
Bug: Incomplete JavaScript/NPM Dependency Resolution #39

@Jaydeep869

Description

JavaScriptResolver in pkg/resolver/javascript.go appears biased toward pnpm path layouts (via pnpmPathRe) and does not fully resolve dependencies for standard npm/yarn flattened node_modules layouts.

Steps to Reproduce

  1. Use a project that installs dependencies using npm or yarn classic.
  2. Run sbomit on that project.
  3. Compare expected packages in node_modules/<package> to resolved output.

Expected Behavior

Resolver supports pnpm, npm, and yarn topologies and resolves dependencies from standard node_modules/<package> paths.

Actual Behavior

Dependencies in non-pnpm layouts are missed or incompletely resolved.

Environment

  • sbomit version: current main branch
  • Go version: any supported version
  • OS: Linux/macOS/Windows

Additional Context

  • Area: pkg/resolver/javascript.go
  • Suggested fix:
    • Expand regex matching to include standard npm/yarn paths.
    • Update resolution logic to normalize package paths across pnpm and non-pnpm structures.

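To make the suggested fix concrete, here is a small path-normalization routine in Go that resolves a `node_modules` path to a package name under the pnpm virtual-store layout as well as the flattened npm / yarn-classic layout (including scoped and nested packages). This is an added example written for this issue, not code from sbomit or from the reporter; only `pnpmPathRe` is a name taken from the issue, and `Package`, `Resolve`, `decodePnpmStoreDir` and `flatPathRe` are hypothetical. It assumes the documented pnpm store layout `node_modules/.pnpm/<name>@<version>[(peer@ver)]/node_modules/<name>` with `@scope/name` encoded as `@scope+name`, and the usual flat layout `node_modules/[@scope/]<name>`, possibly nested under another package's `node_modules`.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Package is one resolved node_modules entry. (hypothetical type for this example)
type Package struct {
	Name    string // "lodash" or "@babel/core"
	Version string // only recoverable from the path in pnpm layouts; "" otherwise
	Layout  string // "pnpm" or "flat"
}

// pnpm virtual store: node_modules/.pnpm/<store-dir>/node_modules/<name>.
// The store dir encodes "<name>@<version>" with scoped names as "@scope+name"
// and, in pnpm >= 8, peer-dependency variants appended as "(peer@ver)". (assumption)
var pnpmPathRe = regexp.MustCompile(`(?:^|/)node_modules/\.pnpm/([^/]+)/node_modules/((?:@[^/]+/)?[^/]+)$`)

// Flat npm / yarn-classic layout: node_modules/<name> or node_modules/@scope/<name>.
// The last path segment may not start with "." (skips .bin, .pnpm, .cache) or "@"
// (a bare scope directory is not a package). Anchoring at "$" makes the match
// land on the innermost node_modules for nested duplicates.
var flatPathRe = regexp.MustCompile(`(?:^|/)node_modules/((?:@[^/]+/)?[^/.@][^/]*)$`)

// decodePnpmStoreDir splits "@babel+core@7.24.0(@babel+preset-env@7.24.0)"
// into ("@babel/core", "7.24.0").
func decodePnpmStoreDir(dir string) (name, version string) {
	if i := strings.IndexByte(dir, '('); i >= 0 {
		dir = dir[:i] // drop peer-dependency suffix
	}
	i := strings.LastIndexByte(dir, '@')
	if i <= 0 { // no version separator (index 0 would be a scope marker)
		return strings.ReplaceAll(dir, "+", "/"), ""
	}
	return strings.ReplaceAll(dir[:i], "+", "/"), dir[i+1:]
}

// Resolve maps a directory path to the package it represents. It returns false
// for paths that are not a package directory: .bin, a bare scope directory,
// project sources, or a dependency symlink inside another package's store dir
// (that dependency is picked up from its own store dir instead).
func Resolve(p string) (Package, bool) {
	p = path.Clean(strings.ReplaceAll(p, `\`, "/")) // tolerate Windows separators
	if m := pnpmPathRe.FindStringSubmatch(p); m != nil {
		storeName, version := decodePnpmStoreDir(m[1])
		if storeName != m[2] {
			return Package{}, false // symlink to a dependency, not the package itself
		}
		return Package{Name: m[2], Version: version, Layout: "pnpm"}, true
	}
	if m := flatPathRe.FindStringSubmatch(p); m != nil {
		return Package{Name: m[1], Layout: "flat"}, true
	}
	return Package{}, false
}

func main() {
	// Constructed sample paths covering pnpm, flat, scoped, nested and non-package dirs.
	for _, p := range []string{
		"node_modules/lodash",
		"node_modules/@babel/core",
		"node_modules/express/node_modules/debug",
		"node_modules/.pnpm/lodash@4.17.21/node_modules/lodash",
		"node_modules/.pnpm/@babel+core@7.24.0(@babel+preset-env@7.24.0)/node_modules/@babel/core",
		"node_modules/.pnpm/express@4.19.2/node_modules/debug",
		"node_modules/.bin/tsc",
		"node_modules/@babel",
		`proj\node_modules\lodash`,
	} {
		pkg, ok := Resolve(p)
		fmt.Printf("%-85s -> %+v (ok=%v)\n", p, pkg, ok)
	}
}
```

The point of checking `pnpmPathRe` before `flatPathRe` is that every pnpm store path also ends in `node_modules/<name>` and would otherwise be misclassified as a flat install with no version information.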