From 72f765cf0a28f16ce03ce15dba677930dac8759c Mon Sep 17 00:00:00 2001
From: Ayush7614
Date: Fri, 5 Jun 2026 16:01:05 +0530
Subject: [PATCH] Add pnpm-aliased-chain regression fixture for Discussion #528
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Minimal pnpm v9 lockfile reproducing the formisch/vm2 alias bug: deep transitive vm2@3.9.19 through @remix-run/dev → @vercel/remix-run-dev. Path resolution must keep the real package name and suggest pnpm add vercel.
---
 examples/pnpm-aliased-chain/package.json | 10 +++++++
 examples/pnpm-aliased-chain/pnpm-lock.yaml | 31 ++++++++++++++++++++++
 examples/readme.md | 4 +++
 3 files changed, 45 insertions(+)
 create mode 100644 examples/pnpm-aliased-chain/package.json
 create mode 100644 examples/pnpm-aliased-chain/pnpm-lock.yaml

diff --git a/examples/pnpm-aliased-chain/package.json b/examples/pnpm-aliased-chain/package.json
new file mode 100644
index 0000000..3795518
--- /dev/null
+++ b/examples/pnpm-aliased-chain/package.json
@@ -0,0 +1,10 @@
+{
+ "name": "cve-lite-example-pnpm-aliased-chain",
+ "version": "1.0.0",
+ "private": true,
+ "description": "pnpm v9 regression fixture: deep transitive chain through an aliased intermediate (@remix-run/dev → @vercel/remix-run-dev) — path resolution and parent upgrade must stay correct.",
+ "license": "MIT",
+ "dependencies": {
+ "vercel": "32.0.0"
+ }
+}
diff --git a/examples/pnpm-aliased-chain/pnpm-lock.yaml b/examples/pnpm-aliased-chain/pnpm-lock.yaml
new file mode 100644
index 0000000..de0190b
--- /dev/null
+++ b/examples/pnpm-aliased-chain/pnpm-lock.yaml
@@ -0,0 +1,31 @@
+lockfileVersion: '9.0'
+
+importers:
+ .:
+ dependencies:
+ vercel:
+ specifier: 32.0.0
+ version: 32.0.0
+
+packages:
+ vercel@32.0.0:
+ resolution: {integrity: sha512-placeholder}
+ engines: {node: '>= 16'}
+ '@vercel/remix-builder@2.0.0':
+ resolution: {integrity: sha512-placeholder}
+ '@vercel/remix-run-dev@1.16.1':
+ resolution: {integrity: sha512-placeholder}
+ vm2@3.9.19:
+ resolution: {integrity: sha512-placeholder}
+
+snapshots:
+ vercel@32.0.0:
+ dependencies:
+ '@vercel/remix-builder': 2.0.0
+ '@vercel/remix-builder@2.0.0':
+ dependencies:
+ '@remix-run/dev': '@vercel/remix-run-dev@1.16.1'
+ '@vercel/remix-run-dev@1.16.1':
+ dependencies:
+ vm2: 3.9.19
+ vm2@3.9.19: {}
diff --git a/examples/readme.md b/examples/readme.md
index ca9ec18..af350a7 100644
--- a/examples/readme.md
+++ b/examples/readme.md
@@ -21,7 +21,9 @@ Small curated projects committed to the repository. Clone the repo and scan imme
 | `bun-simple` | Bun | Minimal Bun lockfile with a direct and transitive vulnerability. |
 | `bun-workspace` | Bun (workspace) | Bun workspace monorepo with workspace-scoped fix commands. |
 | `pnpm-simple` | pnpm | Minimal pnpm v9 lockfile with a single direct vulnerability. |
+| `pnpm-aliased-chain` | pnpm | Deep transitive chain through a pnpm v9 aliased intermediate — path resolution must use the real package name. |
 | `pnpm-workspace` | pnpm (workspace) | pnpm workspace monorepo with workspace-scoped fix commands. |
+| `wrong-parent` | npm | 3-level transitive chain where the immediate parent's range already covers the fix — expects `npm update js-cookie`, not a parent bump. |
 | `no-findings` | npm | Clean project with no known vulnerabilities — demonstrates success output. |
 | `lima-site` | npm | Dev-dependency scanning in a documentation site. |
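Review bot: The outcome this fixture exists to pin — a finding path that keeps the real name `@vercel/remix-run-dev@1.16.1` between `@vercel/remix-builder@2.0.0` and `vm2@3.9.19`, and `pnpm add vercel` as the suggested fix — is stated only in the commit message and the readme row; nothing in the patch asserts it, so the Discussion #528 regression could reappear without any check failing. Consider adding a test that loads `examples/pnpm-aliased-chain/pnpm-lock.yaml` and asserts both the resolved path and the fix command (the repository's test layout is not visible from this hunk, so the exact shape is left to the project). The four `sha512-placeholder` integrity values are not well-formed SRI strings; if the parser validates or surfaces integrity, this fixture will behave differently from a real lockfile, so either a constructed but well-formed `sha512-<base64>` value or a readme remark that the hashes are intentionally bogus would avoid confusion. The alias form `'@remix-run/dev': '@vercel/remix-run-dev@1.16.1'` under snapshots matches pnpm v9's alias notation as far as I can tell, so the chain itself looks right.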
@@ -143,7 +145,9 @@ node dist/index.js examples/yarn-classic --verbose
 node dist/index.js examples/bun-simple --verbose
 node dist/index.js examples/bun-workspace --verbose
 node dist/index.js examples/pnpm-simple --verbose
+node dist/index.js examples/pnpm-aliased-chain --verbose
 node dist/index.js examples/pnpm-workspace --verbose
+node dist/index.js examples/wrong-parent --verbose
 node dist/index.js examples/no-findings
 node dist/index.js examples/lima-site --verbose