Dependency Scanning scans both package-lock.json and yarn.lock
Summary
If a directory contains a package-lock.json and a yarn.lock, Dependency Scanning will scan both files, generating redundant and possibly inconsistent results. It should prefer one file over the other and report a warning. The dependency list also contains dependencies from the two competing lock files.
npm support and yarn support are both implemented in the Gemnasium analyzer.
Generally speaking, Dependency Scanning should scan only one lock file per package type (like npm) and directory.
See https://stackoverflow.com/questions/44552348/should-i-commit-yarn-lock-and-package-lock-json-files for an interesting discussion about this issue.
Steps to reproduce
Create a project with a package-lock.json and a yarn.lock, and configure Dependency Scanning in the CI configuration file.
Example Project
https://gitlab.com/gitlab-org/security-products/tests/js-npm/pipelines/110982412
What is the current bug behavior?
It scans the two lock files.
What is the expected correct behavior?
It should scan only one lock file (from yarn?), and report a warning about the second one being ignored.
Possible fixes
Make gemnasium iterate over a list of lock files when walking through the project directory, and stop as soon as it finds one supported lock file that is not explicitly excluded using DS_EXCLUDED_PATHS.
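An added example (not Gemnasium's code) of the selection rule described above, in Go: for one directory, try the supported lock files in a fixed preference order, keep the first that exists and is not excluded by DS_EXCLUDED_PATHS, and collect the others so the analyzer can warn that they were ignored. The preference order (yarn.lock first), the Selection type and the simplified glob handling of DS_EXCLUDED_PATHS are assumptions of this example.

```go
package main

import (
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// Lock files for the npm package type, most preferred first. Preferring
// yarn.lock over package-lock.json is an assumption of this example.
var npmLockFiles = []string{"yarn.lock", "package-lock.json"}
// Selection records what the scanner decided for one directory.
type Selection struct {
	Chosen  string   // lock file to scan; "" when none qualifies
	Ignored []string // other supported lock files found here and skipped (warn)
}
// excluded reports whether p matches one of the comma-separated glob patterns
// of DS_EXCLUDED_PATHS (a simplification of the real matching rules).
func excluded(p, dsExcludedPaths string) bool {
	for _, pat := range strings.Split(dsExcludedPaths, ",") {
		if ok, _ := path.Match(strings.TrimSpace(pat), p); ok {
			return true
		}
	}
	return false
}
// selectLockFile returns the first preferred lock file in dir that exists and
// is not excluded, plus every other supported lock file it had to skip.
func selectLockFile(fsys fs.FS, dir, dsExcludedPaths string) Selection {
	var sel Selection
	for _, name := range npmLockFiles {
		p := path.Join(dir, name)
		if _, err := fs.Stat(fsys, p); err != nil || excluded(p, dsExcludedPaths) {
			continue // absent or excluded: not a candidate at all
		}
		if sel.Chosen == "" {
			sel.Chosen = p
		} else {
			sel.Ignored = append(sel.Ignored, p)
		}
	}
	return sel
}
// exampleProject is a constructed tree standing in for the checkout in the issue.
var exampleProject = fstest.MapFS{
	"package-lock.json": {Data: []byte("{}")},
	"yarn.lock":         {Data: []byte("# yarn lockfile v1")},
}
```

With exampleProject and an empty DS_EXCLUDED_PATHS, selectLockFile returns yarn.lock as Chosen and package-lock.json in Ignored; excluding yarn.lock makes it fall back to package-lock.json with nothing to warn about.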