
Track when a package or dependency is private #3102

Closed
pombredanne opened this issue Sep 12, 2022 · 6 comments
@pombredanne
Member

Short Description

Some local packages are "private" and never published in public repositories.
npm has a private flag for instance https://docs.npmjs.com/cli/v6/configuring-npm/package-json#private
We should have a way to track this as these never have a public URL for example.

@aadityasinha-dotcom

Can I work on this issue?

@pombredanne
Member Author

@aadityasinha-dotcom sorry for the late reply! No need to ask... please go for it!

keshav-space added a commit to aboutcode-org/scancode.io that referenced this issue Jun 29, 2023
- Instead going forward we'll be using aboutcode-org/scancode-toolkit#3102 to ignore private PURLs

Signed-off-by: Keshav Priyadarshi <[email protected]>
keshav-space added a commit to aboutcode-org/scancode.io that referenced this issue Jul 4, 2023
- Instead going forward we'll be using aboutcode-org/scancode-toolkit#3102 to ignore private PURLs

Signed-off-by: Keshav Priyadarshi <[email protected]>
keshav-space added a commit to aboutcode-org/scancode.io that referenced this issue Jul 7, 2023
- Instead going forward we'll be using aboutcode-org/scancode-toolkit#3102 to ignore private PURLs

Signed-off-by: Keshav Priyadarshi <[email protected]>
keshav-space added a commit to aboutcode-org/scancode.io that referenced this issue Jul 20, 2023
- Instead going forward we'll be using aboutcode-org/scancode-toolkit#3102 to ignore private PURLs

Signed-off-by: Keshav Priyadarshi <[email protected]>
@pombredanne
Member Author

Here is an odd npm package https://registry.npmjs.org/@restart/ui/-/ui-1.0.1.tgz that contains many private package.json files.
These were compiled from tsx files ( https://github.com/react-restart/ui/blob/main/src/Anchor.tsx ), which I think are React JSX files but in TypeScript.

@pombredanne
Member Author

Carried over from dupe #3524

Handle "multiple personality" packages and private npm correctly

When I scan this: https://files.pythonhosted.org/packages/20/ea/b0969834e5d79365731303be8b82423e6b1c293aa92c28335532ab542f83/Django-4.2.5.tar.gz which is an obvious Pypi package, I can see that Django has a package.json at the root, but this is a "private" package:

{
  "name": "Django",
  "private": true,
  "scripts": {
    "pretest": "eslint .",
    "test": "grunt test --verbose"
  },
  "engines": {
    "npm": ">=1.3.0"
  },
  "devDependencies": {
    "eslint": "^8.36.0",
    "puppeteer": "^19.8.2",
    "grunt": "^1.6.1",
    "grunt-cli": "^1.4.3",
    "grunt-contrib-qunit": "^7.0.0",
    "qunit": "^2.19.4"
  }
}

This ends up being confusing downstream in particular in SCIO.

  1. we should find a way to track private packages with a flag. These are common and they also include various lockfile-only unnamed packages found when you just build an app and just need dependencies, and are not creating packages. These never have URLs and so on.

  2. we need to better handle packages with multiple personalities as there are cases when one personality primes over the other. Secondary package manifest may be there only as a build convenience.
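As an added illustration of the two points above (example code, not ScanCode Toolkit's or scancode.io's own), a small Python classifier that treats an npm manifest as private when it carries npm's `"private": true` flag or has no name, and only otherwise derives a PURL and registry tarball URL; the nameless-means-private rule, the `pick_primary` helper and the sample manifests are assumptions of this example.

```python
import json
from urllib.parse import quote

# Constructed sample manifests for this example (trimmed, not the exact files
# from the issue): Django's build-only package.json, a published scoped
# package, and an application manifest that only lists dependencies.
DJANGO_ROOT_PACKAGE_JSON = json.dumps({
    "name": "Django",
    "private": True,
    "devDependencies": {"eslint": "^8.36.0"},
})
PUBLIC_PACKAGE_JSON = json.dumps({"name": "@restart/ui", "version": "1.0.1"})
UNNAMED_APP_PACKAGE_JSON = json.dumps({"dependencies": {"lodash": "^4.17.21"}})


def classify_npm_manifest(text):
    """Parse a package.json and say whether it describes a publishable package.

    Assumption of this example: a manifest is private when it carries
    ``"private": true`` or has no name (a lockfile-only / application
    manifest). Private manifests get neither a PURL nor a download URL.
    """
    data = json.loads(text)
    name = data.get("name")
    version = data.get("version")
    is_private = bool(data.get("private")) or not name
    result = {"name": name, "version": version, "is_private": is_private,
              "purl": None, "download_url": None}
    if is_private:
        return result
    # pkg:npm PURL: the scope's "@" is percent-encoded, the "/" is kept.
    encoded = quote(name, safe="/")
    result["purl"] = f"pkg:npm/{encoded}@{version}" if version else f"pkg:npm/{encoded}"
    if version:
        # Registry tarball layout: <name>/-/<unscoped name>-<version>.tgz
        basename = name.split("/")[-1]
        result["download_url"] = (
            f"https://registry.npmjs.org/{name}/-/{basename}-{version}.tgz"
        )
    return result


def pick_primary(classified):
    """Among co-located manifests (the 'multiple personality' case), return the
    first one that is not private; a build-convenience package.json never wins."""
    return next((m for m in classified if not m["is_private"]), None)
```

Running `classify_npm_manifest` over the Django sdist's package.json and a constructed PyPI record, then `pick_primary`, keeps the PyPI personality and drops the private npm one.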

@pombredanne
Member Author

Here is some reference info wrt. Pypi

AyanSinhaMahapatra added a commit that referenced this issue May 30, 2024
Reference: #3102
Reference: #1514
Signed-off-by: Ayan Sinha Mahapatra <[email protected]>
AyanSinhaMahapatra added a commit that referenced this issue May 30, 2024
Reference: #3102
Reference: #1514
Signed-off-by: Ayan Sinha Mahapatra <[email protected]>
AyanSinhaMahapatra added a commit that referenced this issue Jun 4, 2024
Reference: #3102
Reference: #1514
Signed-off-by: Ayan Sinha Mahapatra <[email protected]>