File tree 1 file changed +6
-4
lines changed
1 file changed +6
-4
lines changed Original file line number Diff line number Diff line change @@ -113,15 +113,17 @@ func (ds *DependencySubgraph) IsDevOnly(groups map[manifest.RequirementKey][]str
113113 if e .Type .HasAttr (dep .Dev ) {
114114 continue
115115 }
116- if e .To == ds .Dependency {
117- return false
118- }
119116 // As a workaround for npm workspaces, check for the a Dev attr in the direct dependency's dependencies.
120117 for _ , e2 := range ds .Nodes [e .To ].Children {
121118 if ! e2 .Type .HasAttr (dep .Dev ) {
122119 return false
123120 }
124121 }
122+ // If the vulnerable dependency is a direct dependency, it'd have no Children.
123+ // Since we've already checked that it doesn't have the Dev attr, it must be a non-dev dependency.
124+ if e .To == ds .Dependency {
125+ return false
126+ }
125127 }
126128
127129 return true
@@ -140,7 +142,7 @@ func (ds *DependencySubgraph) IsDevOnly(groups map[manifest.RequirementKey][]str
140142// If the vuln affecting C is fixed in version 2.0, the constraining subgraph would only contain A,
141143// since B would allow versions >=2.0 of C to be selected if not for A.
142144//
143- // This is a heuristic approach and may produce false positives.
145+ // This is a heuristic approach and may produce false positives (meaning possibly unnecessary dependencies would be flagged to be relaxed) .
144146// If the constraining subgraph cannot be computed for some reason, returns the original DependencySubgraph.
145147func (ds * DependencySubgraph ) ConstrainingSubgraph (ctx context.Context , cl resolve.Client , vuln * models.Vulnerability ) * DependencySubgraph {
146148 // Just check if the direct requirement of the vulnerable package is constraining it.
You can’t perform that action at this time.
0 commit comments