snyk-nuget-plugin - npm Package Compare versions

Comparing version 2.2.0 to 2.2.1

dist/nuget-parser/parsers/dotnet-core-v2-parser.d.ts

 import * as depGraphLib from '@snyk/dep-graph';
 import { AssemblyVersions, ProjectAssets, TargetFrameworkInfo } from '../types';
+export declare const FILTERED_DEPENDENCY_PREFIX: string[];
 export declare function parse(projectName: string, projectAssets: ProjectAssets, runtimeAssembly: AssemblyVersions, targetFrameworkInfo: TargetFrameworkInfo): depGraphLib.DepGraph;

dist/nuget-parser/parsers/dotnet-core-v2-parser.js

 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.parse = void 0;
+exports.parse = exports.FILTERED_DEPENDENCY_PREFIX = void 0;
 const debugModule = require("debug");
@@ -9,3 +9,10 @@ const dep_graph_1 = require("@snyk/dep-graph");
 // Dependencies that starts with these are discarded
-const FILTERED_DEPENDENCY_PREFIX = ['runtime'];
+exports.FILTERED_DEPENDENCY_PREFIX = [
+    // `runtime` and `runtime.native` are a bit of a hot topic, see more https://github.com/dotnet/core/issues/7568.
+    // For our case, we are already creating the correct dependencies and their respective runtime version numbers based
+    // of our runtime resolution logic. So a dependency will already be `System.Net.Http@8.0.0` if running on .NET 8, thus
+    // removing the need for a `runtime.native.System.Net.Http@8.0.0` as well. From our investigation these runtime native
+    // dependencies are causing noise for the customers and are not of interested.
+    'runtime',
+];
 // The list of top level dependencies and transitive dependencies differ based on the target runtime we've defined.
@@ -42,2 +49,8 @@ // In the generated dependency file created by the `dotnet` CLI, this is organized by the target framework moniker (TFM).
         const version = depNode[1];
+        // Ignore packages with specific prefixes, which for one reason or the other are no interesting and pollutes the
+        // graph. Refer to comments on the individual elements in the ignore list for more information.
+        if (exports.FILTERED_DEPENDENCY_PREFIX.some((prefix) => name.startsWith(prefix))) {
+            debug(`${name} matched a prefix we ignore, not adding to graph`);
+            continue;
+        }
         const childNode = {
@@ -101,6 +114,2 @@ ...targetDeps[`${name}/${version}`],
         const [nameWithVersion, pkg] = entry;
-        // Ignore packages with specific prefixes, which for one reason or the other are no interesting and pollutes the graph.
-        if (FILTERED_DEPENDENCY_PREFIX.some((prefix) => nameWithVersion.startsWith(prefix))) {
-            return acc;
-        }
         return { ...acc, [nameWithVersion]: pkg };
@@ -107,0 +116,0 @@ }, {});

dist/nuget-parser/runtime-assembly.js

@@ -17,2 +17,4 @@ "use strict";
 // See https://natemcmaster.com/blog/2017/12/21/netcore-primitives/ for a good overview.
+// And https://github.com/dotnet/sdk/blob/main/documentation/specs/runtime-configuration-file.md for the official
+// explanation of what the `deps.json` file is doing that we are traversing.
 function generateRuntimeAssemblies(filePath) {
@@ -19,0 +21,0 @@ debug('extracting runtime assemblies from ' + filePath);

package.json

@@ -61,3 +61,3 @@ {
   },
-  "version": "2.2.0"
+  "version": "2.2.1"
 }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

135222

increased by2.06%

Lines of code

1833

increased by0.66%

No dependency changes