node: Represent workspace submodules as Projects #9247
Merged
Commits on Oct 8, 2024
-
refactor(npm): Reduce the amount of
filterTo()sKeep `searchDirs` as a `Sequence`. Signed-off-by: Frank Viernau <[email protected]>
-
refactor(node): Use
Set<File>as the type for submodule directoriesThere can be no duplicate files in the same file system location. A `Set` better reflects those semantics. Signed-off-by: Frank Viernau <[email protected]>
-
refactor(npm): Use named arguments in a constructor call
Reduce the diff of an upcoming change. Signed-off-by: Frank Viernau <[email protected]>
-
chore(npm): Move a TODO comment above the function signature
Remove the need to worry about a good location within the function in upcoming changes of the function. Signed-off-by: Frank Viernau <[email protected]>
-
refactor(npm): Replace two
!!withcheckNotNull()Prepare for a following change. Signed-off-by: Frank Viernau <[email protected]>
-
fix(node): Represent workspace submodules as Projects
Previously, the submodules of any `Yarn` or `Pnpm` workspaces were represented as packages. This was inconsistent, because ORT normally represents any definition files found in the analyzed sources as a `Project`, not as a `Package`. Besides being inconsistent, the `Package` representation renders the `ort.yml` features unusable. For example, workspace submodules could not be excluded via path excludes. Furthermore, the previous implementation represented the workspace root project (in case of Pnpm) as both, as a `Package` and as a `Project`. Finally, the previous Package representation of a submodule did not have any reference from any project scope. As a consequnce, any (license) policy rules which operates only on non-excluded dependencies would have disregarded the submodules and their transitive dependencies, potentially leading to an incorrect underreporting of rule violations. Extend the `NpmModuleInfo` class by the flag `isProject` and make use of it in the `NpmDependencyHandler` for creating the packages and determining the linkage type. This change guarantees that `parsePackage()` is no more called for `Project`s, but only for `Package`s which is why the project-specific logic is dropped from `parsePackage()`. For projects the dedicated `parseProjects()` is now consistently used instead. As in the new representation there are no more unreferenced packages, the dependency handler does take care of creating all packages. So, the logic which calls `graph.addPackage()` for each module returned by `parseInstalledModules()` became unnecessary and is dropped. Note: This commit fixes multiple things at once, because it seemed too complicated to fix each issue separately due to various chicken-egg like problems. Fixes #9196, fixes #8940. Signed-off-by: Frank Viernau <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.