 -2
package/src/blastRadius.js +8 -2
package/src/scanners/dependencyTreeBuilder.js +39 -1
package/src/scanners/ecosystemFixers.js +36 -4
package/src/strategyGenerator.js +13 -8

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "dependencyiq",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "Multi-language dependency vulnerability agent: OSV-Scanner + GitLab Orbit blast-radius analysis + automated MRs",
   "main": "src/agent.js",
   "bin": {

package/src/agent.js CHANGED Viewed

@@ -72,7 +72,7 @@ async function analyzeRepository(repoPath, projectId, options = {}) {
     console.log('\n📊 Analyzing blast radius with GitLab Orbit...');
     for (const vuln of vulnerabilities) {
-      const exposure = await analyzeExposure(projectId, vuln.package, pathHints, vuln.ecosystem);
+      const exposure = await analyzeExposure(projectId, vuln.package, vuln.ecosystem, pathHints);
       vuln.riskScore = calculateRiskScore(vuln, {
         affectedFilesCount: exposure.affectedFilesCount,
@@ -86,7 +86,7 @@ async function analyzeRepository(repoPath, projectId, options = {}) {
       vuln.affectedFiles = exposure.affectedFiles;
       vuln.exposure = exposure;
       vuln.recommendation = vuln.riskScore.recommendation;
-      vuln.dependencyChain = resolveDependencyChain(repoPath, vuln.ecosystem, vuln.package);
+      vuln.dependencyChain = resolveDependencyChain(repoPath, vuln.ecosystem, vuln.package, vuln.currentVersion);
     }
     console.log('\n🎯 Ranking by actual risk...');

package/src/blastRadius.js CHANGED Viewed

@@ -7,6 +7,7 @@
  */
 const orbitClient = require('./orbitClient');
+const { hasAnyToken } = require('./gitlabAuth');
 // Built-in heuristic defaults, used when AGENTS.md doesn't specify
 // public_api_paths / test_paths. A project with a non-standard layout
@@ -39,7 +40,12 @@ let orbitReachable = null; // cached per-process: null = unknown, true/false onc
 async function isOrbitReachable() {
   if (orbitReachable !== null) return orbitReachable;
-  if (!process.env.GITLAB_TOKEN) {
+  // CI_JOB_TOKEN (auto-present in every CI job) is sufficient for this
+  // same-project read call — see gitlabAuth.js's getAuthHeaders, which
+  // already falls back to it. Requiring GITLAB_TOKEN specifically here
+  // reported Orbit as unavailable in every normal CI/Flow run that never
+  // set that CI/CD variable, even when Orbit was actually healthy.
+  if (!hasAnyToken()) {
     orbitReachable = false;
     return false;
   }
@@ -99,7 +105,7 @@ const ECOSYSTEM_LANGUAGE = {
   Packagist: 'php',
 };
-async function analyzeExposure(projectId, packageName, hints = {}, ecosystem) {
+async function analyzeExposure(projectId, packageName, ecosystem, hints = {}) {
   if (projectId && await isOrbitReachable()) {
     try {
       const files = await orbitClient.findPackageImporters(projectId, packageName);

