Merge pull request #286 from snyk/fix/handle-npm-aliases-in-overrides-field

fix: handle npm aliases in overrides field

Author: james-snyk

lib/aliasesPreprocessors/pkgJson.ts

@@ -1,6 +1,46 @@
-import { PackageJsonBase } from '../dep-graph-builders/types';
+import { Overrides, PackageJsonBase } from '../dep-graph-builders/types';
 import { parsePkgJson } from '../dep-graph-builders/util';
 
+/**
+ * Parses a npm alias string (e.g., "npm:[email protected]") and returns the package name and version
+ */
+export const parseNpmAlias = (
+  aliasString: string,
+): { packageName: string; version: string } | null => {
+  if (!aliasString.startsWith('npm:')) {
+    return null;
+  }
+  const lastAtIndex = aliasString.lastIndexOf('@');
+  if (lastAtIndex <= 4) {
+    // Invalid format: must have content after 'npm:' and before '@'
+    return null;
+  }
+  return {
+    packageName: aliasString.substring(4, lastAtIndex),
+    version: aliasString.substring(lastAtIndex + 1),
+  };
+};
+
+/**
+ * Adds an alias entry to the package.json aliases field
+ */
+const addAlias = (
+  pkgJson: PackageJsonBase,
+  aliasName: string,
+  targetDepName: string,
+  semver: string,
+): void => {
+  if (!pkgJson['aliases']) {
+    pkgJson['aliases'] = {};
+  }
+  pkgJson['aliases'][aliasName] = {
+    aliasName,
+    aliasTargetDepName: targetDepName,
+    semver,
+    version: null,
+  };
+};
+
 export const rewriteAliasesPkgJson = (packageJsonContent: string): string => {
   const pkgJsonPreprocessed = parsePkgJson(packageJsonContent);
   pkgJsonPreprocessed.dependencies = rewriteAliases(
@@ -19,6 +59,13 @@ export const rewriteAliasesPkgJson = (packageJsonContent: string): string => {
     pkgJsonPreprocessed,
     pkgJsonPreprocessed.peerDependencies,
   );
+  // Process overrides field to extract aliases
+  if (pkgJsonPreprocessed.overrides) {
+    rewriteAliasesInOverrides(
+      pkgJsonPreprocessed,
+      pkgJsonPreprocessed.overrides,
+    );
+  }
   return JSON.stringify(pkgJsonPreprocessed);
 };
 
@@ -32,23 +79,38 @@ export const rewriteAliases = (
   const newDependencies: Record<string, string> = {};
   for (const key in dependencies) {
     const value = dependencies[key];
-    if (value.startsWith('npm:')) {
-      if (!pkgJsonPreprocessed['aliases']) {
-        pkgJsonPreprocessed['aliases'] = {};
-      }
-      pkgJsonPreprocessed['aliases'] = {
-        ...pkgJsonPreprocessed['aliases'],
-        ...{
-          [key]: {
-            aliasName: key,
-            aliasTargetDepName: value.substring(4, value.lastIndexOf('@')),
-            semver: value.substring(value.lastIndexOf('@') + 1, value.length),
-            version: null,
-          },
-        },
-      };
+    const parsed = parseNpmAlias(value);
+    if (parsed) {
+      addAlias(pkgJsonPreprocessed, key, parsed.packageName, parsed.version);
     }
     newDependencies[key] = value;
   }
   return newDependencies;
 };
+
+/**
+ * Recursively processes the overrides object to extract aliases
+ */
+export const rewriteAliasesInOverrides = (
+  pkgJsonPreprocessed: PackageJsonBase,
+  overrides: Overrides,
+): void => {
+  if (typeof overrides === 'string') {
+    return; // String values are handled at the parent level where we have the key
+  }
+
+  // Recursive case: process each key-value pair in the overrides object
+  for (const key in overrides) {
+    const value = overrides[key];
+
+    if (typeof value === 'string') {
+      const parsed = parseNpmAlias(value);
+      if (parsed) {
+        addAlias(pkgJsonPreprocessed, key, parsed.packageName, parsed.version);
+      }
+    } else if (typeof value === 'object') {
+      // Recursively process nested overrides
+      rewriteAliasesInOverrides(pkgJsonPreprocessed, value);
+    }
+  }
+};

