Impact e.g. on Trivy scans:
WARN Unable to parse "package.json" to remove dev dependencies: unable to parse .: parse error: JSON decode error: json: cannot unmarshal object into Go struct field packageJSON.workspaces of type []string
Desired Behavior
Parsing package.json files does not fail when workspaces object notation is used.
Actual Behavior
Parser fails and warning gets emitted:
WARN Unable to parse "package.json" to remove dev dependencies: unable to parse .: parse error: JSON decode error: json: cannot unmarshal object into Go struct field packageJSON.workspaces of type []string
Reproduction Steps
1. Clone or create a project with workspaces object notation (e.g., https://github.com/backstage/backstage/blob/master/package.json#L52)
2. Run `trivy fs .`
Target
Filesystem
Scanner
Vulnerability
Output Format
Table
Mode
Standalone
Debug Output
-
Operating System
macOS Ventura 13.6
Version
2024-02-13T10:23:25.765+0100 INFO Loaded trivy.yaml
Version: 0.47.0
Vulnerability DB:
Version: 2
UpdatedAt: 2024-02-13 06:11:52.656032521 +0000 UTC
NextUpdate: 2024-02-13 12:11:52.656032281 +0000 UTC
DownloadedAt: 2024-02-13 08:38:29.761065 +0000 UTC
Policy Bundle:
Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
DownloadedAt: 2023-11-24 02:43:02.401033 +0000 UTC
I got the same issue while parsing package-lock.json.
Description:
Currently, the workspaces field in package-lock.json files is only allowed to be an array of strings. However, it also has an object version.
Example:
"workspaces": {
"nohoist": [
"**"
]
}
Desired Behavior
Parsing package-lock.json files does not fail when workspaces object notation is used.
Actual Behavior
DEBUG Walk error file_path="package-lock.json" err="parse error: failed to parse package-lock.json: decode error: cannot set object value to target of type slice"
Command used: trivy fs . -d
Trivy Version:
INFO Loaded file_path=trivy.yaml
Version: 0.51.1
Vulnerability DB:
Version: 2
UpdatedAt: 2024-05-12 12:11:25.443676796 +0000 UTC
NextUpdate: 2024-05-12 18:11:25.443676515 +0000 UTC
DownloadedAt: 2024-05-12 16:46:18.464060983 +0000 UTC
Check Bundle:
Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
DownloadedAt: 2024-05-12 16:46:20.143160963 +0000 UTC
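Both reports above (the package.json warning at the top of the issue and the package-lock.json walk error in this comment) come from decoding a field declared as `[]string` when the document carries the yarn-classic object form. The following is an added example, not Trivy's or go-dep-parser's own code: a tolerant decoder that accepts either spelling of `workspaces` and keeps the workspace globs in one place. The `Workspaces` type, `ParsePackageJSON`, and the three sample documents are assumptions constructed for this illustration; the object-form keys `packages` and `nohoist` are the ones yarn classic documents.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Workspaces accepts both spellings of the package.json "workspaces" field:
//   - npm/yarn array form:   "workspaces": ["packages/*"]
//   - yarn-classic object form: "workspaces": {"packages": ["packages/*"], "nohoist": ["**"]}
// Patterns holds the workspace globs in either case; NoHoist is only set by the object form.
type Workspaces struct {
	Patterns []string
	NoHoist  []string
}

// UnmarshalJSON is an assumed helper (not Trivy's code). It tries the array form
// first and falls back to the object form, instead of failing with
// "cannot unmarshal object into Go struct field ... of type []string".
func (w *Workspaces) UnmarshalJSON(data []byte) error {
	var arr []string
	if err := json.Unmarshal(data, &arr); err == nil {
		w.Patterns = arr
		w.NoHoist = nil
		return nil
	}
	// Object form. encoding/json ignores keys not listed here.
	var obj struct {
		Packages []string `json:"packages"`
		NoHoist  []string `json:"nohoist"`
	}
	if err := json.Unmarshal(data, &obj); err != nil {
		return fmt.Errorf("workspaces must be an array of globs or an object with a \"packages\" array: %w", err)
	}
	w.Patterns = obj.Packages
	w.NoHoist = obj.NoHoist
	return nil
}

// packageJSON mirrors only the fields relevant to the warning quoted in the thread.
type packageJSON struct {
	Name            string            `json:"name"`
	Version         string            `json:"version"`
	Dependencies    map[string]string `json:"dependencies"`
	DevDependencies map[string]string `json:"devDependencies"`
	Workspaces      Workspaces        `json:"workspaces"`
}

// ParsePackageJSON decodes a package.json document using the tolerant workspaces field.
func ParsePackageJSON(data []byte) (*packageJSON, error) {
	var pkg packageJSON
	if err := json.Unmarshal(data, &pkg); err != nil {
		return nil, fmt.Errorf("unable to parse package.json: %w", err)
	}
	return &pkg, nil
}

// Constructed sample inputs; they are not taken from any real project.
const arrayForm = `{"name":"array-ws","version":"1.0.0","workspaces":["packages/*","plugins/*"]}`
const objectForm = `{"name":"object-ws","version":"1.0.0","devDependencies":{"lerna":"^7.0.0"},
  "workspaces":{"packages":["packages/*"],"nohoist":["**"]}}`
const badForm = `{"name":"bad-ws","workspaces":42}`

func main() {
	for _, in := range []string{arrayForm, objectForm, badForm} {
		pkg, err := ParsePackageJSON([]byte(in))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s: patterns=%v nohoist=%v\n", pkg.Name, pkg.Workspaces.Patterns, pkg.Workspaces.NoHoist)
	}
}
```

The same `Workspaces` type can be reused for the root package entry of a package-lock.json, which carries the `workspaces` field in the same two shapes. A value that is neither an array nor an object (the `badForm` input) is still rejected, so the decoder does not silently accept malformed manifests; it only widens the accepted shapes to the ones package managers actually emit.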
IIRC only yarn uses nohoist. Also the npm docs don't contain info that workspaces can be an object.
Can you reproduce the steps for npm to get package-lock.json file with workspace as map?
Thanks @DmitriyLewen for highlighting that only yarn uses nohoist.
So we have removed the legacy code regarding nohoist, and now we have workspaces as a JSON array and the Trivy scan succeeds.
Ref:
package.json
Discussed in #6114
Originally posted by pjungermann February 13, 2024
Description
Currently, the workspaces field in package.json files is only allowed to be an array of strings. However, it also has an object version: https://classic.yarnpkg.com/blog/2018/02/15/nohoist/
Example
Ref to an active open-source project using this notation:
https://github.com/backstage/backstage/blob/master/package.json#L52
Impact e.g. on Trivy scans:
Relates-to: aquasecurity/go-dep-parser#295