Hello,
Experiencing this interesting bug where given a directory with the following hierarchy:
(i.e., a root directory with components managed by a package.json, and a subfolder with its own set of components managed in a separate package.json)
In the event that a vulnerable transitive dependency (let's say, package x) appears in a component in the child directory's set (let's call the parent component A), the component detector seems to group A with all other packages in root that also contain vulnerable transitive dependency x in the bcde-output.json file, with no regard for this difference in directory hierarchy.
Is it possible for this differentiation to be made between levels on component detection? Happy to offer additional context (sorry for the lack of screenshots / examples, this issue is happening in the component detector being leveraged in an internal MSFT tool.)
Thanks for the report. Could you open your package-lock.json files and check if lockfileVersion is 3?
My hunch is that because we don't support that lockfile version just yet (see #476), they get picked up by our NpmDetector, which just scans package.json files, without root information, and that may be bunching them together under root.
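To check both points raised in this thread (which lockfileVersion each package-lock.json declares, and which manifest root a transitive package such as x really belongs to), here is an added triage script; it is not component-detector code, and the sample tree and the package names a, A and x are constructed:

```python
import json
from pathlib import PurePosixPath

# Constructed sample: root and nested child manifests, each with its own lockfile;
# only the child's lock (lockfileVersion 3) pulls in the transitive package "x".
SAMPLE_TREE = {
    "package.json": '{"name": "root", "dependencies": {"a": "1.0.0"}}',
    "package-lock.json": json.dumps({"lockfileVersion": 2, "packages": {
        "": {"name": "root"}, "node_modules/a": {"version": "1.0.0"}}}),
    "child/package.json": '{"name": "child", "dependencies": {"A": "2.0.0"}}',
    "child/package-lock.json": json.dumps({"lockfileVersion": 3, "packages": {
        "": {"name": "child"}, "node_modules/x": {"version": "1.2.3"},
        "node_modules/A": {"version": "2.0.0", "dependencies": {"x": "^1"}}}}),
}

def lock_packages(lock):
    """Return (lockfileVersion, package names). v1 nests entries under
    'dependencies'; v2/v3 list them flat under 'packages' keyed by their
    node_modules path, where the empty key is the project itself."""
    version, names = lock.get("lockfileVersion", 1), set()
    if version >= 2:
        for key in lock.get("packages", {}):
            if key:
                names.add(key.rsplit("node_modules/", 1)[-1])  # keeps @scope/name
    else:
        def walk(deps):
            for name, info in deps.items():
                names.add(name)
                walk(info.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return version, names

def attribute_by_root(tree):
    """Map each directory holding a package.json to (lockfileVersion, names) taken
    from the lockfile beside it, or (None, direct deps) when there is none."""
    roots = {}
    for path, text in tree.items():
        p = PurePosixPath(path)
        if p.name == "package.json":
            lock = tree.get(str(p.with_name("package-lock.json")))
            roots[str(p.parent)] = (lock_packages(json.loads(lock)) if lock else
                                    (None, set(json.loads(text).get("dependencies", {}))))
    return roots

def roots_containing(tree, package):
    """Manifest roots whose own lockfile contains `package`, kept separate per root."""
    return sorted(r for r, (_, n) in attribute_by_root(tree).items() if package in n)
```

To run it against a checkout, build the same {relative_path: text} mapping by walking the tree for package.json and package-lock.json files (skipping node_modules); a root reported with lockfileVersion 3 is one the NpmDetector fallback would currently see without root information.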