
     1  package pkg
     2  
// NpmPackage represents the contents of a javascript package.json file.
//
// Field tags serve two purposes: `mapstructure` names the key read when the
// struct is decoded from a generic map, and `json` names the key emitted when
// the struct is serialized. Every field is optional from the decoder's point
// of view; a missing key simply leaves the zero value ("" or false).
type NpmPackage struct {
	// Name is the package name as found in package.json
	Name string `mapstructure:"name" json:"name"`

	// Version is the package version as found in package.json
	Version string `mapstructure:"version" json:"version"`

	// Author is the package author name
	Author string `mapstructure:"author" json:"author"`

	// Homepage is the project homepage URL
	Homepage string `mapstructure:"homepage" json:"homepage"`

	// Description is a human-readable package description
	Description string `mapstructure:"description" json:"description"`

	// URL is the repository or project URL
	URL string `mapstructure:"url" json:"url"`

	// Private is whether this is a private package (the package.json "private"
	// flag, which npm uses to refuse publishing)
	Private bool `mapstructure:"private" json:"private"`
}
    26  
// NpmPackageLockEntry represents a single entry within the "packages" section of a package-lock.json file.
//
// The values are carried exactly as recorded in the lockfile; nothing in this
// type (or this file) re-fetches the artifact or re-checks the hash.
type NpmPackageLockEntry struct {
	// Resolved is the URL where this package was downloaded from (registry source).
	// Useful for provenance: it records which registry or remote tarball the
	// lockfile pinned, not where the package actually came from at scan time.
	Resolved string `mapstructure:"resolved" json:"resolved"`

	// Integrity is the Subresource Integrity hash used for verification, in
	// standard SRI format ("sha512-..." or "sha1-..."). npm moved from SHA-1 to
	// SHA-512 in newer versions, so older lockfiles may still carry the weaker
	// digest. For registry sources this is the integrity reported by the
	// registry; for remote tarballs it is the SHA-512 of the file. npm verifies
	// that the tarball matches this hash before unpacking and raises an
	// EINTEGRITY error on mismatch. Here the value is metadata only.
	Integrity string `mapstructure:"integrity" json:"integrity"`

	// Dependencies is a map of dependency names to their version markers,
	// i.e. "lodash": "^1.0.0" (a range as written, not the resolved version).
	Dependencies map[string]string `mapstructure:"dependencies" json:"dependencies"`
}
    38  
// YarnLockEntry represents a single entry section of a yarn.lock file.
//
// Field names and semantics mirror NpmPackageLockEntry so that consumers can
// treat the two lockfile formats alike; values are carried as recorded and
// are not verified here.
type YarnLockEntry struct {
	// Resolved is the URL where this package was downloaded from, as pinned in
	// the lockfile.
	Resolved string `mapstructure:"resolved" json:"resolved"`

	// Integrity is the Subresource Integrity hash used for verification (SRI
	// format, e.g. "sha512-..."). Metadata only; nothing in this file checks it.
	Integrity string `mapstructure:"integrity" json:"integrity"`

	// Dependencies is a map of dependency names to their version specifiers
	Dependencies map[string]string `mapstructure:"dependencies" json:"dependencies"`
}
    50  
// PnpmLockResolution contains package resolution metadata from pnpm lockfiles,
// including the integrity hash used for verification.
//
// pnpm nests resolution data under a "resolution" key rather than flattening it
// into the entry, which is why this is a separate type embedded by PnpmLockEntry.
type PnpmLockResolution struct {
	// Integrity is the Subresource Integrity hash used for verification (SRI
	// format). Carried as recorded in the lockfile; not re-checked here.
	Integrity string `mapstructure:"integrity" json:"integrity"`
}
    56  
// PnpmLockEntry represents a single entry in the "packages" section of a pnpm-lock.yaml file.
//
// Unlike the npm and yarn lock entry types, there is no top-level Resolved
// field: pnpm keeps resolution details (currently just the integrity hash)
// under Resolution.
type PnpmLockEntry struct {
	// Resolution is the resolution information for the package, decoded from
	// the entry's "resolution" key.
	Resolution PnpmLockResolution `mapstructure:"resolution" json:"resolution"`

	// Dependencies is a map of dependency names to their versions
	Dependencies map[string]string `mapstructure:"dependencies" json:"dependencies"`
}