package/src/scanners/dependencyTreeBuilder.js CHANGED Viewed

@@ -160,15 +160,45 @@ function buildPoetryGraph(repoPath) {
   return { directDeps, lookup };
 }
+/**
+ * The hoisted top-level lockfile entry only ever records ONE resolved
+ * version of `packageName`. When OSV flags a version that doesn't match
+ * that top-level entry, the vulnerable copy is a separate nested
+ * duplicate the hoisted lookup never sees (see module docstring) — find
+ * it by scanning every `node_modules/.../node_modules/<packageName>`
+ * path for one whose `version` matches, and return its immediate parent
+ * package name so the caller can scope an `overrides` entry to that
+ * subtree instead of the (already-safe) top-level package.
+ * @returns {string|null} immediate parent package name, or null if no
+ *   nested duplicate at that exact version was found
+ */
+function findNestedDuplicateParent(lockfile, packageName, vulnerableVersion) {
+  if (!lockfile?.packages || !vulnerableVersion) return null;
+  const suffix = `/node_modules/${packageName}`;
+  for (const [pkgPath, entry] of Object.entries(lockfile.packages)) {
+    const isNestedDuplicate = pkgPath !== `node_modules/${packageName}` && pkgPath.endsWith(suffix);
+    if (isNestedDuplicate && entry.version === vulnerableVersion) {
+      const parentPath = pkgPath.slice(0, -suffix.length);
+      const lastSegment = parentPath.split('node_modules/').pop();
+      if (lastSegment) return lastSegment;
+    }
+  }
+  return null;
+}
 /**
  * @param {string} repoPath
  * @param {string} ecosystem
  * @param {string} packageName
+ * @param {string} [vulnerableVersion] - the specific version OSV flagged;
+ *   when it disagrees with the top-level hoisted resolution, this looks
+ *   for a nested duplicate at that version instead of trusting the
+ *   "direct dependency" name match (see findNestedDuplicateParent)
  * @returns {Object} { available, isDirect, chain } — chain is null when
  *   not determinable (unsupported ecosystem, no lockfile, or not found
  *   within the BFS depth limit)
  */
-function resolveDependencyChain(repoPath, ecosystem, packageName) {
+function resolveDependencyChain(repoPath, ecosystem, packageName, vulnerableVersion) {
   if (ecosystem === 'npm') {
     const lockfile = loadNpmLockfile(repoPath);
     if (!lockfile) {
@@ -179,6 +209,13 @@ function resolveDependencyChain(repoPath, ecosystem, packageName) {
       return { available: false, isDirect: null, chain: null, reason: 'Unsupported or malformed lockfile format' };
     }
     if (graph.directDeps.includes(packageName)) {
+      const topLevelEntry = lockfile.packages[`node_modules/${packageName}`];
+      if (vulnerableVersion && topLevelEntry && topLevelEntry.version !== vulnerableVersion) {
+        const parent = findNestedDuplicateParent(lockfile, packageName, vulnerableVersion);
+        if (parent) {
+          return { available: true, isDirect: false, chain: [parent, packageName], nestedDuplicateOfDirectDep: true };
+        }
+      }
       return { available: true, isDirect: true, chain: [packageName] };
     }
     return { available: true, isDirect: false, chain: findShortestChain(graph, packageName) };
@@ -220,6 +257,7 @@ module.exports = {
   resolveDependencyChain,
   buildNpmGraph,
   findShortestChain,
+  findNestedDuplicateParent,
   getLockfileEntry,
   normalizePyPiName,
   loadPoetryDirectDeps,

package/src/scanners/ecosystemFixers.js CHANGED Viewed

@@ -55,10 +55,41 @@ function transformNpmContent(content, packageName, fixedVersion) {
  * still pick a parent-compatible version, just never one below the
  * patched floor.
  */
-function addNpmOverrideContent(content, packageName, floorVersion) {
+function addNpmOverrideContent(content, packageName, floorVersion, parentPackage) {
   const pkg = JSON.parse(content);
   pkg.overrides = pkg.overrides || {};
   const constraint = `>=${floorVersion}`;
+  const isAlsoDirectDep = ['dependencies', 'devDependencies', 'optionalDependencies']
+    .some((section) => pkg[section]?.[packageName]);
+  // A flat top-level override (`overrides: { js-yaml: ">=x" }`) collides
+  // with npm's own resolution of a same-named DIRECT dependency — npm
+  // rejects that combination at install time with EOVERRIDE ("conflicts
+  // with direct dependency"), even when the constraint is compatible.
+  // When the flagged vulnerable copy is nested under a known parent
+  // (the common case: a transitive dev-tool dependency shadows a
+  // package you also depend on directly at a safe version), scope the
+  // override to that parent instead — it only affects that subtree and
+  // never touches the direct dependency's own resolution.
+  if (isAlsoDirectDep && !parentPackage) {
+    return { touched: false, warning: `${packageName} is already a direct dependency, and the vulnerable copy's parent package is unknown — a flat "overrides" entry would conflict with npm's EOVERRIDE check; resolve the dependency chain first or add a scoped override (overrides: { "<parent>": { "${packageName}": "${constraint}" } }) manually` };
+  }
+  if (parentPackage) {
+    pkg.overrides[parentPackage] = pkg.overrides[parentPackage] || {};
+    if (pkg.overrides[parentPackage][packageName] === constraint) {
+      return { touched: false, warning: `package.json already overrides ${packageName} to ${constraint} under ${parentPackage}` };
+    }
+    pkg.overrides[parentPackage][packageName] = constraint;
+    return {
+      touched: true,
+      action: 'override',
+      content: JSON.stringify(pkg, null, 2) + '\n',
+      followUp: 'npm install (regenerates package-lock.json with the override applied)',
+      warning: `Forced ${packageName} to ${constraint} within ${parentPackage}'s dependency subtree via package.json "overrides" — verify the resolved tree with "npm ls ${packageName}" after install`,
+    };
+  }
   if (pkg.overrides[packageName] === constraint) {
     return { touched: false, warning: `package.json already overrides ${packageName} to ${constraint}` };
   }
@@ -251,10 +282,10 @@ function bumpNpm(repoPath, manifestRelPath, packageName, fixedVersion) {
   return applyContentResultToFile(repoPath, manifestRelPath, 'package.json', transformNpmContent(content, packageName, fixedVersion));
 }
-function overrideNpm(repoPath, manifestRelPath, packageName, floorVersion) {
+function overrideNpm(repoPath, manifestRelPath, packageName, floorVersion, parentPackage) {
   const content = readManifest(repoPath, manifestRelPath, 'package.json');
   if (content === null) return { applied: false, warning: 'package.json not found' };
-  return applyContentResultToFile(repoPath, manifestRelPath, 'package.json', addNpmOverrideContent(content, packageName, floorVersion));
+  return applyContentResultToFile(repoPath, manifestRelPath, 'package.json', addNpmOverrideContent(content, packageName, floorVersion, parentPackage));
 }
 function bumpPython(repoPath, manifestRelPath, packageName, fixedVersion) {
@@ -330,7 +361,8 @@ function applyFix(repoPath, vulnerability) {
   const chain = vulnerability.dependencyChain;
   if (vulnerability.ecosystem === 'npm' && chain?.available && chain.isDirect === false) {
     const floor = vulnerability.osvFloorVersion || vulnerability.fixedVersion;
-    return overrideNpm(repoPath, vulnerability.manifestFile, vulnerability.package, floor);
+    const parent = chain.chain?.length >= 2 ? chain.chain[chain.chain.length - 2] : undefined;
+    return overrideNpm(repoPath, vulnerability.manifestFile, vulnerability.package, floor, parent);
   }
   const fixers = { npm: bumpNpm, PyPI: bumpPython, Go: bumpGo, Maven: bumpMaven };

