github.com/jfrog/frogbot@v1.1.1-0.20231221090046-821a26f50338/packagehandlers/npmpackagehandler.go (about)

     1  package packagehandlers
     2  
     3  import (
     4  	"fmt"
     5  	"github.com/jfrog/frogbot/utils"
     6  	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
     7  )
     8  
// Flags appended to the npm install command that applies a dependency fix.
const (
	// npmInstallIgnoreScriptsFlag suppresses lifecycle scripts of the
	// installed packages while the fix is applied; it is always passed.
	npmInstallIgnoreScriptsFlag = "--ignore-scripts"
	// npmInstallPackageLockOnlyFlag restricts the install to package.json and
	// package-lock.json; it is added only when node_modules is absent.
	npmInstallPackageLockOnlyFlag = "--package-lock-only"
)
    13  
// NpmPackageHandler applies dependency fixes to npm projects. It embeds
// CommonPackageHandler and delegates the install step to it, adding the
// npm-specific command flags.
type NpmPackageHandler struct {
	CommonPackageHandler
}
    17  
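// UpdateDependency applies the fix described by vulnDetails.
//
// Only direct dependencies are fixed by this handler. For an indirect
// dependency it returns *utils.ErrUnsupportedFix with the error type
// utils.IndirectDependencyFixNotSupported, carrying the impacted package
// name and suggested version, so the caller can report the case rather
// than attempt it. Otherwise it returns whatever updateDirectDependency
// returns.
func (npm *NpmPackageHandler) UpdateDependency(vulnDetails *utils.VulnerabilityDetails) error {
	// Guard clause first: keeps the happy path unindented and avoids an
	// else branch after a terminating return.
	if !vulnDetails.IsDirectDependency {
		return &utils.ErrUnsupportedFix{
			PackageName:  vulnDetails.ImpactedDependencyName,
			FixedVersion: vulnDetails.SuggestedFixedVersion,
			ErrorType:    utils.IndirectDependencyFixNotSupported,
		}
	}
	return npm.updateDirectDependency(vulnDetails)
}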
    29  
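// updateDirectDependency fixes a direct dependency by delegating to
// CommonPackageHandler.UpdateDependency with the technology's package
// installation command and the npm flags chosen here.
//
// The install always carries --ignore-scripts, so lifecycle scripts of the
// packages being installed are not executed while the fix is applied. When
// the project has no node_modules directory the fix is additionally limited
// to package.json and package-lock.json via --package-lock-only.
//
// Returns an error, wrapping the cause, if the node_modules lookup fails,
// or the error from the delegated install.
func (npm *NpmPackageHandler) updateDirectDependency(vulnDetails *utils.VulnerabilityDetails) error {
	nodeModulesExists, err := fileutils.IsDirExists("node_modules", false)
	if err != nil {
		// %w keeps the underlying error inspectable with errors.Is/As;
		// the original formatted err.Error() with %s and lost the chain.
		return fmt.Errorf("searching for node_modules in project: %w", err)
	}

	commandFlags := []string{npmInstallIgnoreScriptsFlag}
	if !nodeModulesExists {
		// Without node_modules the fix updates only package.json and package-lock.json.
		commandFlags = append(commandFlags, npmInstallPackageLockOnlyFlag)
	}
	return npm.CommonPackageHandler.UpdateDependency(vulnDetails, vulnDetails.Technology.GetPackageInstallationCommand(), commandFlags...)
}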