Fix Npm Transitive Dependency Calculation (#1617)

RushabhBhansali · Copilot · web-flow · commit dbff730ea5e1 · 2026-01-28T16:00:26.000-08:00
* Fix depedency duplication logic. Avoid duplicate parent-dependency pairs only. * added test * circular dependency test * removed redundant file * updated detector version * Add assertions to IsDependencyOfExplicitlyReferencedComponents test calls (#1618) * Initial plan * Add assertions to IsDependencyOfExplicitlyReferencedComponents calls in circular dependency test Co-authored-by: RushabhBhansali <24465841+RushabhBhansali@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: RushabhBhansali <24465841+RushabhBhansali@users.noreply.github.com> Co-authored-by: Rushabh <rbhansali@microsoft.com> --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: RushabhBhansali <24465841+RushabhBhansali@users.noreply.github.com>
diff --git a/src/Microsoft.ComponentDetection.Detectors/npm/NpmLockfile3Detector.cs b/src/Microsoft.ComponentDetection.Detectors/npm/NpmLockfile3Detector.cs
@@ -38,7 +38,7 @@ public NpmLockfile3Detector(IPathUtilityService pathUtilityService)
 
     public override string Id => "NpmLockfile3";
 
-    public override int Version => 2;
+    public override int Version => 3;
 
     protected override bool IsSupportedLockfileVersion(int lockfileVersion) => lockfileVersion == 3;
 
@@ -91,7 +91,11 @@ protected override void ProcessLockfile(
                 continue;
             }
 
-            var previouslyAddedComponents = new HashSet<string> { component.Id };
+            // Track component-parent pairs instead of just component IDs
+            var previouslyAddedComponentParents = new HashSet<(string ComponentId, string? ParentId)>
+            {
+                (component.Id, null),
+            };
             var subQueue = new Queue<(string Path, PackageLockV3Package Package, TypedComponent Parent)>();
 
             // Record the top-level component
@@ -107,12 +111,19 @@ protected override void ProcessLockfile(
                 var subName = NpmComponentUtilities.GetModuleName(subPath);
 
                 var subComponent = this.CreateComponent(subName, subPackage.Version, subPackage.Integrity);
-                if (subComponent is null || previouslyAddedComponents.Contains(subComponent.Id))
+                if (subComponent is null)
+                {
+                    continue;
+                }
+
+                // Only skip if this exact component-parent relationship was already added
+                var componentParentPair = (subComponent.Id, parentComponent.Id);
+                if (previouslyAddedComponentParents.Contains(componentParentPair))
                 {
                     continue;
                 }
 
-                previouslyAddedComponents.Add(subComponent.Id);
+                previouslyAddedComponentParents.Add(componentParentPair);
 
                 this.RecordComponent(singleFileComponentRecorder, subComponent, subPackage.Dev ?? false, component, parentComponent.Id);
 