package/src/strategyGenerator.js CHANGED Viewed

@@ -16,6 +16,11 @@ function generateRefactoringAnalysis(vulnerability, codeContext = {}) {
     usageExamples: [],
     ...codeContext
   };
+  const orbitChecked = vulnerability.riskScore?.exposureDataSource === 'orbit'
+    || vulnerability.exposure?.source === 'orbit';
+  const noFilesNote = orbitChecked
+    ? '  - GitLab Orbit confirmed no importers of this package in this project'
+    : '  - Orbit exposure data unavailable for this project — file list unknown';
   return `
 # Refactoring Analysis: ${vulnerability.package}
@@ -28,14 +33,14 @@ function generateRefactoringAnalysis(vulnerability, codeContext = {}) {
 - **Issue**: ${vulnerability.vulnerability}
 ## Code Impact
-- **Files affected**: ${context.affectedFiles?.length || 1}
-${context.affectedFiles?.map(f => `  - ${f.path || f}`).join('\n') || '  - no Orbit exposure data available'}
+- **Files affected**: ${context.affectedFiles?.length || 0}
+${context.affectedFiles?.length ? context.affectedFiles.map(f => `  - ${f.path || f}`).join('\n') : noFilesNote}
+${context.usageExamples?.[0] ? `
 ## Usage Example
 \`\`\`javascript
-${context.usageExamples?.[0] || 'const merged = _.merge({}, defaults, userInput);'}
+${context.usageExamples[0]}
 \`\`\`
+` : ''}
 ## Task for GitLab Duo Chat
 Generate **3 upgrade strategies** ranked by safety vs speed:
@@ -155,8 +160,8 @@ ${vulnerabilities.slice(0, 3).map((v, i) => `
 - **Risk Score**: ${v.riskScore?.score}/100 (${v.riskScore?.priority})
 - **Issue**: ${v.vulnerability}
 - **Severity**: ${v.severity} (CVSS ${v.cvss})
-- **Files Affected**: ${v.affectedFiles?.length || 1}
-${v.affectedFiles?.slice(0, 2).map(f => `  - ${f.path || f}`).join('\n') || '  - internal usage'}
+- **Files Affected**: ${v.affectedFiles?.length || 0}
+${v.affectedFiles?.length ? v.affectedFiles.slice(0, 2).map(f => `  - ${f.path || f}`).join('\n') : (v.riskScore?.exposureDataSource === 'orbit' ? '  - GitLab Orbit confirmed no importers' : '  - Orbit exposure data unavailable')}
 `).join('\n')}
 ## Recommendation
@@ -199,7 +204,7 @@ ${icon} **${index}. ${vuln.package} → ${vuln.fixedVersion}**
 | **Issue** | ${vuln.vulnerability} |
 | **Severity** | ${vuln.severity} (CVSS ${vuln.cvss}) |
 | **Your Risk Score** | ${vuln.riskScore?.score || '?'}/100 (${vuln.riskScore?.priority}) |
-| **Files Affected** | ${vuln.affectedFiles?.length || 1} |
+| **Files Affected** | ${vuln.affectedFiles?.length || 0} |
 | **Exposed to API?** | ${vuln.riskScore?.isInPublicAPI ? '✅ Yes' : '❌ No'} |
 | **Effort to Fix** | ${vuln.riskScore?.effortMinutes ? Math.ceil(vuln.riskScore.effortMinutes / 60) + 'h' : '?'} |
 `;