Correctly handle bundled npm dependencies
What does this MR do and why?
This MR fixes an edge case where valid package-lock.json files omit certain
packages because they are bundled inside a package tarball. These dependencies are
vendored, and as a result they are not included in the lock file (there is no point
in listing them there, since they are "locked" by definition of being vendored).
The analyzer used to fail in such scenarios; it now creates a dependency between
the parent package and a version-less child package (the version cannot be inferred
without downloading the entire package tarball). No other changes were made, and
the order of dependency resolution for npm is otherwise unchanged.
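The resolution behaviour described above, as an added example that is not the analyzer's own code: a small Go program parses a lockfile v3 `packages` map, resolves each dependency the way npm does (nested `node_modules` first, then walking up to the root), and, when a dependency has no entry, emits a version-less edge instead of the old "malformed dependency graph" error. The example is stricter than the description states: it only falls back to a version-less edge when the parent entry declares the dependency in `bundleDependencies`, and still rejects a lock file where a non-bundled dependency is missing. That check, the `Edge` type, the function names and the lock file contents (package versions included) are assumptions constructed for this example; the package names are the ones from the log line in this MR.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"sort"
	"strings"
)

// lockPackage is the subset of a package-lock.json v2/v3 "packages" entry used
// here. bundleDependencies is kept raw because npm writes it either as an
// array of names or as the boolean true (assumption: both forms may occur).
type lockPackage struct {
	Version            string            `json:"version"`
	Dependencies       map[string]string `json:"dependencies"`
	BundleDependencies json.RawMessage   `json:"bundleDependencies"`
}

type lockFile struct {
	Packages map[string]lockPackage `json:"packages"`
}

// Edge records that Parent depends on Child. ChildVersion is "" when the child
// is bundled and therefore absent from the lock file.
type Edge struct {
	Parent, Child, ChildVersion string
}

// bundles reports whether the entry declares dep as a bundled dependency.
func (p lockPackage) bundles(dep string) bool {
	if len(p.BundleDependencies) == 0 {
		return false
	}
	var all bool
	if json.Unmarshal(p.BundleDependencies, &all) == nil {
		return all // "bundleDependencies": true bundles every dependency
	}
	var names []string
	if json.Unmarshal(p.BundleDependencies, &names) == nil {
		for _, n := range names {
			if n == dep {
				return true
			}
		}
	}
	return false
}

// lookup mirrors npm's node_modules resolution: try the dependent's own nested
// node_modules, then each ancestor's, up to the project root (key "").
func lookup(packages map[string]lockPackage, from, dep string) (string, bool) {
	dir := from
	for {
		candidate := path.Join(dir, "node_modules", dep)
		if _, ok := packages[candidate]; ok {
			return candidate, true
		}
		if dir == "" {
			return "", false
		}
		// Drop the trailing "node_modules/<name>" segment to move one level up.
		idx := strings.LastIndex(dir, "node_modules/")
		if idx < 0 {
			return "", false
		}
		dir = strings.TrimSuffix(dir[:idx], "/")
	}
}

// resolveGraph builds parent-to-child edges in a deterministic order. A missing
// dependency that the parent bundles yields a version-less edge; any other
// missing dependency is still reported as a malformed graph.
func resolveGraph(lock lockFile) ([]Edge, error) {
	parents := make([]string, 0, len(lock.Packages))
	for k := range lock.Packages {
		parents = append(parents, k)
	}
	sort.Strings(parents)
	var edges []Edge
	for _, parent := range parents {
		entry := lock.Packages[parent]
		deps := make([]string, 0, len(entry.Dependencies))
		for d := range entry.Dependencies {
			deps = append(deps, d)
		}
		sort.Strings(deps)
		for _, dep := range deps {
			if childPath, ok := lookup(lock.Packages, parent, dep); ok {
				edges = append(edges, Edge{parent, dep, lock.Packages[childPath].Version})
				continue
			}
			if !entry.bundles(dep) {
				return nil, fmt.Errorf("malformed dependency graph when searching for dependency %s of package %s", dep, parent)
			}
			edges = append(edges, Edge{Parent: parent, Child: dep})
		}
	}
	return edges, nil
}

// resolveLockJSON parses raw package-lock.json bytes and resolves the graph.
func resolveLockJSON(data []byte) ([]Edge, error) {
	var lock lockFile
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, err
	}
	return resolveGraph(lock)
}

// Constructed sample: the bundled child has no "packages" entry of its own.
const bundledLock = `{
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"@tailwindcss/oxide-wasm32-wasi": "*", "example-lib": "*"}},
    "node_modules/example-lib": {"version": "1.0.0"},
    "node_modules/@tailwindcss/oxide-wasm32-wasi": {
      "version": "1.2.3",
      "dependencies": {"@napi-rs/wasm-runtime": "*"},
      "bundleDependencies": ["@napi-rs/wasm-runtime"]
    }
  }
}`

// Constructed sample: same gap, but nothing declares the child as bundled.
const malformedLock = `{
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"example-lib": "*"}},
    "node_modules/example-lib": {"version": "1.0.0", "dependencies": {"missing-dep": "*"}}
  }
}`

func main() {
	edges, err := resolveLockJSON([]byte(bundledLock))
	if err != nil {
		panic(err)
	}
	for _, e := range edges {
		fmt.Printf("%q -> %q (version %q)\n", e.Parent, e.Child, e.ChildVersion)
	}
}
```

The version-less edge is what downstream consumers (SBOM generation, vulnerability matching) will see, so anything that keys on a component's version needs to tolerate an empty one for these bundled packages.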
Related issues
Fixes gitlab-org/gitlab#569753 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
before
[FATA] [dependency-scanning] [2025-09-11T16:26:24Z] [/go/src/app/cmd/dependency-scanning/main.go:58] ▶ parsing file package-lock.json: malformed dependency graph when searching for dependency @napi-rs/wasm-runtime of package node_modules/@tailwindcss/oxide-wasm32-wasi
after
[INFO] [dependency-scanning] [2025-09-15T17:50:34-04:00] [/Users/hacks4oats/code/dependency-scanning/cmd/dependency-scanning/main.go:46] ▶ Starting GitLab dependency-scanning version not-configured (00000000)
[DEBU] [dependency-scanning] [2025-09-15T17:50:34-04:00] [/Users/hacks4oats/code/dependency-scanning/finder/finder.go:56] ▶ Inspect directory: .
[DEBU] [dependency-scanning] [2025-09-15T17:50:34-04:00] [/Users/hacks4oats/code/dependency-scanning/fevent/fevent.go:86] ▶ Sending "package-lock.json" to "npm_bd6fb8c4" subscriber on interest "package-lock.json"
[DEBU] [dependency-scanning] [2025-09-15T17:50:34-04:00] [/Users/hacks4oats/code/dependency-scanning/fevent/fevent.go:86] ▶ Sending "package.json" to "npm_bd6fb8c4" subscriber on interest "package.json"
[DEBU] [dependency-scanning] [2025-09-15T17:50:34-04:00] [/Users/hacks4oats/code/dependency-scanning/fevent/fevent.go:86] ▶ Sending "package.json" to "pnpm_cfd1620c" subscriber on interest "package.json"
[DEBU] [dependency-scanning] [2025-09-15T17:50:34-04:00] [/Users/hacks4oats/code/dependency-scanning/fevent/fevent.go:86] ▶ Sending "package.json" to "yarn_a767466e" subscriber on interest "package.json"
[DEBU] [dependency-scanning] [2025-09-15T17:50:34-04:00] [/Users/hacks4oats/code/dependency-scanning/scanner/scanner.go:162] ▶ parseable file found /Users/hacks4oats/Downloads/package-lock.json
[DEBU] [dependency-scanning] [2025-09-15T17:50:34-04:00] [/Users/hacks4oats/code/dependency-scanning/scanner/scanner.go:83] ▶ skip project: no scannable file found in .
[DEBU] [dependency-scanning] [2025-09-15T17:50:34-04:00] [/Users/hacks4oats/code/dependency-scanning/scanner/scanner.go:83] ▶ skip project: no scannable file found in .
[INFO] [dependency-scanning] [2025-09-15T17:50:34-04:00] [/Users/hacks4oats/code/dependency-scanning/cyclonedx/convert.go:88] ▶ generated SBOM /Users/hacks4oats/Downloads/gl-sbom-npm-npm.cdx.json for lock file package-lock.json
[DEBU] [dependency-scanning] [2025-09-15T17:50:34-04:00] [/Users/hacks4oats/code/dependency-scanning/cmd/dependency-scanning/main.go:227] ▶ Vulnerability Scanning is disabled (DS_ENABLE_VULNERABILITY_SCAN), skipping
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
Use the steps in the related issue to create a lock file that omits a bundled dependency, then run the analyzer locally against that lock file and confirm it generates an SBOM instead of failing with a malformed dependency graph error.