
feat(npm): treat peerDependencies as dependencies #7988

@knqyf263

Description

In some cases, peer dependencies are listed in package-lock.json, and then Trivy detects the vulnerabilities for those packages, but Trivy doesn't include them in the dependency tree.

$ cat package.json
{
  "name": "myapp",
  "version": "1.1.1",
  "description": "try",
  "dependencies": {
    "winston-mail": "^2.0.0"
  }
}

winston-mail has a peer dependency winston.
https://github.com/wavded/winston-mail/blob/19e80d757996a305739536de66ecf3a939360cc4/package.json#L29-L31

npm v3-v6 (tested with v6.14.18)

  • npm install doesn't install peer dependencies
  • npm install doesn't record peer dependencies in package-lock.json
  • npm list --all doesn't show the details of peer dependencies in the tree if they are not found.
  • npm list --all shows peer dependencies separately in the tree if they are found locally.

When winston is not found

$ npm --version
6.14.18
$ npm install
/node_v3_with_peer # npm list --all
[email protected] /node_v3_with_peer
+-- UNMET PEER DEPENDENCY winston@>=0.5.0
`-- [email protected]
  +-- [email protected]
  | +-- [email protected]
  | `-- [email protected]
  |   +-- [email protected]
  |   +-- [email protected]
  |   `-- [email protected]
  `-- [email protected]

When winston is found

$ npm install winston  # manually install
$ npm list --all
[email protected] /app
+-- [email protected]
| +-- @colors/[email protected]
...(deducted)...
`-- [email protected]
  +-- [email protected]
  | +-- [email protected]
  | `-- [email protected]
  |   +-- [email protected]
  |   +-- [email protected]
  |   `-- [email protected]
  `-- [email protected]

winston is displayed next to winston-mail, not under winston-mail.

npm v7+ (tested with v10.9.1) and v1-3(?)

  • npm install installs peer dependencies
  • npm install records peer dependencies in package-lock.json
  • npm list --all shows peer dependencies under the parent in the tree

winston is displayed under winston-mail.

Yarn (tested with v1.2.22)

  • yarn install doesn't install peer dependencies
  • yarn install doesn't record peer dependencies in package-lock.json
  • yarn list --all doesn't show peer dependencies in the tree

$ yarn list --all
yarn list v1.22.19
Done in 0.17s.

They all work differently.

Ideas

There are two ideas:

  1. Always exclude peer dependencies
  2. Follow the package manager's implementations

Suggestion

Peer dependencies are not strictly project-dependent packages. Therefore, peer dependencies are not installed in npm v6 and are shown separately in the dependency tree, I guess. However, in newer npm versions (v7+), peer dependencies are installed and displayed in the tree like normal dependencies. If Trivy does not show peer dependencies, we expect to receive inquiries from users. To avoid confusion, we would like to opt for the second approach.

If peer dependencies are recorded in the lock file, treat them as normal dependencies, like npm v7+, even though it's not technically accurate.
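The following Go program is an added illustration of the suggested rule, not Trivy's own parser: it reads the "packages" map of a package-lock.json v2/v3 file, resolves each dependency the way npm does (nested node_modules first, then walking up to the project root), and turns a peerDependencies entry into a tree edge only when the peer is actually recorded in the lock file. The lock file fixtures, the "mail-transport" package and all version numbers are constructed for the example; only winston-mail and winston come from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Fields of a package-lock.json v2/v3 "packages" entry needed for the tree.
type lockPackage struct {
	Version          string            `json:"version"`
	Dependencies     map[string]string `json:"dependencies"`
	PeerDependencies map[string]string `json:"peerDependencies"`
}

type lockFile struct {
	Packages map[string]lockPackage `json:"packages"`
}

// Resolve returns the lockfile key npm selects for `name` when required by the
// package installed at `from` ("" is the project root): it checks the nested
// node_modules of `from` first, then each enclosing package, then the root.
func Resolve(pkgs map[string]lockPackage, from, name string) (string, bool) {
	dir := from
	for {
		candidate := "node_modules/" + name
		if dir != "" {
			candidate = dir + "/" + candidate
		}
		if _, ok := pkgs[candidate]; ok {
			return candidate, true
		}
		if dir == "" {
			return "", false
		}
		if i := strings.LastIndex(dir, "/node_modules/"); i >= 0 {
			dir = dir[:i] // step up to the enclosing package
		} else {
			dir = "" // next stop is the project root
		}
	}
}

// DependencyTree maps every lockfile key to the sorted keys it depends on.
// Regular dependencies always become edges. A peer dependency becomes an edge
// only if the peer is present in the lock file (the npm v7+ view the issue
// proposes); an unmet peer, as npm v6 reports it, is simply left out.
func DependencyTree(lockJSON []byte) (map[string][]string, error) {
	var lock lockFile
	if err := json.Unmarshal(lockJSON, &lock); err != nil {
		return nil, err
	}
	tree := make(map[string][]string, len(lock.Packages))
	for key, pkg := range lock.Packages {
		edges := map[string]struct{}{}
		for _, section := range []map[string]string{pkg.Dependencies, pkg.PeerDependencies} {
			for name := range section {
				if dep, ok := Resolve(lock.Packages, key, name); ok {
					edges[dep] = struct{}{}
				}
			}
		}
		list := make([]string, 0, len(edges))
		for dep := range edges {
			list = append(list, dep)
		}
		sort.Strings(list)
		tree[key] = list
	}
	return tree, nil
}

// DependsOn reports whether `from` has a direct edge to `to` in the tree.
func DependsOn(tree map[string][]string, from, to string) bool {
	for _, dep := range tree[from] {
		if dep == to {
			return true
		}
	}
	return false
}

// Constructed fixtures: winston recorded in the lock (npm v7+) versus absent (npm v6).
const LockWithPeer = `{"packages": {
  "": {"dependencies": {"winston-mail": "^2.0.0"}},
  "node_modules/winston-mail": {"version": "2.0.0",
    "dependencies": {"mail-transport": "^1.0.0"},
    "peerDependencies": {"winston": ">=0.5.0"}},
  "node_modules/mail-transport": {"version": "1.0.0"},
  "node_modules/winston": {"version": "3.0.0", "peer": true}}}`

const LockWithoutPeer = `{"packages": {
  "": {"dependencies": {"winston-mail": "^2.0.0"}},
  "node_modules/winston-mail": {"version": "2.0.0",
    "dependencies": {"mail-transport": "^1.0.0"},
    "peerDependencies": {"winston": ">=0.5.0"}},
  "node_modules/mail-transport": {"version": "1.0.0"}}}`

func main() {
	for _, lock := range []string{LockWithPeer, LockWithoutPeer} {
		tree, err := DependencyTree([]byte(lock))
		if err != nil {
			panic(err)
		}
		fmt.Println("winston-mail ->", tree["node_modules/winston-mail"])
	}
}
```

With the first fixture winston-mail gets two edges (mail-transport and winston); with the second it gets only mail-transport, so a vulnerability in winston would still be reported as a detected package but never attached to a parent that the lock file does not back up.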

References

https://nodejs.org/en/blog/npm/peer-dependencies

Labels

kind/feature