diff --git a/test/Microsoft.ComponentDetection.Detectors.Tests/NpmLockfile3DetectorTests.cs b/test/Microsoft.ComponentDetection.Detectors.Tests/NpmLockfile3DetectorTests.cs
@@ -369,4 +369,231 @@ public async Task TestNpmDetector_PackageLockMissingPackagesProperty_ShouldNotTh
         var detectedComponents = componentRecorder.GetDetectedComponents();
         detectedComponents.Should().BeEmpty(); // No dependencies should be detected since packages is missing
     }
+
+    [TestMethod]
+    public async Task TestNpmDetector_SameComponentWithDifferentParents_BothPathsRecordedAsync()
+    {
+        // This test verifies that if we have both a->b->c and a->c dependency paths,
+        // both relationships are recorded (c appears twice with different parents)
+        var componentA = (Name: "componentA", Version: "1.0.0");
+        var componentB = (Name: "componentB", Version: "1.0.0");
+        var componentC = (Name: "componentC", Version: "1.0.0");
+
+        var packageLockJson = @"{{
+                ""name"": ""test"",
+                ""version"": ""0.0.0"",
+                ""lockfileVersion"": 3,
+                ""requires"": true,
+                ""packages"": {{
+                    """": {{
+                        ""name"": ""test"",
+                        ""version"": ""0.0.0"",
+                        ""dependencies"": {{
+                            ""{0}"": ""{1}""
+                        }}
+                    }},
+                    ""node_modules/{0}"": {{
+                        ""version"": ""{1}"",
+                        ""resolved"": ""https://registry.npmjs.org/{0}/-/{0}-{1}.tgz"",
+                        ""integrity"": ""sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="",
+                        ""dependencies"": {{
+                            ""{2}"": ""{3}"",
+                            ""{4}"": ""{5}""
+                        }}
+                    }},
+                    ""node_modules/{2}"": {{
+                        ""version"": ""{3}"",
+                        ""resolved"": ""https://registry.npmjs.org/{2}/-/{2}-{3}.tgz"",
+                        ""integrity"": ""sha512-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="",
+                        ""dependencies"": {{
+                            ""{4}"": ""{5}""
+                        }}
+                    }},
+                    ""node_modules/{4}"": {{
+                        ""version"": ""{5}"",
+                        ""resolved"": ""https://registry.npmjs.org/{4}/-/{4}-{5}.tgz"",
+                        ""integrity"": ""sha512-CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=""
+                    }}
+                }}
+            }}";
+
+        var packageLockTemplate = string.Format(
+            packageLockJson,
+            componentA.Name,
+            componentA.Version,
+            componentB.Name,
+            componentB.Version,
+            componentC.Name,
+            componentC.Version);
+
+        var packageJson = @"{{
+                ""name"": ""test"",
+                ""version"": ""0.0.0"",
+                ""dependencies"": {{
+                    ""{0}"": ""{1}""
+                }}
+            }}";
+
+        var packageJsonTemplate = string.Format(
+            packageJson,
+            componentA.Name,
+            componentA.Version);
+
+        var (scanResult, componentRecorder) = await this.DetectorTestUtility
+            .WithFile(this.packageLockJsonFileName, packageLockTemplate, this.packageLockJsonSearchPatterns)
+            .WithFile(this.packageJsonFileName, packageJsonTemplate, this.packageJsonSearchPattern)
+            .ExecuteDetectorAsync();
+
+        scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);
+
+        var detectedComponents = componentRecorder.GetDetectedComponents().ToList();
+        detectedComponents.Should().HaveCount(3);
+
+        // Get component IDs
+        var componentAId = detectedComponents.First(c => ((NpmComponent)c.Component).Name.Equals(componentA.Name)).Component.Id;
+        var componentBId = detectedComponents.First(c => ((NpmComponent)c.Component).Name.Equals(componentB.Name)).Component.Id;
+        var componentCId = detectedComponents.First(c => ((NpmComponent)c.Component).Name.Equals(componentC.Name)).Component.Id;
+
+        var dependencyGraph = componentRecorder.GetDependencyGraphsByLocation().Values.First();
+
+        // Verify a->b and a->c relationships exist
+        var aDependencies = dependencyGraph.GetDependenciesForComponent(componentAId);
+        aDependencies.Should().HaveCount(2);
+        aDependencies.Should().Contain(componentBId);
+        aDependencies.Should().Contain(componentCId);
+
+        // Verify b->c relationship exists
+        var bDependencies = dependencyGraph.GetDependenciesForComponent(componentBId);
+        bDependencies.Should().HaveCount(1);
+        bDependencies.Should().Contain(componentCId);
+
+        // Verify c has no dependencies
+        var cDependencies = dependencyGraph.GetDependenciesForComponent(componentCId);
+        cDependencies.Should().BeEmpty();
+
+        // Verify that c appears as a child of both a and b
+        var parentsOfC = dependencyGraph.GetAncestors(componentCId);
+        parentsOfC.Should().HaveCount(2);
+        parentsOfC.Should().Contain(componentAId);
+        parentsOfC.Should().Contain(componentBId);
+    }
+
+    [TestMethod]
+    public async Task TestNpmDetector_CircularDependency_HandledGracefullyAsync()
+    {
