Bug: Incomplete JavaScript/NPM Dependency Resolution #39

@Jaydeep869

Description

JavaScriptResolver in pkg/resolver/javascript.go appears biased toward pnpm path layouts (via pnpmPathRe) and does not fully resolve dependencies for standard npm/yarn flattened node_modules layouts.

Steps to Reproduce

  1. Use a project that installs dependencies using npm or yarn classic.
  2. Run sbomit on that project.
  3. Compare expected packages in node_modules/<package> to resolved output.

Expected Behavior

Resolver supports pnpm, npm, and yarn topologies and resolves dependencies from standard node_modules/<package> paths.

Actual Behavior

Dependencies in non-pnpm layouts are missed or incompletely resolved.

Environment

  • sbomit version: current main branch
  • Go version: any supported version
  • OS: Linux/macOS/Windows

Additional Context

  • Area: pkg/resolver/javascript.go
  • Suggested fix:
    • Expand regex matching to include standard npm/yarn paths.
    • Update resolution logic to normalize package paths across pnpm and non-pnpm structures.
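As an added illustration of the path normalization the suggested fix asks for (example code written here, not sbomit's resolver or its pnpmPathRe): a Go function that maps a file path from a pnpm, npm or yarn classic node_modules tree to its owning package. The pnpm store directory shape it decodes (package name with "/" written as "+", then "@version", then an optional "_" peer-dependency suffix) is assumed from pnpm's virtual-store layout, not taken from the page.

```go
package main

import (
	"path"
	"strings"
)

// PackageFromPath maps a file path from a pnpm, npm or yarn classic install to the
// name and version of the package that owns it. The innermost node_modules segment
// decides the owner, so node_modules/a/node_modules/b resolves to b. version is
// empty when the layout does not encode it (npm/yarn trees keep it in package.json).
func PackageFromPath(p string) (name, version string, ok bool) {
	parts := strings.Split(path.Clean(strings.ReplaceAll(p, `\`, "/")), "/")
	idx := -1
	for i := len(parts) - 1; i >= 0; i-- { // innermost node_modules segment
		if parts[i] == "node_modules" {
			idx = i
			break
		}
	}
	if idx < 0 || idx+1 >= len(parts) {
		return "", "", false
	}
	name = parts[idx+1]
	if strings.HasPrefix(name, "@") { // scoped package: @scope/name spans two segments
		if idx+2 >= len(parts) {
			return "", "", false
		}
		name += "/" + parts[idx+2]
	}
	if name == ".pnpm" || name == ".bin" { // store and shim directories are not packages
		return "", "", false
	}
	// Assumed pnpm virtual store shape: node_modules/.pnpm/<name with "/" as "+">@<version>[_<peer suffix>]/node_modules/<name>/...
	// Only the package the store directory is named after gets its version from the path.
	for i := idx - 1; i >= 0; i-- {
		if parts[i] == ".pnpm" && i+1 < idx {
			if enc := strings.ReplaceAll(name, "/", "+") + "@"; strings.HasPrefix(parts[i+1], enc) {
				version = strings.TrimPrefix(parts[i+1], enc)
				if j := strings.IndexByte(version, '_'); j >= 0 {
					version = version[:j] // drop peer-dependency suffix
				}
			}
			break
		}
	}
	return name, version, true
}
```

A dependency symlinked into another package's store directory (node_modules/.pnpm/foo@1.2.3/node_modules/bar) resolves to bar with an empty version, so the caller still has to read bar's package.json, exactly as for flattened npm/yarn layouts.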
