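package packagehandlers

import (
	"fmt"

	"github.com/jfrog/frogbot/utils"
	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
)

// Flags passed to the npm install command that applies a fix.
const (
	// npmInstallPackageLockOnlyFlag makes npm update package.json and
	// package-lock.json without populating node_modules.
	npmInstallPackageLockOnlyFlag = "--package-lock-only"
	// npmInstallIgnoreScriptsFlag stops npm from running package lifecycle
	// scripts (preinstall/postinstall and friends) during the install, so
	// applying the fix does not execute install hooks from the dependency tree.
	npmInstallIgnoreScriptsFlag = "--ignore-scripts"
)

// NpmPackageHandler applies dependency fixes to npm projects.
type NpmPackageHandler struct {
	CommonPackageHandler
}

// UpdateDependency upgrades the vulnerable dependency described by vulnDetails.
// Only direct dependencies are supported: for an indirect dependency it returns
// an *utils.ErrUnsupportedFix whose ErrorType is IndirectDependencyFixNotSupported.
func (npm *NpmPackageHandler) UpdateDependency(vulnDetails *utils.VulnerabilityDetails) error {
	if !vulnDetails.IsDirectDependency {
		return &utils.ErrUnsupportedFix{
			PackageName:  vulnDetails.ImpactedDependencyName,
			FixedVersion: vulnDetails.SuggestedFixedVersion,
			ErrorType:    utils.IndirectDependencyFixNotSupported,
		}
	}
	return npm.updateDirectDependency(vulnDetails)
}

// updateDirectDependency runs the technology's package installation command for
// vulnDetails, always with --ignore-scripts. When node_modules is absent from the
// working directory, --package-lock-only is added as well so that only
// package.json and package-lock.json are modified.
//
// It returns an error when the node_modules lookup fails or when the delegated
// CommonPackageHandler.UpdateDependency returns one.
func (npm *NpmPackageHandler) updateDirectDependency(vulnDetails *utils.VulnerabilityDetails) error {
	nodeModulesExists, err := fileutils.IsDirExists("node_modules", false)
	if err != nil {
		// %w keeps the underlying error available to errors.Is/errors.As callers.
		return fmt.Errorf("failed while searching for node_modules in project: %w", err)
	}

	commandFlags := []string{npmInstallIgnoreScriptsFlag}
	if !nodeModulesExists {
		// Without node_modules the fix should touch only package.json and package-lock.json.
		commandFlags = append(commandFlags, npmInstallPackageLockOnlyFlag)
	}
	return npm.CommonPackageHandler.UpdateDependency(vulnDetails, vulnDetails.Technology.GetPackageInstallationCommand(), commandFlags...)
}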