Description
Processing a package that has multiple main fields in package.json causes an error. As far as I know, packages are intended to have only one main field, but this is not enforced by the package manager or registry. There are some packages with multiple main fields which vuln-reach does not process. For example, [email protected] has a package.json with duplicate main fields.
JS runtimes can import [email protected] just fine. This particular case is easy to resolve, because the file referenced in the first main field does not exist. Maybe the CommonJS / ESM spec defines how to handle multiple main fields in a more general way. It might be worthwhile to implement the same resolution mechanism that JS runtimes use.
Expected Behavior
vuln-reach performs reachability analysis on projects that have browserify-zlib as a dependency.
Actual Behavior
Config: https://gitlab.com/-/snippets/3623569
The JSON standard explicitly refrains from providing guidance in this case:
The JSON syntax does not impose any restrictions on the strings used as names, does not require that name strings be unique, and does not assign any significance to the ordering of name/value pairs. These are all semantic considerations that may be defined by JSON processors or in specifications defining specific uses of JSON for data interchange.
It appears the implementation of serde_json chose to error out, which I believe is reasonable: most data structures that could possibly deserialize from a JSON dictionary have unique keys, and no commonly accepted strategy for exceptions is defined, so I think the assumption that non-unique keys on the serialized side are an error makes sense.
Besides, this instance of key duplication was an error that npm silently accepted at the moment the package was published.
That being said, I assume that those JSONs are parsed via JSON.parse which seemingly keeps the last key. I can look into its spec to validate that, and then look into whether serde_json allows workarounds for this case.
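The comment above assumes that JSON.parse keeps the last duplicate key. The following Node.js snippet is an added example, not code from vuln-reach or from the issue: it checks that last-wins behaviour on a constructed package.json (modelled on the issue, not the real browserify-zlib manifest) and adds a small lexical scanner that reports duplicate keys, so a tool can resolve the way runtimes do while still flagging the malformed manifest.

```javascript
// Added example (not from vuln-reach or the issue): JSON.parse keeps the last
// value of a duplicated key; a scanner reports the duplicates so a tool can
// both resolve like a JS runtime and flag the malformed manifest.
// Constructed sample manifest, modelled on the issue (not the real package.json).
const SAMPLE = `{
  "name": "example-pkg",
  "main": "lib/does-not-exist.js",
  "version": "1.0.0",
  "main": "index.js"
}`;
// What a JS runtime sees: the last "main" wins (ECMA-262 JSON.parse semantics).
function lastWinsMain(text) {
  return JSON.parse(text).main;
}
// Lexically scan JSON text and return the names that occur more than once within
// the same object. Values are not parsed; strings are skipped whole so braces inside
// them do not confuse depth tracking. Keys are compared in raw (still-escaped) form.
function findDuplicateKeys(text) {
  const dups = [];
  const stack = []; // one frame per open { or [
  let i = 0;
  const readString = () => { // text[i] is the opening quote
    let s = '';
    let j = i + 1;
    for (; j < text.length && text[j] !== '"'; j++) {
      s += text[j];
      if (text[j] === '\\') s += text[++j]; // keep escape pairs together
    }
    i = j + 1;
    return s;
  };
  while (i < text.length) {
    const c = text[i];
    const top = stack[stack.length - 1];
    if (c === '{') { stack.push({ obj: true, seen: new Set(), expectKey: true }); i++; }
    else if (c === '[') { stack.push({ obj: false }); i++; }
    else if (c === '}' || c === ']') { stack.pop(); i++; }
    else if (c === '"') {
      const s = readString();
      if (top && top.obj && top.expectKey) {
        if (top.seen.has(s)) dups.push(s); else top.seen.add(s);
        top.expectKey = false;
      }
    }
    else if (c === ',') { if (top && top.obj) top.expectKey = true; i++; }
    else i++;
  }
  return dups;
}
```

Running `findDuplicateKeys` before handing the manifest to a strict deserializer gives a precise "duplicate field" diagnostic instead of a hard failure, while `lastWinsMain` mirrors what the runtime will actually load.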