fix(nodejs): fix infinite loop when package link from package-lock.json file is broken (#6858)

2025-12-05 20:40:16 -08:00 · 2024-06-10 12:30:27 +06:00
parent 8491469f0b
commit cf5aa336e6
3 changed files with 43 additions and 3 deletions
--- a/pkg/dependency/parser/nodejs/npm/parse.go
+++ b/pkg/dependency/parser/nodejs/npm/parse.go
@@ -194,8 +194,16 @@ func (p *Parser) parseV2(packages map[string]Package) ([]ftypes.Package, []ftype
 // node_modules/func1 -> link to target
 // see `package-lock_v3_with_workspace.json` to better understanding
 func (p *Parser) resolveLinks(packages map[string]Package) {
-	links := lo.PickBy(packages, func(_ string, pkg Package) bool {
-		return pkg.Link
+	links := lo.PickBy(packages, func(pkgPath string, pkg Package) bool {
+		if !pkg.Link {
+			return false
+		}
+		if pkg.Resolved == "" {
+			p.logger.Warn("`package-lock.json` contains broken link with empty `resolved` field. This package will be skipped to avoid receiving an empty package", log.String("pkg", pkgPath))
+			delete(packages, pkgPath)
+			return false
+		}
+		return true
 	})
 	// Early return
 	if len(links) == 0 {
@@ -208,7 +216,9 @@ func (p *Parser) resolveLinks(packages map[string]Package) {
 	}

 	workspaces := rootPkg.Workspaces
-	for pkgPath, pkg := range packages {
+	// Changing the map during the map iteration causes unexpected behavior,
+	// so we need to iterate over the cloned `packages` map, but change the original `packages` map.
+	for pkgPath, pkg := range maps.Clone(packages) {
 		for linkPath, link := range links {
 			if !strings.HasPrefix(pkgPath, link.Resolved) {
 				continue
--- a/pkg/dependency/parser/nodejs/npm/parse_test.go
+++ b/pkg/dependency/parser/nodejs/npm/parse_test.go
@@ -53,6 +53,12 @@ func TestParse(t *testing.T) {
 			want:     npmV3WithoutRootDepsField,
 			wantDeps: npmV3WithoutRootDepsFieldDeps,
 		},
+		{
+			name:     "lock version v3 with broken link",
+			file:     "testdata/package-lock_v3_broken_link.json",
+			want:     nil,
+			wantDeps: nil,
+		},
 	}

 	for _, tt := range tests {
--- a/pkg/dependency/parser/nodejs/npm/testdata/package-lock_v3_broken_link.json
+++ b/pkg/dependency/parser/nodejs/npm/testdata/package-lock_v3_broken_link.json
@@ -0,0 +1,24 @@
+{
+  "name": "node_v3_without_direct_deps",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "node_v3_without_direct_deps",
+      "version": "1.0.0",
+      "license": "ISC"
+    },
+    "functions/func1": {
+      "version": "1.0.0",
+      "license": "ISC",
+      "dependencies": {
+        "debug": "^2.6.9"
+      }
+    },
+    "node_modules/func1": {
+      "resolved": "",
+      "link": true
+    }
+  }
+}