
fix: use commit query for npm packages resolved from git URLs#2863

Open
johnsaurabh wants to merge 2 commits into
google:mainfrom
johnsaurabh:fix/yarn-git-dep-npm-ecosystem-query

Conversation

@johnsaurabh

Overview

Fixes #2850

pkgToQuery queried OSV.dev by npm ecosystem+name for all npm-ecosystem packages, including those resolved from git URLs in yarn.lock. These packages were never published to the npm registry, so the query returns false positives from unrelated packages that share the same name on npm.

Details

The yarnlock extractor already populates SourceCode.Commit for git-pinned dependencies via commitextractor.TryExtractCommit. When a commit hash is present for an npm-ecosystem package, pkgToQuery now returns a commit query instead of an ecosystem query.

```go
if imodels.Commit(pkg) != "" && imodels.Ecosystem(pkg).Ecosystem == osvconstants.EcosystemNPM {
	return &api.Query{
		Param: &api.Query_Commit{
			Commit: imodels.Commit(pkg),
		},
	}
}
```

The gate is specific to npm. Other ecosystems are unaffected.
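The following is an added, self-contained example and not code from this PR or from osv-scanner. It models the gate described above on a simplified package type (the `Package`, `Query` and `Ecosystem` types, the `CommitFromResolved` stand-in for the yarnlock extractor's commit extraction, the assumed `git+https://...git#<sha>` form of a yarn.lock `resolved` value, and the sample commit hash are all assumptions), and shows why only the npm-plus-commit combination switches to a commit query.

```go
package main

import (
	"fmt"
	"strings"
)

// Ecosystem names as OSV.dev expects them; EcosystemNPM mirrors the
// constant the PR gates on (assumed values, not the scanner's own types).
type Ecosystem string

const (
	EcosystemNPM  Ecosystem = "npm"
	EcosystemPyPI Ecosystem = "PyPI"
)

// Package is a simplified stand-in for the scanner's package model.
// Commit stays empty unless the lockfile resolved the package from a git URL.
type Package struct {
	Name      string
	Version   string
	Ecosystem Ecosystem
	Commit    string
}

// QueryKind distinguishes the two OSV.dev /v1/query request shapes.
type QueryKind string

const (
	QueryByPackage QueryKind = "package" // {"package": {"name", "ecosystem"}, "version"}
	QueryByCommit  QueryKind = "commit"  // {"commit": "<sha>"}
)

// Query holds whichever parameters the chosen request shape uses.
type Query struct {
	Kind      QueryKind
	Commit    string
	Name      string
	Ecosystem Ecosystem
	Version   string
}

// SampleCommit is a constructed 40-hex placeholder, not a real upstream commit.
const SampleCommit = "0123456789abcdef0123456789abcdef01234567"

// CommitFromResolved is a simplified stand-in for the commit extraction the
// yarnlock extractor performs: it takes a yarn.lock "resolved" value and
// returns the commit from the URL fragment when the entry points at a git URL
// (assumed form: git+https://host/org/repo.git#<40 lowercase hex chars>).
// Registry tarballs (https://registry.yarnpkg.com/...#<hash>) yield "".
func CommitFromResolved(resolved string) string {
	if !strings.HasPrefix(resolved, "git+") {
		return ""
	}
	i := strings.LastIndex(resolved, "#")
	if i < 0 {
		return ""
	}
	frag := resolved[i+1:]
	if len(frag) != 40 {
		return ""
	}
	for _, c := range frag {
		if !strings.ContainsRune("0123456789abcdef", c) {
			return ""
		}
	}
	return frag
}

// PkgToQuery chooses the query shape. A git-pinned npm package was never
// published to the registry, so a name-based lookup would match an unrelated
// package of the same name; scoping to the commit avoids that false positive.
// The gate is npm-specific, so other ecosystems keep the package query even
// when a commit is known.
func PkgToQuery(pkg Package) Query {
	if pkg.Commit != "" && pkg.Ecosystem == EcosystemNPM {
		return Query{Kind: QueryByCommit, Commit: pkg.Commit}
	}
	return Query{
		Kind:      QueryByPackage,
		Name:      pkg.Name,
		Ecosystem: pkg.Ecosystem,
		Version:   pkg.Version,
	}
}

func main() {
	// Constructed entries standing in for two yarn.lock records.
	registry := Package{Name: "lodash", Version: "4.17.21", Ecosystem: EcosystemNPM,
		Commit: CommitFromResolved("https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#deadbeef")}
	gitPinned := Package{Name: "closure-net", Ecosystem: EcosystemNPM,
		Commit: CommitFromResolved("git+https://github.com/example/closure-net.git#" + SampleCommit)}
	for _, p := range []Package{registry, gitPinned} {
		fmt.Printf("%-12s -> %+v\n", p.Name, PkgToQuery(p))
	}
}
```

Running it prints a package query for `lodash` and a commit query for `closure-net`; a PyPI package with the same commit set still gets a package query because the gate checks the ecosystem, not only the presence of a commit.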

Testing

  • Added `TestPkgToQuery` with two cases: a regular npm package (uses ecosystem query) and a git-pinned npm package (uses commit query).
  • Tested against the `closure-net` entry from the issue. Without the fix it reports `MAL-2026-276` as a false positive. With the fix, no vulnerabilities are reported.
  • All existing tests pass.

Checklist

  • I have signed the Contributor License Agreement.
  • I have run the linter using `./scripts/run_lints.sh`.
  • I have run the unit tests using `./scripts/run_tests.sh`.
  • I have made my commits and PR title follow the Conventional Commits specification.

Packages from yarn.lock that are pinned to a git URL (e.g.
resolved via git+https://) carry ecosystem=npm because that
reflects the file they were found in, but they were never
published to the npm registry. Querying OSV.dev by npm
ecosystem+name produces false positive matches against
unrelated packages that happen to share the same name on npm.

The yarnlock extractor already populates SourceCode.Commit for
these dependencies via commitextractor.TryExtractCommit. When
a commit hash is present for an npm-ecosystem package, use a
commit query instead so the lookup is scoped to the actual
upstream git commit.

Fixes google#2850

Verify that regular npm packages continue to use ecosystem
queries, and that npm packages with a populated commit hash
(git-pinned via yarn.lock) use a commit query instead.

Development

Successfully merging this pull request may close these issues.

npm finding for git package on yarn.lock - false positive?