Implement a "dealias_packages" flag for npm file parsing#15070
Merged
Pull request overview
Adds a dealias_packages option to FileParsers::Base so that aliased npm/yarn/pnpm packages can be parsed under their real package name (instead of being skipped). The npm_and_yarn ecosystem implements this across manifest parsing and all three lockfile parsers, and the npm_and_yarn dependency grapher opts in via the new dealias_packages! mutator so security/license scanning sees the underlying packages.
Changes:
- New `dealias_packages!` flag on `FileParsers::Base` that toggles a `:dealias_packages` option.
- npm_and_yarn manifest, JSON lock, yarn lock, and pnpm lock parsers now emit dependencies under the real package name when the flag is set.
- `Dependabot::NpmAndYarn::DependencyGrapher#prepare!` enables the flag for graph jobs; added fixtures and spec coverage for npm/yarn/pnpm alias scenarios.
Show a summary per file
| File | Description |
|---|---|
| common/lib/dependabot/file_parsers/base.rb | Adds shared dealias_packages! setter on options. |
| npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb | Adds dealias_packages?, manifest alias rewriting, and propagates flag to lockfile parser. |
| npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb | Threads dealias_packages into per-lockfile parsers. |
| npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb | Uses details["name"] to resolve aliased entries when flag enabled. |
| npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb | Emits real package name for name@npm:real@ver reqs when flag enabled. |
| npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb | Stops skipping aliased entries when flag enabled. |
| npm_and_yarn/lib/dependabot/npm_and_yarn/dependency_grapher.rb | Calls file_parser.dealias_packages! in prepare!. |
| npm_and_yarn/spec/dependabot/npm_and_yarn/file_parser_spec.rb | Tests manifest/lockfile alias handling with and without flag. |
| npm_and_yarn/spec/dependabot/npm_and_yarn/file_parser/lockfile_parser_spec.rb | Tests lockfile parser alias handling. |
| npm_and_yarn/spec/dependabot/npm_and_yarn/dependency_grapher_spec.rb | Verifies grapher resolves aliased packages for npm/yarn/pnpm. |
| npm_and_yarn/spec/fixtures/projects/grapher/{npm,yarn,pnpm}_with_alias/* | New fixture projects with aliased dependencies. |
| npm_and_yarn/spec/fixtures/projects/npm8/aliased_dependency_no_lockfile/package.json | Fixture for alias-without-lockfile parser test. |
Copilot's findings
Files not reviewed (2)
- npm_and_yarn/spec/fixtures/projects/grapher/npm_with_alias/package-lock.json: Language not supported
- npm_and_yarn/spec/fixtures/projects/grapher/pnpm_with_alias/pnpm-lock.yaml: Language not supported
- Files reviewed: 14/17 changed files
- Comments generated: 0
jakecoffman reviewed May 20, 2026
jakecoffman previously approved these changes May 21, 2026
jakecoffman approved these changes May 21, 2026
What are you trying to accomplish?
When we are parsing files for update jobs, aliases represent something an Update doesn't have a clear strategy to handle so they are ignored.
For graphing purposes, ignoring aliases presents a risk as it means we do not notice any vulnerabilities or licences related to the package being aliased which can have implications for a project's compliance posture.
To solve this problem without modifying updater behaviour, this PR does the following:
- `dealias_packages!` flag on `FileParsers`
- `npm_and_yarn` package to implement behaviour when this flag is set up for npm, yarn and pnpm projects
- `npm_and_yarn` grapher to set the `dealias_packages!` flag on the FileParser layer

Note: This pass is focused on ensuring we align with existing Dependency Graph behaviour. A future improvement would be to extract the alias name as metadata, but we'd need wiring to use it, so I'm not addressing this for now.
Anything you want to highlight for special attention from reviewers?
For now, this behaviour is unique to npm, but I plan to backport it to `go_modules` to ensure we apply this dealiasing strategy consistently, modulo some ecosystem corners.
How will you know you've accomplished your goal?
When I process an npm package that uses an alias statement, the snapshot correctly identifies the underlying 'real' package instead of omitting it entirely.
Checklist
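To make the alias handling described in the overview and in the PR description concrete, here is a small stand-alone Ruby illustration (added here; not dependabot-core's parser and not the PR's code) of the two behaviours a `dealias_packages` flag toggles: with the flag off, aliased `npm:real@range` entries are skipped, as update jobs do today; with the flag on, they are emitted under the real package name so vulnerability and licence checks see it. The manifest, the yarn.lock key format and the helper names are constructed assumptions for the example.

```ruby
require "json"

# Constructed sample manifest (not one of the PR's fixtures). "lodash-legacy" and
# "my-types" are aliases; "express" is a plain dependency.
SAMPLE_PACKAGE_JSON = <<~JSON
  {
    "dependencies": {
      "express": "^4.18.0",
      "lodash-legacy": "npm:lodash@^3.10.0",
      "my-types": "npm:@types/node@^20.0.0"
    }
  }
JSON

# Matches the npm alias specifier "npm:<real-name>@<range>". The real name may be
# scoped ("@scope/name"), so a leading "@" is allowed before the first separator.
ALIAS_RE = /\Anpm:(?<name>@?[^@]+)@(?<req>.+)\z/

# Returns [real_name, range] for an alias specifier, nil for a normal requirement.
def parse_alias(requirement)
  m = ALIAS_RE.match(requirement)
  m && [m[:name], m[:req]]
end

# Returns an array of { name:, requirement:, aliased_as: } hashes.
# dealias: false  -> aliased entries are dropped (the update-job behaviour).
# dealias: true   -> aliased entries are reported under the real package name,
#                    keeping the declared alias as metadata.
def parse_dependencies(manifest_json, dealias: false)
  deps = JSON.parse(manifest_json).fetch("dependencies", {})
  deps.filter_map do |declared_name, requirement|
    real_name, range = parse_alias(requirement)
    if real_name.nil?
      { name: declared_name, requirement: requirement, aliased_as: nil }
    elsif dealias
      { name: real_name, requirement: range, aliased_as: declared_name }
    end
  end
end

# A yarn.lock entry key for an alias looks like "lodash-legacy@npm:lodash@^3.10.0"
# (assumed format for this example): split off the declared name, then reuse
# parse_alias on the remainder. Non-alias keys are returned unchanged.
def dealias_yarn_key(key)
  declared, spec = key.match(/\A(@?[^@]+)@(.+)\z/).captures
  real, range = parse_alias(spec)
  return { name: declared, requirement: spec, aliased_as: nil } unless real

  { name: real, requirement: range, aliased_as: declared }
end
```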