Snyk has created this PR to upgrade snyk-nodejs-lockfile-parser from 2.2.2 to 2.2.3.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 1 version ahead of your current version.
parker-snyk changed the title from "[Snyk] Upgrade snyk-nodejs-lockfile-parser from 2.2.2 to 2.2.3" to "fix: upgrade snyk-nodejs-lockfile-parser from 2.2.2 to 2.2.3" on Oct 27, 2025.
The dependency snyk-nodejs-lockfile-parser was updated to ^2.2.3 in package.json, but the corresponding package-lock.json changes are missing from the PR diff. This will likely cause npm ci to fail because the locked version (presumably 2.2.2) will not satisfy the new semantic version range >=2.2.3. Please ensure the updated lockfile is committed.
"snyk-nodejs-lockfile-parser": "^2.2.3",
The function stripUndefinedLabels has been changed to perform a full recursive tree conversion (convertPkgTreeToDepTree) rather than just stripping labels. The name is now misleading regarding both its behavior and its performance characteristics (O(N) traversal). Consider renaming it to something like adaptPkgTreeToDepTree or convertParserResultToDepTree to accurately reflect its new purpose.
The functions convertDependencies and convertLabels use any for their input arguments (dependencies and labels). Since snyk-nodejs-lockfile-parser provides typed interfaces (like PkgTree used in convertPkgTreeToDepTree), consider utilizing those specific types (e.g., PkgTree['dependencies'] or similar) to ensure type safety and catch potential upstream structure changes.
The function stripUndefinedLabels has been updated to call convertPkgTreeToDepTree, which performs a full recursive conversion and deep copy of the dependency tree. The function name implies a shallow operation (stripping labels) but now executes a potentially expensive O(N) tree traversal. Consider renaming it to something like normalizePkgTree or removing it in favor of calling convertPkgTreeToDepTree directly to accurately reflect its behavior.
The convertDependencies and convertLabels functions utilize explicit any types for their input parameters (dependencies and labels). To maintain type safety and avoid potential runtime errors with unexpected data structures, consider using the specific types exported by snyk-nodejs-lockfile-parser (e.g., PkgTree['dependencies'] or PkgTree['labels']) instead of any.
```typescript
// The file as shown in the PR's diff view, reflowed. The view starts partway through
// convertDependencies and ends partway through convertLabels; the imports and the
// opening line of convertDependencies are reconstructed from the names the code uses.
import * as lockFileParser from "snyk-nodejs-lockfile-parser";
import { LockfileType, NodeLockfileVersion } from "snyk-nodejs-lockfile-parser";
import { DepGraph, legacy } from "@snyk/dep-graph";

type DepTree = legacy.DepTree;
type DepTreeDep = legacy.DepTreeDep;

export function convertDependencies(dependencies?: {
  [depName: string]: any;
}): { [depName: string]: DepTreeDep } | undefined {
  if (!dependencies) {
    return undefined;
  }
  const convertedDeps: { [depName: string]: DepTreeDep } = {};
  for (const [depName, dep] of Object.entries(dependencies)) {
    convertedDeps[depName] = {
      name: dep.name,
      version: dep.version,
      dependencies: convertDependencies(dep.dependencies),
      labels: convertLabels(dep.labels),
    };
  }
  return convertedDeps;
}

// Despite its name, this now performs the full recursive conversion (see the review comments above).
function stripUndefinedLabels(parserResult: lockFileParser.PkgTree): DepTree {
  return convertPkgTreeToDepTree(parserResult);
}

async function buildDepGraph(
  manifestFileContents: string,
  lockFileContents: string,
  lockfileVersion: NodeLockfileVersion,
  shouldIncludeDevDependencies: boolean,
  shouldBeStrictForManifestAndLockfileOutOfSync: boolean,
): Promise<DepGraph> {
  switch (lockfileVersion) {
    case NodeLockfileVersion.YarnLockV1:
      return await lockFileParser.parseYarnLockV1Project(
        manifestFileContents,
        lockFileContents,
        {
          includeDevDeps: shouldIncludeDevDependencies,
          includeOptionalDeps: true,
          includePeerDeps: false,
          pruneLevel: "withinTopLevelDeps",
          strictOutOfSync: shouldBeStrictForManifestAndLockfileOutOfSync,
        },
      );
    case NodeLockfileVersion.YarnLockV2:
      return await lockFileParser.parseYarnLockV2Project(
        manifestFileContents,
        lockFileContents,
        {
          includeDevDeps: shouldIncludeDevDependencies,
          includeOptionalDeps: true,
          pruneWithinTopLevelDeps: true,
          strictOutOfSync: shouldBeStrictForManifestAndLockfileOutOfSync,
        },
      );
    case NodeLockfileVersion.NpmLockV2:
    case NodeLockfileVersion.NpmLockV3:
      return await lockFileParser.parseNpmLockV2Project(
        manifestFileContents,
        lockFileContents,
        {
          includeDevDeps: shouldIncludeDevDependencies,
          includeOptionalDeps: true,
          pruneCycles: true,
          strictOutOfSync: shouldBeStrictForManifestAndLockfileOutOfSync,
        },
      );
    case NodeLockfileVersion.PnpmLockV5:
    case NodeLockfileVersion.PnpmLockV6:
    case NodeLockfileVersion.PnpmLockV9:
      return await lockFileParser.parsePnpmProject(
        manifestFileContents,
        lockFileContents,
        {
          includeDevDeps: shouldIncludeDevDependencies,
          includeOptionalDeps: true,
          includePeerDeps: false,
          pruneWithinTopLevelDeps: true,
          strictOutOfSync: shouldBeStrictForManifestAndLockfileOutOfSync,
        },
        lockfileVersion,
      );
  }
  throw new Error(
    "Failed to build dep graph from current project, unknown lockfile version : " +
      lockfileVersion.toString() +
      ".",
  );
}

async function buildDepGraphFromDepTree(
  manifestFileContents: string,
  lockFileContents: string,
  lockfileType: LockfileType,
  shouldIncludeDevDependencies: boolean,
  shouldBeStrictForManifestAndLockfileOutOfSync: boolean,
) {
  const parserResult = await lockFileParser.buildDepTree(
    manifestFileContents,
    lockFileContents,
    shouldIncludeDevDependencies,
    lockfileType,
    shouldBeStrictForManifestAndLockfileOutOfSync,
    // Don't provide a default manifest file name, prefer the parser to infer it.
  );
  const strippedLabelsParserResult = stripUndefinedLabels(parserResult);
  return await legacy.depTreeToGraph(strippedLabelsParserResult, lockfileType);
}

export function convertPkgTreeToDepTree(
  pkgTree: lockFileParser.PkgTree,
): DepTree {
  return {
    name: pkgTree.name,
    version: pkgTree.version,
    dependencies: convertDependencies(pkgTree.dependencies),
    labels: convertLabels(pkgTree.labels),
    type: pkgTree.type,
    packageFormatVersion: pkgTree.packageFormatVersion,
  };
}

export function convertLabels(labels?: any,
// (the diff view ends here, partway through the convertLabels signature)
```
The normalizeDependencies function uses recursion to traverse the dependency tree. While snyk-nodejs-lockfile-parser typically produces trees, if the input pkgTree (which can also come from resolveDeps reading node_modules) contains circular references (e.g. via symlinks not handled by the parser/resolver), this could lead to a stack overflow. Ensure that the input trees are guaranteed to be acyclic, or consider adding a visited set to the normalization logic.
In normalizeDependencies, the dependencies parameter and return type use any ({ [depName: string]: any }). Since lockFileParser.PkgTree is available (imported and used elsewhere), consider using the specific type for dependencies (e.g., lockFileParser.Dependencies) to improve type safety and clarity regarding what properties are expected on the dependency objects.
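As an added illustration of the cycle concern raised in the review above (example code, not the PR's code and not snyk-nodejs-lockfile-parser's), a normalization pass that tracks the nodes on the current recursion path and emits a pruned leaf instead of descending when it meets a back-edge, so a cyclic input cannot overflow the stack. The PkgNode/DepNode types are simplified stand-ins for the parser's PkgTree and @snyk/dep-graph's DepTree, and the `pruned: 'cyclic'` label is a convention chosen here.

```typescript
// Added example, not code from the PR or from snyk-nodejs-lockfile-parser. PkgNode/DepNode are
// simplified stand-ins for the parser's PkgTree and @snyk/dep-graph's DepTree.
interface PkgNode {
  name: string;
  version?: string;
  labels?: { [key: string]: string | undefined };
  dependencies?: { [depName: string]: PkgNode };
}
interface DepNode {
  name: string;
  version?: string;
  labels?: { [key: string]: string };
  dependencies?: { [depName: string]: DepNode };
}

// Drop label entries whose value is undefined (what stripUndefinedLabels was named for).
export function convertLabels(labels?: PkgNode['labels']): DepNode['labels'] {
  if (!labels) return undefined;
  const out: { [key: string]: string } = {};
  for (const [key, value] of Object.entries(labels)) {
    if (value !== undefined) out[key] = value;
  }
  return out;
}

// Recursive conversion guarded by the set of nodes on the current DFS path.
// A dependency already on the path is a cycle back-edge: emit a pruned leaf instead
// of recursing, so cyclic input cannot overflow the stack. Diamonds are still expanded.
export function normalizeDependencies(node: PkgNode, onPath: Set<PkgNode> = new Set()): DepNode {
  const out: DepNode = { name: node.name, version: node.version, labels: convertLabels(node.labels) };
  if (!node.dependencies) return out;
  onPath.add(node);
  const deps: { [depName: string]: DepNode } = {};
  for (const [depName, dep] of Object.entries(node.dependencies)) {
    deps[depName] = onPath.has(dep)
      ? { name: dep.name, version: dep.version, labels: { pruned: 'cyclic' } }
      : normalizeDependencies(dep, onPath);
  }
  onPath.delete(node);
  out.dependencies = deps;
  return out;
}

// Constructed sample: a -> b -> a, the shape a symlinked node_modules can produce.
export function sampleCycle(): PkgNode {
  const a: PkgNode = { name: 'a', version: '1.0.0', labels: { scope: 'prod', pruned: undefined } };
  const b: PkgNode = { name: 'b', version: '2.0.0' };
  a.dependencies = { b };
  b.dependencies = { a };
  return a;
}
```

Without the `onPath` guard, `normalizeDependencies(sampleCycle())` recurses a -> b -> a -> b ... until the stack is exhausted; with it, the result is a finite tree whose back-edge is a labelled leaf.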
The recommended version was released 21 days ago.
Release notes
Package name: snyk-nodejs-lockfile-parser
- 2.2.3 - 2025-10-03 (Bug Fixes)
  - aliases in depgraph names instead of mutating lockfiles (7e9c94a)
  - lodash import issue (350bfa9)
- 2.2.2 - 2025-07-07 (Bug Fixes)
  - handle direct dep alias references in transitive deps - npm and yarn (00dc971)
from snyk-nodejs-lockfile-parser GitHub release notes
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information: