bug(nodejs): package.json parser fails on object notation for workspaces #6129

@nikpivkin

Description

Ref:

Discussed in #6114

Originally posted by pjungermann February 13, 2024

Description

Currently, the workspaces field in package.json files is only allowed to be an array of strings. However, it has also an object version.

https://classic.yarnpkg.com/blog/2018/02/15/nohoist/

Example

```json
  "workspaces": {
    "packages": [
      "packages/*",
      "plugins/*"
    ]
  },
```

Ref to an active open-source project using this notation:
https://github.com/backstage/backstage/blob/master/package.json#L52

Impact e.g. on Trivy scans:

WARN  Unable to parse "package.json" to remove dev dependencies: unable to parse .: parse error: JSON decode error: json: cannot unmarshal object into Go struct field packageJSON.workspaces of type []string

Relates-to: aquasecurity/go-dep-parser#295

Desired Behavior

Parsing package.json files does not fail when workspaces object notation is used.

Actual Behavior

Parser fails and warning gets emitted:

WARN  Unable to parse "package.json" to remove dev dependencies: unable to parse .: parse error: JSON decode error: json: cannot unmarshal object into Go struct field packageJSON.workspaces of type []string

Reproduction Steps

1. Clone or create a project with workspaces object notation (e.g., https://github.com/backstage/backstage/blob/master/package.json#L52)
2. Run `trivy fs .`

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

-

Operating System

macOS Ventura 13.6

Version

2024-02-13T10:23:25.765+0100    INFO    Loaded trivy.yaml
Version: 0.47.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-13 06:11:52.656032521 +0000 UTC
  NextUpdate: 2024-02-13 12:11:52.656032281 +0000 UTC
  DownloadedAt: 2024-02-13 08:38:29.761065 +0000 UTC
Policy Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2023-11-24 02:43:02.401033 +0000 UTC
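The decode error quoted above comes from a plain `[]string` field, which rejects the object form. The following is an added example (not code from Trivy or go-dep-parser) showing how a custom `UnmarshalJSON` on a named slice type can accept both the array form and the yarn `nohoist` object form, keeping only the `packages` globs. The `PackageJSON` struct and the three sample documents are constructed for illustration and are not the project's own definitions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Workspaces models the package.json "workspaces" field. npm and yarn accept
// two shapes, and a plain []string field rejects the second one:
//
//	"workspaces": ["packages/*", "plugins/*"]
//	"workspaces": {"packages": ["packages/*", "plugins/*"], "nohoist": ["**/foo"]}
type Workspaces []string

// UnmarshalJSON tries the array form first, then the object form. Only the
// package globs are kept; the "nohoist" list does not affect which
// package.json files belong to the workspace.
func (w *Workspaces) UnmarshalJSON(data []byte) error {
	// Decode into a plain []string (not Workspaces) to avoid recursing into this method.
	var arr []string
	if err := json.Unmarshal(data, &arr); err == nil {
		*w = arr
		return nil
	}
	var obj struct {
		Packages []string `json:"packages"`
	}
	if err := json.Unmarshal(data, &obj); err != nil {
		// Neither shape matched (e.g. a bare string); report both accepted forms.
		return fmt.Errorf("workspaces: expected an array of strings or an object with a \"packages\" array: %w", err)
	}
	*w = obj.Packages
	return nil
}

// PackageJSON is a hypothetical, reduced stand-in for the struct named in the
// warning on this page; only the fields needed for the example are included.
type PackageJSON struct {
	Name            string            `json:"name"`
	Workspaces      Workspaces        `json:"workspaces"`
	DevDependencies map[string]string `json:"devDependencies"`
}

// ParsePackageJSON decodes one package.json document.
func ParsePackageJSON(data []byte) (PackageJSON, error) {
	var pkg PackageJSON
	if err := json.Unmarshal(data, &pkg); err != nil {
		return PackageJSON{}, fmt.Errorf("parse error: JSON decode error: %w", err)
	}
	return pkg, nil
}

// Constructed sample documents (not taken from any real project).
const (
	arrayForm  = `{"name": "demo", "workspaces": ["packages/*", "plugins/*"], "devDependencies": {"jest": "^29.0.0"}}`
	objectForm = `{"name": "demo", "workspaces": {"packages": ["packages/*", "plugins/*"], "nohoist": ["**/react-native"]}}`
	badForm    = `{"name": "demo", "workspaces": "packages/*"}`
)

func main() {
	for _, doc := range []string{arrayForm, objectForm, badForm} {
		pkg, err := ParsePackageJSON([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> workspaces=%v devDependencies=%v\n", pkg.Name, pkg.Workspaces, pkg.DevDependencies)
	}
}
```

Both the array and the object document decode to the same two globs, while the bare-string document still fails with a clear error instead of a partially filled struct.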

Labels

kind/bug (Categorizes issue or PR as related to a bug.)
