npmsource

package
v0.4.3 Latest
Warning

This package is not in the latest version of its module.

Published: Feb 9, 2026 License: Apache-2.0, BSD-3-Clause, MIT Imports: 18 Imported by: 0

Documentation

Overview

Package npmsource implements an annotator that determines where packages were installed from. This is used to determine whether an NPM package is a locally-published package, in order to identify package name collisions on the NPM registry.

Constants

const (
	// Name of the Annotator.
	Name = "misc/npm-source"
)

Variables

This section is empty.

Functions

func MapNPMProjectRootsToPackages

func MapNPMProjectRootsToPackages(packages []*extractor.Package) map[string][]*extractor.Package

MapNPMProjectRootsToPackages maps the root-level directories to packages where they were installed from. Note that only NPM packages from root/node_modules/../package.json are considered. For example, if package @foo/bar was installed from root/node_modules/foo/bar/package.json, then the map will contain root as the key and package @foo/bar as the value.

func NPMPackageSource

func NPMPackageSource(resolved string) metadata.NPMPackageSource

NPMPackageSource returns the source of the NPM package based on the resolved field in the lockfile.

func New

New returns a new Annotator.

func ResolvedFromLockfile

func ResolvedFromLockfile(root string, fsys scalibrfs.FS) (map[string]metadata.NPMPackageSource, error)

ResolvedFromLockfile looks for lockfiles in the given root directory and returns a map of package names in the lockfile and the source of the package. If no lockfile is found, it returns an error. The first non-empty lockfile it finds per the priority list gets parsed and returned. For example, when given /tmp as root, it will look through the following lockfiles in this order:

1. /tmp/npm-shrinkwrap.json
2. /tmp/package-lock.json
3. /tmp/node_modules/.package-lock.json
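
The lookup described for ResolvedFromLockfile and NPMPackageSource, sketched with the standard library only. This is an added example, not osv-scalibr's code: `classify`, `sourcesFromLockfile`, `sample`, the category strings and the host `npm.corp.example` are assumptions, and only the lockfileVersion 2/3 `packages` layout is handled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// classify and sourcesFromLockfile are hypothetical; the prefix rule is an assumption.
func classify(resolved string) string {
	switch {
	case strings.HasPrefix(resolved, "https://registry.npmjs.org/"):
		return "public-registry"
	case strings.HasPrefix(resolved, "file:"):
		return "local"
	}
	return "other" // private registry, git URL, or no resolved field
}

func sourcesFromLockfile(fsys fs.FS, root string) (map[string]string, error) {
	for _, name := range []string{"npm-shrinkwrap.json", "package-lock.json", "node_modules/.package-lock.json"} {
		data, err := fs.ReadFile(fsys, path.Join(root, name))
		if err != nil || len(data) == 0 {
			continue // missing or empty: try the next candidate in priority order
		}
		var lock struct{ Packages map[string]struct{ Resolved string } } // v2/v3 layout
		if err := json.Unmarshal(data, &lock); err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out := map[string]string{}
		for key, p := range lock.Packages {
			if i := strings.LastIndex(key, "node_modules/"); i >= 0 { // skips the root "" entry
				out[key[i+len("node_modules/"):]] = classify(p.Resolved)
			}
		}
		return out, nil
	}
	return nil, fmt.Errorf("no lockfile found under %q", root)
}

var sample = fstest.MapFS{ // constructed input: empty shrinkwrap, then a lockfile
	"proj/npm-shrinkwrap.json": {},
	"proj/package-lock.json": {Data: []byte(`{"packages":{"":{},"node_modules/left-pad":{"resolved":"https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
		"node_modules/@corp/auth":{"resolved":"https://npm.corp.example/auth-2.0.0.tgz"},"node_modules/@corp/utils":{"resolved":"file:../corp-utils-1.0.0.tgz"}}}`)},
}
func main() { fmt.Println(sourcesFromLockfile(sample, "proj")) }
```

An empty npm-shrinkwrap.json does not shadow the real lockfile here, and a scoped package resolved from somewhere other than the public registry is the case a name-collision check cares about.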

Types

type Annotator

type Annotator struct{}

Annotator adds annotations to NPM packages that are installed from the NPM repositories. This is used to determine whether an NPM package is a locally-published package, in order to identify package name collisions on the NPM registry.

func (*Annotator) Annotate

func (a *Annotator) Annotate(ctx context.Context, input *annotator.ScanInput, results *inventory.Inventory) error

Annotate adds annotations to NPM packages from /node_modules/../package.json that are installed from the NPM repositories.

func (Annotator) Name

func (Annotator) Name() string

Name of the annotator.

func (Annotator) Requirements

func (Annotator) Requirements() *plugin.Capabilities

Requirements of the annotator.

func (Annotator) Version

func (Annotator) Version() int

Version of the annotator.
