dependabot · jakecoffman · Nov 29, 2022 · Nov 28, 2022 · Nov 28, 2022 · Nov 28, 2022
@@ -205,11 +205,16 @@ def lerna_packages
         @lerna_packages ||= fetch_lerna_packages
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
       def path_dependencies(fetched_files)
         package_json_files = []
         unfetchable_deps = []
 
         path_dependency_details(fetched_files).each do |name, path|
+          # This happens with relative paths in the package-lock. Skipping it since it results
+          # in /package.json which is outside of the project directory.
+          next if path == "file:"
+
           path = path.gsub(PATH_DEPENDENCY_CLEAN_REGEX, "")
           raise PathDependenciesNotReachable, "#{name} at #{path}" if path.start_with?("/")
 
@@ -238,6 +243,7 @@ def path_dependencies(fetched_files)
 
         package_json_files.tap { |fs| fs.each { |f| f.support_file = true } }
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
       def path_dependency_details(fetched_files)
         package_json_path_deps = []

@@ -97,6 +97,37 @@
     end
   end
 
+  context "that has a blank file: in the package-lock" do
+    before do
+      stub_request(:get, File.join(url, "package.json?ref=sha")).
+        with(headers: { "Authorization" => "token token" }).
+        to_return(
+          status: 200,
+          body: fixture_to_response("projects/npm8/path_dependency_blank_file", "package.json"),
+          headers: json_header
+        )
+      stub_request(:get, File.join(url, "package-lock.json?ref=sha")).
+        with(headers: { "Authorization" => "token token" }).
+        to_return(
+          status: 200,
+          body: fixture_to_response("projects/npm8/path_dependency_blank_file", "package-lock.json"),
+          headers: json_header
+        )
+      stub_request(:get, File.join(url, "another/package.json?ref=sha")).
+        with(headers: { "Authorization" => "token token" }).
+        to_return(
+          status: 200,
+          body: fixture_to_response("projects/npm8/path_dependency_blank_file/another", "package.json"),
+          headers: json_header
+        )
+    end
+
+    it "does not have a /package.json" do
+      expect(file_fetcher_instance.files.map(&:name)).
+        to eq(%w(package.json package-lock.json another/package.json))
+    end
+  end
+
   context "with a .npmrc file" do
     before do
       stub_request(:get, url + "?ref=sha").
@@ -1591,12 +1622,6 @@
   end
 
   context "with no .npmrc but package-lock.json contains a custom registry" do
-    def fixture_to_response(dir, file)
-      JSON.dump({
-        "content" => Base64.encode64(fixture(dir, file))
-      })
-    end
-
     before do
       allow(file_fetcher_instance).to receive(:commit).and_return("sha")
 
@@ -1626,3 +1651,7 @@ def fixture_to_response(dir, file)
     end
   end
 end
+
+def fixture_to_response(dir, file)
+  JSON.dump({ "content" => Base64.encode64(fixture(dir, file)) })
+end
@@ -0,0 +1,14 @@
+{
+  "name": "another",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "right-pad": "^1.0.0"
+  }
+}
@@ -0,0 +1,28 @@
+{
+  "name": "npm-eacces",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "workspaces": [
+    ".",
+    "./",
+    "another"
+  ],
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/dsp-testing/npm-eacces.git"
+  },
+  "author": "",
+  "license": "ISC",
+  "bugs": {
+    "url": "https://github.com/dsp-testing/npm-eacces/issues"
+  },
+  "homepage": "https://github.com/dsp-testing/npm-eacces#readme",
+  "dependencies": {
+    "another": "^1.0.0",
+    "left-pad": "1.2"
+  }
+}