Merge pull request #289 from snyk/feat/OSM-3009/handle-missing-optional-deps

JamesPatrickGill · web-flow · commit 3cbdaa52c7c1 · 2025-10-21T09:15:54.000+01:00
feat: [OSM-3009] handle optional dependencies without separate packag…
diff --git a/lib/dep-graph-builders/npm-lock-v2/index.ts b/lib/dep-graph-builders/npm-lock-v2/index.ts
@@ -208,6 +208,7 @@ const getChildNode = (
   depInfo: {
     version: string;
     isDev: boolean;
+    isOptional?: boolean;
     alias?: {
       aliasName: string;
       aliasTargetDepName: string;
@@ -272,6 +273,19 @@ const getChildNode = (
   );
 
   if (!childNodeKey) {
+    // Handle optional dependencies that don't have separate package entries
+    if (depInfo.isOptional) {
+      return {
+        id: `${name}@${depInfo.version}`,
+        name: name,
+        version: depInfo.version,
+        dependencies: {},
+        isDev: depInfo.isDev,
+        missingLockFileEntry: true,
+        key: '',
+      };
+    }
+
     // https://snyksec.atlassian.net/wiki/spaces/SCA/pages/3785687123/NPM+Bundled+Dependencies+Analysis
     // Check if this dependency is bundled in the parent package
     // Bundled dependencies may not have separate lockfile entries when
@@ -339,17 +353,21 @@ const getChildNode = (
     depData = pkgs[depData.resolved as string];
   }
 
-  const dependencies = getGraphDependencies(
-    depData.dependencies || {},
-    depInfo.isDev,
-  );
+  const dependencies = getGraphDependencies(depData.dependencies || {}, {
+    isDev: depInfo.isDev,
+  });
 
   const devDependencies = includeDevDeps
-    ? getGraphDependencies(depData.devDependencies || {}, depInfo.isDev)
+    ? getGraphDependencies(depData.devDependencies || {}, {
+        isDev: depInfo.isDev,
+      })
     : {};
 
   const optionalDependencies = includeOptionalDeps
-    ? getGraphDependencies(depData.optionalDependencies || {}, depInfo.isDev)
+    ? getGraphDependencies(depData.optionalDependencies || {}, {
+        isDev: depInfo.isDev,
+        isOptional: true,
+      })
     : {};
 
   return {
diff --git a/lib/dep-graph-builders/pnpm/utils.ts b/lib/dep-graph-builders/pnpm/utils.ts
@@ -57,15 +57,17 @@ export const getPnpmChildNode = (
     }
   } else {
     const depData = pkgs[childNodeKey];
-    const dependencies = getGraphDependencies(
-      depData.dependencies || {},
-      depInfo.isDev,
-    );
+    const dependencies = getGraphDependencies(depData.dependencies || {}, {
+      isDev: depInfo.isDev,
+    });
     const devDependencies = includeDevDeps
-      ? getGraphDependencies(depData.devDependencies || {}, true)
+      ? getGraphDependencies(depData.devDependencies || {}, { isDev: true })
       : {};
     const optionalDependencies = includeOptionalDeps
-      ? getGraphDependencies(depData.optionalDependencies || {}, depInfo.isDev)
+      ? getGraphDependencies(depData.optionalDependencies || {}, {
+          isDev: depInfo.isDev,
+          isOptional: true,
+        })
       : {};
     return {
       id: `${depData.name}@${depData.version}`,
diff --git a/lib/dep-graph-builders/util.ts b/lib/dep-graph-builders/util.ts
@@ -5,7 +5,10 @@ import { NormalisedPkgs } from './types';
 import { OutOfSyncError } from '../errors';
 import { LockfileType } from '../parsers';
 
-export type Dependencies = Record<string, { version: string; isDev: boolean }>;
+export type Dependencies = Record<
+  string,
+  { version: string; isDev: boolean; isOptional?: boolean }
+>;
 
 export interface PkgNode {
   id: string;
@@ -61,16 +64,23 @@ export const getTopLevelDeps = (
     includePeerDeps?: boolean;
   },
 ): Dependencies => {
-  const prodDeps = getGraphDependencies(pkgJson.dependencies || {}, false);
+  const prodDeps = getGraphDependencies(pkgJson.dependencies || {}, {
+    isDev: false,
+  });
 
