Merge remote-tracking branch 'upstream/dev' into fix_banner_on_opt_param

jfrog · Oct 29, 2023 · 72eaaa2 · 72eaaa2
2 parents 9ef7338 + 1a1004f
commit 72eaaa2
Showing 1 changed file with 22 additions and 2 deletions.
diff --git a/packagehandlers/npmpackagehandler.go b/packagehandlers/npmpackagehandler.go
@@ -1,6 +1,15 @@
 package packagehandlers
 
-import "github.com/jfrog/frogbot/utils"
+import (
+	"fmt"
+	"github.com/jfrog/frogbot/utils"
+	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
+)
+
+const (
+	npmInstallPackageLockOnlyFlag = "--package-lock-only"
+	npmInstallIgnoreScriptsFlag   = "--ignore-scripts"
+)
 
 type NpmPackageHandler struct {
 	CommonPackageHandler
@@ -19,5 +28,16 @@ func (npm *NpmPackageHandler) UpdateDependency(vulnDetails *utils.VulnerabilityD
 }
 
 func (npm *NpmPackageHandler) updateDirectDependency(vulnDetails *utils.VulnerabilityDetails) (err error) {
-	return npm.CommonPackageHandler.UpdateDependency(vulnDetails, vulnDetails.Technology.GetPackageInstallationCommand())
+	isNodeModulesExists, err := fileutils.IsDirExists("node_modules", false)
+	if err != nil {
+		err = fmt.Errorf("failed while serching for node_modules in project: %s", err.Error())
+		return
+	}
+
+	commandFlags := []string{npmInstallIgnoreScriptsFlag}
+	if !isNodeModulesExists {
+		// In case node_modules don't exist in current dir the fix will update only package.json and package-lock.json
+		commandFlags = append(commandFlags, npmInstallPackageLockOnlyFlag)
+	}
+	return npm.CommonPackageHandler.UpdateDependency(vulnDetails, vulnDetails.Technology.GetPackageInstallationCommand(), commandFlags...)
 }