Do download bundled deps if they are direct deps

Npm marks to-be-bundled deps as bundled in lockfile v2+. We should consider those not bundled. Signed-off-by: Adam Cmiel <[email protected]>
containerbuildsystem · Jun 9, 2023 · 5dedcd3 · 5dedcd3
1 parent e9e6833
commit 5dedcd3
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 2 deletions.
diff --git a/cachito/workers/pkg_managers/npm.py b/cachito/workers/pkg_managers/npm.py
@@ -110,7 +110,13 @@ def set_resolved(self, resolved: str) -> None:
     @property
     def bundled(self) -> bool:
         """Return True if this package is bundled."""
-        return any(self._package_dict.get(key) for key in ["bundled", "inBundle"])
+        return (
+            any(self._package_dict.get(key) for key in ["bundled", "inBundle"])
+            # In v2+ lockfiles, direct dependencies do have "inBundle": true if they are to be
+            # bundled. They will get bundled if the package is uploaded to the npm registry, but
+            # aren't bundled yet. These have a resolved url and shouldn't be considered bundled.
+            and "resolved" not in self._package_dict
+        )
 
     @property
     def dev(self) -> bool:

diff --git a/tests/test_workers/test_pkg_managers/test_npm.py b/tests/test_workers/test_pkg_managers/test_npm.py
@@ -1102,13 +1102,52 @@ def _mock_convert_to_nexus_hosted(package: Package) -> None:
             },
             id="v2_packages",
         ),
+        pytest.param(
+            [
+                # direct bundled dep - should be downloaded, shouldn't be considered bundled
+                # npm init --yes
+                # npm add fecha --save-bundle
+                Package(
+                    "fecha",
+                    {
+                        "version": "4.2.3",
+                        "resolved": "https://registry.npmjs.org/fecha/-/fecha-4.2.3.tgz",
+                        "inBundle": True,
+                    },
+                    path="node_modules/fecha",
+                ),
+                # indirect bundled dep, duplicate of the direct one
+                Package(
+                    "fecha",
+                    {
+                        "version": "4.2.3",
+                        # the result should be non-bundled and non-dev
+                        "inBundle": True,
+                        "dev": True,
+                    },
+                    path="node_modules/foo/node_modules/fecha",
+                ),
+            ],
+            {
+                "fecha": [
+                    {
+                        "bundled": False,
+                        "dev": False,
+                        "name": "fecha",
+                        "type": "npm",
+                        "version": "4.2.3",
+                        "version_in_nexus": None,
+                    },
+                ],
+            },
+            id="v2_packages_direct_bundled_dep",
+        ),
     ],
 )
 def test_get_deps_bundled_dep(
     packages: list[Package],
     expected_name_to_deps: dict[str, dict],
 ) -> None:
-
     package_lock = mock.Mock()
     package_lock.packages = packages
     name_to_deps, replacements = npm._get_deps(package_lock, set())