mirror of
https://github.com/safedep/vet.git
synced 2026-05-02 05:08:54 -05:00
* fix(lfp): don't flag npm aliased deps as lockfile poisoning
npm aliased dependencies ("foo": "npm:bar@1.2.3") install `bar` under
node_modules/foo and record the real package name in the lockfile's
`name` field. The analyzer was comparing the resolved URL against the
path-derived name, so legitimate aliased entries — e.g. @openai/codex
installed as @openai/codex-darwin-arm64 — were reported as poisoning.
Parse `name` and use it for the URL convention check when present;
fall back to the path-derived name otherwise.
* docs(lfp): add lockfile poisoning doc with npm alias limitation
Revert the insecure Name field fix and document npm aliased
dependencies as a known limitation with a workaround using
--lockfile-poisoning-trusted-urls.
* update flag
* fix: Disable on-demand malicious package scanning e2e tests
---------
Co-authored-by: Abhisek Datta <abhisek.datta@gmail.com>
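An added illustration (not vet's own code) of the check the first bullet describes and of why the reverted `name` fix was unsafe: it flags entries whose resolved tarball URL does not follow the registry convention for the path-derived name, so the aliased @openai/codex entry is reported unless its URL is trusted. The lockfile fragment is constructed, and treating trust as a URL prefix is an assumed stand-in for --lockfile-poisoning-trusted-urls.

```go
package main

import (
	"encoding/json"
	"net/url"
	"strings"
)

// Constructed package-lock.json v3 fragment; the second key is an npm alias of @openai/codex.
const sampleLock = `{"packages": {
 "node_modules/left-pad": {"resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
 "node_modules/@openai/codex-darwin-arm64": {"name": "@openai/codex",
   "resolved": "https://registry.npmjs.org/@openai/codex/-/codex-0.1.0.tgz"},
 "node_modules/lodash": {"resolved": "https://evil.example/download/lodash-4.17.21.tgz"}}}`

// pathName is the package name implied by the key: everything after the last node_modules/.
func pathName(key string) string {
	parts := strings.Split(key, "node_modules/")
	return parts[len(parts)-1]
}

// urlName extracts <name> from a registry tarball URL <registry>/<name>/-/<file>.tgz.
func urlName(resolved string) (string, bool) {
	u, err := url.Parse(resolved)
	if err != nil {
		return "", false
	}
	name, _, found := strings.Cut(strings.TrimPrefix(u.Path, "/"), "/-/")
	return name, found
}

// FindPoisoned returns the keys whose resolved URL does not follow the registry convention
// for the path-derived name. URLs starting with trustedPrefix (if non-empty) are skipped,
// standing in for a trusted-URL allowlist. The lockfile "name" field is parsed but
// deliberately not trusted: it sits in the same attacker-editable file as "resolved".
func FindPoisoned(lock []byte, trustedPrefix string) ([]string, error) {
	var lf struct{ Packages map[string]struct{ Name, Resolved string } }
	if err := json.Unmarshal(lock, &lf); err != nil {
		return nil, err
	}
	var flagged []string
	for key, e := range lf.Packages {
		if e.Resolved == "" || (trustedPrefix != "" && strings.HasPrefix(e.Resolved, trustedPrefix)) {
			continue // root entry without a tarball, or an explicitly trusted URL
		}
		if name, ok := urlName(e.Resolved); !ok || name != pathName(key) {
			flagged = append(flagged, key)
		}
	}
	return flagged, nil
}
```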