after-the-fact component deduplication
PLEASE READ THE FOLLOWING WHOLE DESCRIPTION FIRST
caused by https://owasp.slack.com/archives/C6R3R32H4/p1667674523556749
caused by #233
NodeJS's module system is file-system based. It works regardless of package dependencies.
When code in module "foo" tries to use/require/access code from a different module "bar", then node will look in "foo"'s own/direct "node_modules" folder (depth 1). If it did not find any "bar" there, then node traverses all folders upwards and does the same lookup there, until it finds any "bar".
Let's look at the following simple file trees:

```
my-app
|- node_modules
   |- foo
   |- bar
```

```
my-app
|- node_modules
   |- foo
      |- node_modules
         |- bar
```

```
my-app
|- node_modules
   |- bar
      |- node_modules
         |- foo
```

What about a situation where "bar" is installed multiple times?

```
my-app
|- node_modules
   |- bar
   |- foo
      |- node_modules
         |- bar
```
This is the problem to be solved: how can this "bar" be de-duplicated in the SBOM?
Is it possible at all? Let's discuss and evaluate via #307.