Refactor NPM package updater #1024
Open
+1,564
−224
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… location extraction for a given VulnerabilityDetails
eranturgeman
added
safe to test
github-actions
bot
removed
the
safe to test
…r-npm-package-updater
Collaborator
|
please provide a link to a fix pr |
eyalk007
requested changes
Jan 8, 2026
Collaborator
eyalk007
left a comment
eyalk007
left a comment
There was a problem hiding this comment.
reviewed most of files
please tell me you are done so i can rereveiw
orto17
reviewed
Jan 12, 2026
orto17
reviewed
Jan 12, 2026
orto17
reviewed
Jan 12, 2026
orto17
reviewed
Jan 12, 2026
orto17
reviewed
Jan 12, 2026
orto17
reviewed
Jan 12, 2026
orto17
reviewed
Jan 12, 2026
orto17
reviewed
Jan 12, 2026
Contributor
Author
https://github.com/eranturgeman/npm-small/pull/14 
|
eranturgeman
added
the
safe to test
github-actions
bot
removed
the
safe to test
orto17
reviewed
Jan 21, 2026
eyalk007
reviewed
Jan 21, 2026
eranturgeman
added
the
safe to test
github-actions
bot
removed
the
safe to test
…r-npm-package-updater
eranturgeman
added
the
safe to test
github-actions
bot
removed
the
safe to test
Contributor
eyalk007
reviewed
Jan 26, 2026
eyalk007
reviewed
Jan 26, 2026
eyalk007
reviewed
Jan 26, 2026
Comment on lines
+130
to
+181
| func (npm *NpmPackageUpdater) fixVulnerabilityAndRegenerateLockIfNeeded(vulnDetails *utils.VulnerabilityDetails, descriptorPath string, originalWd string, vulnRegexp *regexp.Regexp) (err error) { | ||
| descriptorContent, err := os.ReadFile(descriptorPath) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to read file '%s': %w", descriptorPath, err) | ||
| } | ||
|
|
||
| if !vulnRegexp.MatchString(strings.ToLower(string(descriptorContent))) { | ||
| return fmt.Errorf("dependency '%s' not found in descriptor '%s' despite lock file evidence", vulnDetails.ImpactedDependencyName, descriptorPath) | ||
| } | ||
|
|
||
| backupContent := make([]byte, len(descriptorContent)) | ||
| copy(backupContent, descriptorContent) | ||
| updatedContent, err := npm.updateVersionInDescriptor(descriptorContent, vulnDetails.ImpactedDependencyName, vulnDetails.SuggestedFixedVersion, descriptorPath) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to update version in descriptor: %w", err) | ||
| } | ||
|
|
||
| if err = os.WriteFile(descriptorPath, updatedContent, 0644); err != nil { | ||
| return fmt.Errorf("failed to write updated descriptor '%s': %w", descriptorPath, err) | ||
| } | ||
|
|
||
| descriptorDir := filepath.Dir(descriptorPath) | ||
| if err = os.Chdir(descriptorDir); err != nil { | ||
| return fmt.Errorf("failed to change directory to '%s': %w", descriptorDir, err) | ||
| } | ||
| defer func() { | ||
| if chErr := os.Chdir(originalWd); chErr != nil { | ||
| err = errors.Join(err, fmt.Errorf("failed to return to original directory: %w", chErr)) | ||
| } | ||
| }() | ||
|
|
||
| lockFileTracked, checkErr := utils.IsFileTrackedByGit(npmLockFileName, originalWd) | ||
| if checkErr != nil { | ||
| log.Debug(fmt.Sprintf("Failed to check if lock file is tracked in git: %s. Proceeding with lock file regeneration.", checkErr.Error())) | ||
| lockFileTracked = true | ||
| } | ||
|
|
||
| if !lockFileTracked { | ||
| log.Debug(fmt.Sprintf("Lock file '%s' does not exist in remote, skipping lock file regeneration", npmLockFileName)) | ||
| log.Debug(fmt.Sprintf("Successfully updated '%s' from version '%s' to '%s' in descriptor '%s' without regenerating lock file", vulnDetails.ImpactedDependencyName, vulnDetails.ImpactedDependencyVersion, vulnDetails.SuggestedFixedVersion, descriptorPath)) | ||
| return | ||
| } | ||
|
|
||
| if err = npm.regenerateLockFileWithRetry(); err != nil { | ||
| log.Warn(fmt.Sprintf("Failed to regenerate lock file after updating '%s' to version '%s': %s. Rolling back...", vulnDetails.ImpactedDependencyName, vulnDetails.SuggestedFixedVersion, err.Error())) | ||
| if rollbackErr := os.WriteFile(descriptorPath, backupContent, 0644); rollbackErr != nil { | ||
| return fmt.Errorf("failed to rollback descriptor after lock file regeneration failure: %w (original error: %v)", rollbackErr, err) | ||
| } | ||
| return err | ||
| } | ||
| log.Debug(fmt.Sprintf("Successfully updated '%s' from version '%s' to '%s' in descriptor '%s'", vulnDetails.ImpactedDependencyName, vulnDetails.ImpactedDependencyVersion, vulnDetails.SuggestedFixedVersion, descriptorPath)) | ||
| return nil |
Collaborator
There was a problem hiding this comment.
