Merge pull request #291 from snyk/fix/npm-lock-v2-workspace-dependency-resolution

JamesPatrickGill · web-flow · commit 6daf50ae1b63 · 2025-10-28T16:11:27.000Z
fix: resolve workspace package dependencies in npm lock v2 parser
diff --git a/lib/dep-graph-builders/npm-lock-v2/index.ts b/lib/dep-graph-builders/npm-lock-v2/index.ts
@@ -490,6 +490,14 @@ export const getChildNodeKey = (
       if (pkgs[fullPath]) {
         return pkgs[fullPath].name || segment;
       }
+
+      // For workspace packages, the path might not have node_modules/ prefix
+      // Check if this segment (or joined path) exists as a workspace package
+      const workspacePath = pathSegments.join('/node_modules/');
+      if (pkgs[workspacePath]) {
+        return pkgs[workspacePath].name || segment;
+      }
+
       return segment;
     });
 
diff --git a/test/jest/dep-graph-builders/fixtures/npm-lock-v2/workspace-nested-deps/expected.json b/test/jest/dep-graph-builders/fixtures/npm-lock-v2/workspace-nested-deps/expected.json
@@ -0,0 +1,67 @@
+{
+  "schemaVersion": "1.3.0",
+  "pkgManager": {
+    "name": "npm"
+  },
+  "pkgs": [
+    {
+      "id": "root-workspace@1.0.0",
+      "info": {
+        "name": "root-workspace",
+        "version": "1.0.0"
+      }
+    },
+    {
+      "id": "@test/workspace-pkg@1.0.0",
+      "info": {
+        "name": "@test/workspace-pkg",
+        "version": "1.0.0"
+      }
+    },
+    {
+      "id": "lodash@4.17.21",
+      "info": {
+        "name": "lodash",
+        "version": "4.17.21"
+      }
+    }
+  ],
+  "graph": {
+    "rootNodeId": "root-node",
+    "nodes": [
+      {
+        "nodeId": "root-node",
+        "pkgId": "root-workspace@1.0.0",
+        "deps": [
+          {
+            "nodeId": "@test/workspace-pkg@1.0.0"
+          }
+        ]
+      },
+      {
+        "nodeId": "@test/workspace-pkg@1.0.0",
+        "pkgId": "@test/workspace-pkg@1.0.0",
+        "deps": [
+          {
+            "nodeId": "lodash@4.17.21"
+          }
+        ],
+        "info": {
+          "labels": {
+            "scope": "prod"
+          }
+        }
+      },
+      {
+        "nodeId": "lodash@4.17.21",
+        "pkgId": "lodash@4.17.21",
+        "deps": [],
+        "info": {
+          "labels": {
+            "scope": "prod"
+          }
+        }
+      }
+    ]
+  }
+}
diff --git a/test/jest/dep-graph-builders/fixtures/npm-lock-v2/workspace-nested-deps/package-lock.json b/test/jest/dep-graph-builders/fixtures/npm-lock-v2/workspace-nested-deps/package-lock.json
diff --git a/test/jest/dep-graph-builders/fixtures/npm-lock-v2/workspace-nested-deps/package.json b/test/jest/dep-graph-builders/fixtures/npm-lock-v2/workspace-nested-deps/package.json
@@ -0,0 +1,11 @@
+{
+  "name": "root-workspace",
+  "version": "1.0.0",
+  "workspaces": [
+    "packages/*"
+  ],
+  "dependencies": {
+    "@test/workspace-pkg": "file:packages/workspace-pkg"
+  },
+  "devDependencies": {}
+}
diff --git a/test/jest/dep-graph-builders/npm-lock-v2.test.ts b/test/jest/dep-graph-builders/npm-lock-v2.test.ts
@@ -24,6 +24,7 @@ describe('dep-graph-builder npm-lock-v2', () => {
         'dist-tag-sub-dependency',
         'bundled-top-level-dep',
         'missing-optional-dep-minimal',
+        'workspace-nested-deps',
       ])('[simple tests] project: %s ', (fixtureName) => {
         it('matches expected', async () => {
           const pkgJsonContent = readFileSync(
