Node package dependencies ending up as related dependency of the wrong version of the package #5477

@aikebah

Description

Describe the bug
While trying to get some clarity on the dependency-merging concurrency issue I spotted strange behaviour with respect to conflicting dependency versions. The conflicting versions appear to be mitigated by npm by installing the conflicting version as a child module of the module requiring it, but DependencyCheck is failing to properly account for it.

Version of dependency-check used
The problem occurs using version 8.1.0 of the gradle plugin (likely others as well)

To Reproduce
Steps to reproduce the behavior:

  1. Create a gradle project with a package.json containing
    {
      "name": "app1",
      "version": "1.0.0",
      "dependencies": {
        "@angular/core": "^15.1.5",
        "rxjs": "^6.6.7",
        "zone.js": "^0.11.8"
      }
    }
  2. Run npm install on the project (gradle npmInstall)
  3. Observe that @angular/core pulled in tslib version 2.5.0 which gets installed as a child of the root node_modules and rxjs pulled in tslib version 1.14.1, which gets installed as a child of node_modules/rxjs/node_modules
  4. Run DependencyCheck on the project (gradle dependencyCheckAnalyze)
  5. Open the report and scroll down to the tslib 1.14.1 entry. Observe that File Path: <projectlocation>/package-lock.json?rxjs:6.6.7/tslib:^1.9.0 is nowhere to be found in the related dependencies of this entry
  6. Scroll to the tslib 2.5.0 entry and observe that File Path: <projectlocation>/package-lock.json?rxjs:6.6.7/tslib:^1.9.0 is found in the entries despite the fact that version 2.5.0 does not satisfy the version-range constraint (^1.9.0) of the dependency.

Expected behavior
File Path: <projectlocation>/package-lock.json?rxjs:6.6.7/tslib:^1.9.0 is accounted for in the relatedDependencies of tslib 1.14.1

Additional context
npm version 8.19.3
node version 16.18.1
gradle version 7.6
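The resolution that steps 3, 5 and 6 describe, as an added example that is not DependencyCheck's or npm's own code: a declared dependency such as rxjs's `tslib: ^1.9.0` has to be mapped to the copy Node would actually load for rxjs (the nearest `node_modules/tslib` walking up from `node_modules/rxjs`), and that copy should then be checked against the declared range. The lockfile is constructed from the report; the `^2.3.0` tslib range on `@angular/core` is an assumption.

```javascript
// Constructed lockfile (npm v2/v3 "packages" shape) mirroring the report; the
// "^2.3.0" tslib range on @angular/core is an assumption, not from the issue.
const lock = { packages: {
  "": { name: "app1", version: "1.0.0",
        dependencies: { "@angular/core": "^15.1.5", rxjs: "^6.6.7", "zone.js": "^0.11.8" } },
  "node_modules/@angular/core": { version: "15.1.5", dependencies: { tslib: "^2.3.0" } },
  "node_modules/tslib": { version: "2.5.0" },
  "node_modules/rxjs": { version: "6.6.7", dependencies: { tslib: "^1.9.0" } },
  "node_modules/rxjs/node_modules/tslib": { version: "1.14.1" },
  "node_modules/zone.js": { version: "0.11.8" },
} };

// Resolve <depName> for the package at <dependentPath> the way Node does:
// try <dependentPath>/node_modules/<depName>, then walk up one level at a time.
function resolveDependency(lock, dependentPath, depName) {
  let dir = dependentPath;
  for (;;) {
    const candidate = `${dir ? dir + "/" : ""}node_modules/${depName}`;
    if (lock.packages[candidate]) return { path: candidate, version: lock.packages[candidate].version };
    if (!dir) return null;                         // root reached, nothing installed
    const idx = dir.lastIndexOf("node_modules/");  // strip trailing /node_modules/<name>
    dir = idx <= 0 ? "" : dir.slice(0, idx - 1);
  }
}

// Minimal caret check for plain x.y.z versions: not below the base, and the
// left-most non-zero component of the base unchanged (^1.9.0 excludes 2.5.0).
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error("example handles caret ranges only");
  const [ma, mi, pa] = range.slice(1).split(".").map(Number);
  const [va, vb, vc] = version.split(".").map(Number);
  const notBelow = va > ma || (va === ma && (vb > mi || (vb === mi && vc >= pa)));
  const sameLeft = ma > 0 ? va === ma : mi > 0 ? (va === 0 && vb === mi) : (va === 0 && vb === 0 && vc === pa);
  return notBelow && sameLeft;
}

// Key each declared dependency as "dependent:version/dep:range" (the File Path
// suffix shown in the report) and map it to the copy npm installed for it.
function relatedDependencies(lock) {
  const out = {};
  for (const [pkgPath, pkg] of Object.entries(lock.packages)) {
    const name = pkgPath === "" ? pkg.name : pkgPath.slice(pkgPath.lastIndexOf("node_modules/") + 13);
    for (const [dep, range] of Object.entries(pkg.dependencies || {})) {
      const hit = resolveDependency(lock, pkgPath, dep);
      out[`${name}:${pkg.version}/${dep}:${range}`] = hit && { ...hit, satisfies: satisfiesCaret(hit.version, range) };
    }
  }
  return out;
}
```

With this mapping, `rxjs:6.6.7/tslib:^1.9.0` lands on the nested 1.14.1 copy, and attaching it to the root 2.5.0 entry instead would fail the range check.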