as i said before this fucntion does multiple things at once, and is 60 lines long and that is making it hard to read, also this is seperation of concerns
separate them
something like this
func (npm *NpmPackageUpdater) updateDirectDependency(vulnDetails *utils.VulnerabilityDetails) error {
descriptorPaths, err := npm.getDescriptorsToFixFromVulnerability(vulnDetails)
if err != nil {
return err
}
initialWd, err := os.Getwd()
if err != nil {
return fmt.Errorf("failed to get current working directory: %w", err)
}
vulnRegexp := BuildPackageRegex(vulnDetails.ImpactedDependencyName, npmDependencyRegexpPattern)
for _, descriptorPath := range descriptorPaths {
// 1. Fix the descriptor
backup, err := npm.fixDescriptor(vulnDetails, descriptorPath, vulnRegexp)
if err != nil {
log.Warn(...)
continue
}
// 2. Check if lockfile is tracked
descriptorDir := filepath.Dir(descriptorPath)
if isTracked, _ := npm.isLockfileTracked(descriptorDir, initialWd); !isTracked {
log.Debug("Lockfile not tracked, skipping regeneration")
continue
}
// 3. Regenerate lockfile (with rollback on failure)
if err := npm.regenerateLockFile(descriptorPath, descriptorDir, backup); err != nil {
log.Warn(...)
continue
}
}
return nil
}
this is just pseudo code but there should be a concept of separation not just one big function
eyalk007
reviewed
Jan 26, 2026
| return nil | ||
| } | ||
|
|
||
| func (npm *NpmPackageUpdater) updateVersionInDescriptor(content []byte, packageName, newVersion, descriptorPath string) ([]byte, error) { |
Collaborator
There was a problem hiding this comment.
Consider replacing manual JSON parsing with tidwall/sjson library:
will remove all the edge cases handling and around 70 lines from file
eyalk007
reviewed
Jan 26, 2026
|
|
||
| escapedName := regexp.QuoteMeta(packageName) | ||
| replacePattern := fmt.Sprintf(npmDependencyReplacePattern, escapedName) | ||
| replaceRegex := regexp.MustCompile("(?i)" + replacePattern) |
Collaborator
There was a problem hiding this comment.
npm is case sensitive not sure this is correct
eyalk007
reviewed
Jan 26, 2026
| } | ||
|
|
||
| // Creates an environment slice with npm isolation variables that override user's .npmrc settings for specific options while allowing registry configuration to pass through | ||
| func (npm *NpmPackageUpdater) buildIsolatedEnv() []string { |
eyalk007
reviewed
Jan 26, 2026
eyalk007
requested changes
Jan 26, 2026
Collaborator
eyalk007
left a comment
eyalk007
left a comment
There was a problem hiding this comment.
looks a lot better please look at my comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR changes the NPM package handler to test-based fixes instead of cli command fixes.
As past of the change we ease the installation after a fix is performed to only regenerate the lock file, hence reducing the strict build process we used to have and make the process less error prone
Missing testcase:
We need to add a new integration test test case to TestScanRepositoryCmd_Run that verifies we do not regenerate a lock file if it doesnt exists in remote. since the TestScanRepositoryCmd_Run is not passing right now and we need to fix it I added it to the overall test plan for future addition