lib/dep-graph-builders/npm-lock-v2/index.ts

@@ -16,6 +16,7 @@ import {
 } from '../util';
 import { OutOfSyncError } from '../../errors';
 import { LockfileType } from '../../parsers';
+import { parseNpmAlias } from '../../aliasesPreprocessors/pkgJson';
 
 import * as semver from 'semver';
 import * as micromatch from 'micromatch';
@@ -224,21 +225,33 @@ const getChildNode = (
   pruneNpmStrictOutOfSync?: boolean,
 ) => {
   let version = depInfo.version;
+  let aliasInfo = depInfo.alias;
 
   const override =
     overrides &&
     checkOverrides([...ancestry, { name, version }] as Ancestry[], overrides);
 
   if (override) {
     version = override;
-  }
 
-  if (version.startsWith('npm:')) {
+    // If the override is an alias (starts with npm:), extract alias information
+    const parsed = parseNpmAlias(version);
+    if (parsed) {
+      aliasInfo = {
+        aliasName: name,
+        aliasTargetDepName: parsed.packageName,
+        semver: parsed.version,
+        version: parsed.version,
+      };
+      version = parsed.version;
+    }
+  } else if (version.startsWith('npm:')) {
+    // Handle non-override aliases
     version = version.split('@').pop() || version;
   }
 
   let childNodeKey = getChildNodeKey(
-    depInfo.alias ? depInfo.alias.aliasName : name,
+    aliasInfo ? aliasInfo.aliasName : name,
     version,
     ancestry,
     pkgs,
@@ -329,7 +342,7 @@ const getChildNode = (
 
   return {
     id: `${name}@${depData.version}`,
-    name: depInfo.alias?.aliasTargetDepName ?? name,
+    name: aliasInfo?.aliasTargetDepName ?? name,
     version: depData.version,
     dependencies: {
       ...dependencies,
@@ -339,9 +352,7 @@ const getChildNode = (
     isDev: depInfo.isDev,
     inBundle: depData.inBundle,
     key: childNodeKey,
-    ...(depInfo.alias
-      ? { alias: { ...depInfo.alias, version: depData.version } }
-      : {}),
+    ...(aliasInfo ? { alias: { ...aliasInfo, version: depData.version } } : {}),
   };
 };
 

test/jest/dep-graph-builders/aliases.test.ts

@@ -525,6 +525,44 @@ describe('Testing aliases for npm', () => {
     expect(JSON.stringify(newDepGraph)).toContain('[email protected]');
     expect(JSON.stringify(newDepGraph)).toContain('[email protected]');
   });
+  it('match aliased package in overrides - npm-lock-v2', async () => {
+    const pkgJsonContent = readFileSync(
+      join(
+        __dirname,
+        `./fixtures/npm-lock-v2/override-with-alias/package.json`,
+      ),
+      'utf8',
+    );
+    const pkgLockContent = readFileSync(
+      join(
+        __dirname,
+        `./fixtures/npm-lock-v2/override-with-alias/package-lock.json`,
+      ),
+      'utf8',
+    );
+
+    const newDepGraph = await parseNpmLockV2Project(
+      pkgJsonContent,
+      pkgLockContent,
+      {
+        includeDevDeps: true,
+        includeOptionalDeps: true,
+        pruneCycles: true,
+        strictOutOfSync: true,
+        honorAliases: true,
+      },
+    );
+
+    expect(newDepGraph).toBeDefined;
+    expect(() => JSON.parse(JSON.stringify(newDepGraph))).not.toThrow();
+
+    // elliptic should be aliased to dry-uninstall
+    const depGraphJson = JSON.stringify(newDepGraph);
+    expect(depGraphJson).toContain('dry-uninstall');
+
+    // Verify the alias metadata is present
+    expect(depGraphJson).toContain('"alias":"elliptic=>[email protected]"');
+  });
 });
 
 describe.each(['pnpm-lock-v5', 'pnpm-lock-v6', 'pnpm-lock-v9'])(