
Conversation

@DmitriyLewen
Contributor

Description

Fix pnpm license matching by using the correct dependency ID format.
Previously, pnpm packages were not getting their license information populated because the license matching logic was using snapshot-based IDs instead of the standard dependency ID format used by package.json analyzers.

Changes:

  • Modified pkg/fanal/analyzer/language/nodejs/pnpm/pnpm.go to use dependency.ID() function to generate consistent IDs for license matching
  • Added test case with PNPM v9 lockfile that includes license information to verify the fix
  • License information now correctly populates for pnpm dependencies (e.g., vue-router shows "MIT" license)

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
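The ID mismatch the description refers to, shown as an added Go example that is not Trivy's own code: a license map keyed by the plain `name@version` ID the package.json analyzers produce, looked up first with a raw pnpm snapshot key (which carries a `(peer@version)` suffix and so never matches) and then with a normalised ID. `parseSnapshotKey` and `pkgID` are hypothetical stand-ins for the project's `dependency.ID` helper, and the package names and versions are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: licenses read from each package's package.json,
// keyed by the plain "name@version" ID the package.json analyzers use.
var licensesByID = map[string]string{
	"vue-router@4.4.5":        "MIT",
	"@vue/devtools-api@6.6.4": "MIT",
}
// parseSnapshotKey splits a pnpm v6/v9-style snapshot key into name and
// version, dropping the "(peer@ver)" suffix pnpm appends for resolved
// peer dependencies. Scoped names (@scope/name) keep their leading '@'.
func parseSnapshotKey(key string) (name, version string) {
	if i := strings.Index(key, "("); i >= 0 {
		key = key[:i]
	}
	key = strings.TrimPrefix(key, "/")
	i := strings.LastIndex(key, "@")
	if i <= 0 { // no version separator (or only the scope's '@')
		return key, ""
	}
	return key[:i], key[i+1:]
}

// pkgID is a hypothetical stand-in for a shared ID helper: it builds the
// same "name@version" key the license map uses.
func pkgID(name, version string) string { return name + "@" + version }
// licenseFor looks a package up either by the raw snapshot key (the old,
// failing behaviour) or by the normalised ID (the fix).
func licenseFor(snapshotKey string, normalise bool) (string, bool) {
	id := snapshotKey
	if normalise {
		id = pkgID(parseSnapshotKey(snapshotKey))
	}
	lic, ok := licensesByID[id]
	return lic, ok
}

func main() {
	for _, k := range []string{"vue-router@4.4.5(vue@3.5.0)", "/@vue/devtools-api@6.6.4(vue@3.5.0)"} {
		_, before := licenseFor(k, false)
		lic, after := licenseFor(k, true)
		fmt.Printf("%-40s before=%v after=%v license=%q\n", k, before, after, lic)
	}
}
```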

- use dependency.ID to match licenses
- add test
@DmitriyLewen DmitriyLewen self-assigned this Oct 14, 2025
@DmitriyLewen DmitriyLewen added the autoready Automatically mark PR as ready for review when all checks pass label Oct 14, 2025
@DmitriyLewen DmitriyLewen changed the title fix(pnpm): use correct ID for license match fix(nodejs):Use the default ID format to match licenses in pnpm packages. Oct 14, 2025
@DmitriyLewen DmitriyLewen changed the title fix(nodejs):Use the default ID format to match licenses in pnpm packages. fix(nodejs): use the default ID format to match licenses in pnpm packages. Oct 14, 2025
@DmitriyLewen DmitriyLewen marked this pull request as ready for review October 14, 2025 10:57
@DmitriyLewen DmitriyLewen removed the autoready Automatically mark PR as ready for review when all checks pass label Oct 14, 2025
@DmitriyLewen DmitriyLewen added this pull request to the merge queue Oct 14, 2025
Merged via the queue into aquasecurity:main with commit 804ea4a Oct 14, 2025
14 of 16 checks passed
@DmitriyLewen DmitriyLewen deleted the fix/pnpm/license-ids branch October 14, 2025 11:36


Development

Successfully merging this pull request may close these issues.

bug(pnpm): Trivy doesn't detect licenses for packages when ID contains peer deps
