fix(sbom-tools): properly do relative lookups for external prod dependencies (#544)

We are currently receiving a vulnerability report for `brace-expansion` in mongosh
even though we do not include said package in our production bundle.

Tracking down this discrepancy led to this bug in our webpack dependency plugin.

Author: addaleax

packages/sbom-tools/src/production-deps.ts

@@ -73,7 +73,7 @@ export function findAllProdDepsTreeLocations(from = process.cwd()): string[] {
       ...Object.keys(optionalDependencies),
     ].forEach((dep) => {
       try {
-        const depLocation = findPackageLocation(dep, from);
+        const depLocation = findPackageLocation(dep, packageLocation);
 
         if (depLocation) {
           allLocations.add(depLocation);

packages/sbom-tools/src/webpack-dependencies-plugin.spec.ts

@@ -185,6 +185,7 @@ describe('WebpackDependenciesPlugin', function () {
         version: '0.1.0',
         dependencies: {
           pkg2: '^0.1.0',
+          pkg4: '^1.2.3',
         },
       }),
       'node_modules/pkg1/index.js': '',
@@ -206,6 +207,16 @@ describe('WebpackDependenciesPlugin', function () {
         version: '0.1.0',
       }),
       'node_modules/pkg3/index.js': '',
+      'node_modules/pkg4/package.json': JSON.stringify({
+        name: 'pkg4',
+        version: '1.2.4', // should be ignored in favor of nested one
+      }),
+      'node_modules/pkg4/index.js': '',
+      'node_modules/pkg1/node_modules/pkg4/package.json': JSON.stringify({
+        name: 'pkg4',
+        version: '1.2.5',
+      }),
+      'node_modules/pkg1/node_modules/pkg4/index.js': '',
     };
 
     const dependencies = await runPlugin(structure, {
@@ -233,6 +244,11 @@ describe('WebpackDependenciesPlugin', function () {
         name: 'pkg3',
         version: '0.1.0',
       },
+      {
+        licenseFiles: [],
+        name: 'pkg4',
+        version: '1.2.5',
+      },
     ]);
   });