+        // This test verifies that circular dependencies (a->b->c->a) are handled without infinite loops
+        // NPM can have circular dependencies in rare cases with peer dependencies or symlinks
+        var componentA = (Name: "componentA", Version: "1.0.0");
+        var componentB = (Name: "componentB", Version: "1.0.0");
+        var componentC = (Name: "componentC", Version: "1.0.0");
+
+        var packageLockJson = @"{{
+                ""name"": ""test"",
+                ""version"": ""0.0.0"",
+                ""lockfileVersion"": 3,
+                ""requires"": true,
+                ""packages"": {{
+                    """": {{
+                        ""name"": ""test"",
+                        ""version"": ""0.0.0"",
+                        ""dependencies"": {{
+                            ""{0}"": ""{1}""
+                        }}
+                    }},
+                    ""node_modules/{0}"": {{
+                        ""version"": ""{1}"",
+                        ""resolved"": ""https://registry.npmjs.org/{0}/-/{0}-{1}.tgz"",
+                        ""integrity"": ""sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="",
+                        ""dependencies"": {{
+                            ""{2}"": ""{3}""
+                        }}
+                    }},
+                    ""node_modules/{2}"": {{
+                        ""version"": ""{3}"",
+                        ""resolved"": ""https://registry.npmjs.org/{2}/-/{2}-{3}.tgz"",
+                        ""integrity"": ""sha512-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="",
+                        ""dependencies"": {{
+                            ""{4}"": ""{5}""
+                        }}
+                    }},
+                    ""node_modules/{4}"": {{
+                        ""version"": ""{5}"",
+                        ""resolved"": ""https://registry.npmjs.org/{4}/-/{4}-{5}.tgz"",
+                        ""integrity"": ""sha512-CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="",
+                        ""dependencies"": {{
+                            ""{0}"": ""{1}""
+                        }}
+                    }}
+                }}
+            }}";
+
+        var packageLockTemplate = string.Format(
+            packageLockJson,
+            componentA.Name,
+            componentA.Version,
+            componentB.Name,
+            componentB.Version,
+            componentC.Name,
+            componentC.Version);
+
+        var packageJson = @"{{
+                ""name"": ""test"",
+                ""version"": ""0.0.0"",
+                ""dependencies"": {{
+                    ""{0}"": ""{1}""
+                }}
+            }}";
+
+        var packageJsonTemplate = string.Format(
+            packageJson,
+            componentA.Name,
+            componentA.Version);
+
+        var (scanResult, componentRecorder) = await this.DetectorTestUtility
+            .WithFile(this.packageLockJsonFileName, packageLockTemplate, this.packageLockJsonSearchPatterns)
+            .WithFile(this.packageJsonFileName, packageJsonTemplate, this.packageJsonSearchPattern)
+            .ExecuteDetectorAsync();
+
+        // The detector should handle circular dependencies gracefully without hanging or throwing
+        scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);
+
+        var detectedComponents = componentRecorder.GetDetectedComponents().ToList();
+        detectedComponents.Should().HaveCount(3);
+
+        // Get component IDs
+        var componentAId = detectedComponents.First(c => ((NpmComponent)c.Component).Name.Equals(componentA.Name)).Component.Id;
+        var componentBId = detectedComponents.First(c => ((NpmComponent)c.Component).Name.Equals(componentB.Name)).Component.Id;
+        var componentCId = detectedComponents.First(c => ((NpmComponent)c.Component).Name.Equals(componentC.Name)).Component.Id;
+
+        var dependencyGraph = componentRecorder.GetDependencyGraphsByLocation().Values.First();
+
+        // Verify the circular dependency chain is recorded
+        // A depends on B
+        var aDependencies = dependencyGraph.GetDependenciesForComponent(componentAId);
+        aDependencies.Should().Contain(componentBId);
+
+        // B depends on C
+        var bDependencies = dependencyGraph.GetDependenciesForComponent(componentBId);
+        bDependencies.Should().Contain(componentCId);
+
+        // C depends on A (circular)
+        var cDependencies = dependencyGraph.GetDependenciesForComponent(componentCId);
+        cDependencies.Should().Contain(componentAId);
+
+        // Verify all three components are properly registered
+        componentRecorder.AssertAllExplicitlyReferencedComponents<NpmComponent>(
+            componentAId,
+            parentComponent => parentComponent.Name == componentA.Name);
+
+        // B should be a transitive dependency of A (which is explicitly referenced)
+        componentRecorder.IsDependencyOfExplicitlyReferencedComponents<NpmComponent>(
+            componentBId,
+            parentComponent => parentComponent.Name == componentA.Name).Should().BeTrue();
+
+        // C should also be a transitive dependency of A (reachable via A->B->C)
+        // Even with the circular dependency C->A, C is still reachable from the explicitly referenced A
+        componentRecorder.IsDependencyOfExplicitlyReferencedComponents<NpmComponent>(
+            componentCId,
+            parentComponent => parentComponent.Name == componentA.Name).Should().BeTrue();
+    }
 }
