From 0b8cf02897ebf763f64d3c6909029522b77f17b1 Mon Sep 17 00:00:00 2001
From: Anna Henningsen
Date: Thu, 12 Jun 2025 18:03:11 +0200
Subject: [PATCH] fix(sbom-tools): properly do relative lookups for external prod dependencies

We are currently receiving a vulnerability report for `brace-expansion` in mongosh even though we do not include said package in our production bundle. Tracking down this discrepancy led to this bug in our webpack dependency plugin.
---
 packages/sbom-tools/src/production-deps.ts | 2 +-
 .../src/webpack-dependencies-plugin.spec.ts | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/packages/sbom-tools/src/production-deps.ts b/packages/sbom-tools/src/production-deps.ts
index 7b337aa9..2ccd0713 100644
--- a/packages/sbom-tools/src/production-deps.ts
+++ b/packages/sbom-tools/src/production-deps.ts
@@ -73,7 +73,7 @@ export function findAllProdDepsTreeLocations(from = process.cwd()): string[] {
 ...Object.keys(optionalDependencies),
 ].forEach((dep) => {
 try {
- const depLocation = findPackageLocation(dep, from);
+ const depLocation = findPackageLocation(dep, packageLocation);
 
 if (depLocation) {
 allLocations.add(depLocation);
diff --git a/packages/sbom-tools/src/webpack-dependencies-plugin.spec.ts b/packages/sbom-tools/src/webpack-dependencies-plugin.spec.ts
index d66734bf..f35b618f 100644
--- a/packages/sbom-tools/src/webpack-dependencies-plugin.spec.ts
+++ b/packages/sbom-tools/src/webpack-dependencies-plugin.spec.ts
@@ -185,6 +185,7 @@ describe('WebpackDependenciesPlugin', function () {
 version: '0.1.0',
 dependencies: {
 pkg2: '^0.1.0',
+ pkg4: '^1.2.3',
 },
 }),
 'node_modules/pkg1/index.js': '',
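Review bot: The corrected call on the `+` line gives no hint why the lookup base is the declaring package rather than `from`, and the removed line shows how easily that gets regressed; a comment such as `// resolve each dependency relative to the package that declares it, so a nested node_modules copy wins over a hoisted one` would anchor the choice. It is worth stating the SBOM consequence there as well: resolving from the root can report a hoisted version the bundle never loads while omitting the nested copy it does load, which produces the false report the commit message describes and could just as well hide a vulnerable nested version. I assume `packageLocation` is the resolved directory of the package whose manifest these dependency keys were read from, since its declaration is outside the hunk; findAllProdDepsTreeLocations starts and ends outside the hunk as well.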
@@ -206,6 +207,16 @@ describe('WebpackDependenciesPlugin', function () {
 version: '0.1.0',
 }),
 'node_modules/pkg3/index.js': '',
+ 'node_modules/pkg4/package.json': JSON.stringify({
+ name: 'pkg4',
+ version: '1.2.4', // should be ignored in favor of nested one
+ }),
+ 'node_modules/pkg4/index.js': '',
+ 'node_modules/pkg1/node_modules/pkg4/package.json': JSON.stringify({
+ name: 'pkg4',
+ version: '1.2.5',
+ }),
+ 'node_modules/pkg1/node_modules/pkg4/index.js': '',
 };
 
 const dependencies = await runPlugin(structure, {
@@ -233,6 +244,11 @@ describe('WebpackDependenciesPlugin', function () {
 name: 'pkg3',
 version: '0.1.0',
 },
+ {
+ licenseFiles: [],
+ name: 'pkg4',
+ version: '1.2.5',
+ },
 ]);
 });