
after-the-fact component deduplication

Open
No due date
Last updated Nov 17, 2022
40% complete

PLEASE READ THE FOLLOWING DESCRIPTION IN FULL FIRST


caused by https://owasp.slack.com/archives/C6R3R32H4/p1667674523556749
caused by CycloneDX/cyclonedx-node-npm#233


Node.js's module system is file-system based, and its resolution works independently of declared package dependencies.
When code in module "foo" requires code from a different module "bar", Node first looks in "foo"'s own, direct "node_modules" folder (depth 1). If no "bar" is found there, Node walks up the directory tree and repeats the lookup in each ancestor's "node_modules" until it finds a "bar".

Let's look at the following simple file trees:

  • my-app 
    |- node_modules
       |- foo
       |- bar
    
  • my-app 
    |- node_modules
       |- foo
          |- node_modules
             |- bar
    
  • my-app 
    |- node_modules
       |- bar
          |- node_modules
             |- foo
    

What about a situation where "bar" is installed multiple times?

  • my-app 
    |- node_modules
       |- bar
       |- foo
          |- node_modules
             |- bar
    

This is the problem to be solved: how can this "bar" be de-duplicated in the SBOM?
Is it possible at all? Let's discuss and evaluate via CycloneDX/cyclonedx-node-npm#307.