-  const devDeps = getGraphDependencies(pkgJson.devDependencies || {}, true);
+  const devDeps = getGraphDependencies(pkgJson.devDependencies || {}, {
+    isDev: true,
+  });
 
   const optionalDeps = options.includeOptionalDeps
-    ? getGraphDependencies(pkgJson.optionalDependencies || {}, false)
+    ? getGraphDependencies(pkgJson.optionalDependencies || {}, {
+        isDev: false,
+        isOptional: true,
+      })
     : {};
 
   const peerDeps = options.includePeerDeps
-    ? getGraphDependencies(pkgJson.peerDependencies || {}, false)
+    ? getGraphDependencies(pkgJson.peerDependencies || {}, { isDev: false })
     : {};
 
   const deps = { ...prodDeps, ...optionalDeps, ...peerDeps };
@@ -108,11 +118,18 @@ export const getTopLevelDeps = (
  */
 export const getGraphDependencies = (
   dependencies: Record<string, string>,
-  isDev,
+  options: {
+    isDev: boolean;
+    isOptional?: boolean;
+  },
 ): Dependencies => {
   return Object.entries(dependencies).reduce(
     (pnpmDeps: Dependencies, [name, semver]) => {
-      pnpmDeps[name] = { version: semver, isDev: isDev };
+      pnpmDeps[name] = {
+        version: semver,
+        isDev: options.isDev,
+        isOptional: options.isOptional || false,
+      };
       return pnpmDeps;
     },
     {},
@@ -138,6 +155,7 @@ export const getChildNode = (
   depInfo: {
     version: string;
     isDev: boolean;
+    isOptional?: boolean;
     alias?: {
       aliasName: string;
       aliasTargetDepName: string;
@@ -153,7 +171,18 @@ export const getChildNode = (
   let childNode: PkgNode;
 
   if (!pkgs[childNodeKey]) {
-    if (strictOutOfSync && !/^file:/.test(depInfo.version)) {
+    // Handle optional dependencies that don't have separate package entries
+    if (depInfo.isOptional) {
+      childNode = {
+        id: childNodeKey,
+        name: depInfo.alias?.aliasTargetDepName ?? name,
+        version: depInfo.version,
+        dependencies: {},
+        isDev: depInfo.isDev,
+        missingLockFileEntry: true,
+        alias: depInfo.alias,
+      };
+    } else if (strictOutOfSync && !/^file:/.test(depInfo.version)) {
       throw new OutOfSyncError(childNodeKey, LockfileType.yarn);
     } else {
       childNode = {
@@ -168,12 +197,14 @@ export const getChildNode = (
     }
   } else {
     const depData = pkgs[childNodeKey];
-    const dependencies = getGraphDependencies(
-      depData.dependencies || {},
-      depInfo.isDev,
-    );
+    const dependencies = getGraphDependencies(depData.dependencies || {}, {
+      isDev: depInfo.isDev,
+    });
     const optionalDependencies = includeOptionalDeps
-      ? getGraphDependencies(depData.optionalDependencies || {}, depInfo.isDev)
+      ? getGraphDependencies(depData.optionalDependencies || {}, {
+          isDev: depInfo.isDev,
+          isOptional: true,
+        })
       : {};
     childNode = {
       id: `${name}@${depData.version}`,
diff --git a/lib/dep-graph-builders/yarn-lock-v2/utils.ts b/lib/dep-graph-builders/yarn-lock-v2/utils.ts
@@ -188,12 +188,14 @@ export const getYarnLockV2ChildNode = (
       optionalDependencies,
     } = pkgs[childNodeKeyFromResolution];
 
-    const formattedDependencies = getGraphDependencies(
-      dependencies || {},
-      depInfo.isDev,
-    );
+    const formattedDependencies = getGraphDependencies(dependencies || {}, {
+      isDev: depInfo.isDev,
+    });
     const formattedOptionalDependencies = includeOptionalDeps
-      ? getGraphDependencies(optionalDependencies || {}, depInfo.isDev)
+      ? getGraphDependencies(optionalDependencies || {}, {
+          isDev: depInfo.isDev,
+          isOptional: true,
+        })
       : {};
 
