fix: ignore dependencies in virtualenv #9

dtrunley-snyk · 2021-02-07T20:40:19Z

Tests written and linted
Documentation written / README.md updated https://snyk.io/docs/snyk-for-node/
Follows CONTRIBUTING agreement
Commit history is tidy https://git-scm.com/book/en/v2/Git-Branching-Rebasing
Reviewed by Snyk team

What this does

Poetry uses the virtualenv to create an environment and this comes with these packages pre-installed, therefore they won't be listed in the lockfile as a dependency but it won't have its own metadata entry within the lockfile. This change prevents us trying to traverse the lockfile for those specific dependencies.
See: python-poetry/poetry#3075 (comment)

Also features a small refactor that better isolates the method to be able to test via unit tests rather than having to add a fixture for each scenario / writing custom manifest and lockfiles to mimic the scenario in a "unit" test, so it should make subsequent changes easier to test with less code. The refactor looks larger than it is as it involves the bulk of index being moved to a new file.

More information

LOKI-174

lib/poetry-dep-graph-builder.ts

admons · 2021-02-08T10:24:55Z

lib/poetry-dep-graph-builder.ts

+  pkgName: string,
+  pkgSpecs: PoetryLockFileDependency[],
+): PoetryLockFileDependency {
+  const pkgLockInfo = pkgSpecs.find((lockItem) => {


const pkgLockInfo = pkgSpecs.find((lockItem) => lockItem.name.toLowerCase() === pkgName.toLowerCase() );

Just to clarify, you mean to remove the return?

lib/poetry-dep-graph-builder.ts

admons

Please see my comments

admons · 2021-02-09T04:05:13Z

Looking great!

snyksec · 2021-02-10T12:24:10Z

🎉 This PR is included in version 1.1.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

refactor: isolate and export functionality for easier testing

010595a

dtrunley-snyk requested a review from admons February 7, 2021 20:40