     return {
@@ -231,12 +233,14 @@ export const getYarnLockV2ChildNode = (
     }
   } else {
     const depData = pkgs[childNodeKey];
-    const dependencies = getGraphDependencies(
-      depData.dependencies || {},
-      depInfo.isDev,
-    );
+    const dependencies = getGraphDependencies(depData.dependencies || {}, {
+      isDev: depInfo.isDev,
+    });
     const optionalDependencies = includeOptionalDeps
-      ? getGraphDependencies(depData.optionalDependencies || {}, depInfo.isDev)
+      ? getGraphDependencies(depData.optionalDependencies || {}, {
+          isDev: depInfo.isDev,
+          isOptional: true,
+        })
       : {};
     return {
       id: `${name}@${depData.version}`,
diff --git a/test/jest/dep-graph-builders/fixtures/npm-lock-v2/missing-optional-dep-minimal/expected.json b/test/jest/dep-graph-builders/fixtures/npm-lock-v2/missing-optional-dep-minimal/expected.json
@@ -0,0 +1,110 @@
+{
+  "schemaVersion": "1.3.0",
+  "pkgManager": {
+    "name": "npm"
+  },
+  "pkgs": [
+    {
+      "id": "test-optional-deps@1.0.0",
+      "info": {
+        "name": "test-optional-deps",
+        "version": "1.0.0"
+      }
+    },
+    {
+      "id": "@parcel/watcher@2.5.1",
+      "info": {
+        "name": "@parcel/watcher",
+        "version": "2.5.1"
+      }
+    },
+    {
+      "id": "@parcel/watcher-darwin-x64@2.5.1",
+      "info": {
+        "name": "@parcel/watcher-darwin-x64",
+        "version": "2.5.1"
+      }
+    },
+    {
+      "id": "@parcel/watcher-darwin-arm64@2.5.1",
+      "info": {
+        "name": "@parcel/watcher-darwin-arm64",
+        "version": "2.5.1"
+      }
+    },
+    {
+      "id": "@parcel/watcher-linux-x64-glibc@2.5.1",
+      "info": {
+        "name": "@parcel/watcher-linux-x64-glibc",
+        "version": "2.5.1"
+      }
+    }
+  ],
+  "graph": {
+    "rootNodeId": "root-node",
+    "nodes": [
+      {
+        "nodeId": "root-node",
+        "pkgId": "test-optional-deps@1.0.0",
+        "deps": [
+          {
+            "nodeId": "@parcel/watcher@2.5.1"
+          }
+        ]
+      },
+      {
+        "nodeId": "@parcel/watcher@2.5.1",
+        "pkgId": "@parcel/watcher@2.5.1",
+        "deps": [
+          {
+            "nodeId": "@parcel/watcher-darwin-x64@2.5.1"
+          },
+          {
+            "nodeId": "@parcel/watcher-darwin-arm64@2.5.1"
+          },
+          {
+            "nodeId": "@parcel/watcher-linux-x64-glibc@2.5.1"
+          }
+        ],
+        "info": {
+          "labels": {
+            "scope": "prod"
+          }
+        }
+      },
+      {
+        "nodeId": "@parcel/watcher-darwin-x64@2.5.1",
+        "pkgId": "@parcel/watcher-darwin-x64@2.5.1",
+        "deps": [],
+        "info": {
+          "labels": {
+            "scope": "prod",
+            "missingLockFileEntry": "true"
+          }
+        }
+      },
+      {
+        "nodeId": "@parcel/watcher-darwin-arm64@2.5.1",
+        "pkgId": "@parcel/watcher-darwin-arm64@2.5.1",
+        "deps": [],
+        "info": {
+          "labels": {
+            "scope": "prod",
+            "missingLockFileEntry": "true"
+          }
+        }
+      },
+      {
+        "nodeId": "@parcel/watcher-linux-x64-glibc@2.5.1",
+        "pkgId": "@parcel/watcher-linux-x64-glibc@2.5.1",
+        "deps": [],
+        "info": {
+          "labels": {
+            "scope": "prod",
+            "missingLockFileEntry": "true"
+          }
+        }
+      }
+    ]
+  }
+}
diff --git a/test/jest/dep-graph-builders/fixtures/npm-lock-v2/missing-optional-dep-minimal/package-lock.json b/test/jest/dep-graph-builders/fixtures/npm-lock-v2/missing-optional-dep-minimal/package-lock.json
diff --git a/test/jest/dep-graph-builders/fixtures/npm-lock-v2/missing-optional-dep-minimal/package.json b/test/jest/dep-graph-builders/fixtures/npm-lock-v2/missing-optional-dep-minimal/package.json
@@ -0,0 +1,8 @@
+{
+  "name": "test-optional-deps",
+  "version": "1.0.0",
+  "description": "Minimal test for optional dependencies without separate package entries",
+  "dependencies": {
+    "@parcel/watcher": "^2.4.1"
+  }
+}
diff --git a/test/jest/dep-graph-builders/npm-lock-v2.test.ts b/test/jest/dep-graph-builders/npm-lock-v2.test.ts
@@ -23,6 +23,7 @@ describe('dep-graph-builder npm-lock-v2', () => {
         'local-pkg-without-workspaces',
         'dist-tag-sub-dependency',
         'bundled-top-level-dep',
+        'missing-optional-dep-minimal',
       ])('[simple tests] project: %s ', (fixtureName) => {
         it('matches expected', async () => {
           const pkgJsonContent = readFileSync(
