fix: address review feedback for URL dependency detection

ndpvt-web · claude · ndpvt-web · commit 28403132b8df · 2026-03-10T08:48:24.000Z
- Scan all packages for URL deps, not just root (fixes transitive detection)
- Align isUrlDependency with resolveVersion URL patterns
- Use computed map for URL dep lookups in Dependencies.vue
- Remove orphaned url field from ResolvedPackage interface

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/app/components/Package/Dependencies.vue b/app/components/Package/Dependencies.vue
@@ -37,10 +37,15 @@ function getDeprecatedDepInfo(depName: string) {
   return vulnTree.value.deprecatedPackages.find(p => p.name === depName && p.depth === 'direct')
 }
 
+// Cache URL dependency lookups with computed map
+const urlDepMap = computed(() => {
+  if (!vulnTree.value) return new Map()
+  return new Map(vulnTree.value.urlDependencies.map(dep => [dep.name, dep]))
+})
+
 // Check if a dependency uses git: or https: URL
 function getUrlDepInfo(depName: string) {
-  if (!vulnTree.value) return null
-  return vulnTree.value.urlDependencies.find(p => p.name === depName)
+  return urlDepMap.value.get(depName) ?? null
 }
 
 // Expanded state for each section
diff --git a/server/utils/dependency-analysis.ts b/server/utils/dependency-analysis.ts
@@ -260,7 +260,13 @@ function getSeverityLevel(vuln: OsvVulnerability): OsvSeverityLevel {
  * Check if a dependency URL is a git: or https: URL that should be flagged.
  */
 function isUrlDependency(url: string): boolean {
-  return url.startsWith('git:') || url.startsWith('https:') || url.startsWith('git+https:')
+  return (
+    url.startsWith('git:') ||
+    url.startsWith('git+') ||
+    url.startsWith('http:') ||
+    url.startsWith('https:') ||
+    url.startsWith('file:')
+  )
 }
 
 /**
@@ -336,8 +342,12 @@ export const analyzeDependencyTree = defineCachedFunction(
         return depthOrder[a.depth] - depthOrder[b.depth]
       })
 
-    // Scan for git: and https: URL dependencies in the root package
-    const urlDependencies = await scanUrlDependencies(name, version, 'root', [])
+    // Scan for git: and https: URL dependencies in all packages
+    const urlDependencies: UrlDependencyInfo[] = []
+    for (const pkg of packages) {
+      const pkgUrlDeps = await scanUrlDependencies(pkg.name, pkg.version, pkg.depth, pkg.path)
+      urlDependencies.push(...pkgUrlDeps)
+    }
 
     // Step 1: Use batch API to find which packages have vulnerabilities
     // This is much faster than individual queries - one request for all packages
diff --git a/server/utils/dependency-resolver.ts b/server/utils/dependency-resolver.ts
@@ -106,8 +106,6 @@ export interface ResolvedPackage {
   path?: string[]
   /** Deprecation message if the version is deprecated */
   deprecated?: string
-  /** Original URL if this was a git: or https: dependency */
-  url?: string
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -106,8 +106,6 @@ export interface ResolvedPackage {`
`106`	`106`	`path?: string[]`
`107`	`107`	`/** Deprecation message if the version is deprecated */`
`108`	`108`	`deprecated?: string`
`109`		`- /** Original URL if this was a git: or https: dependency */`
`110`		`- url?: string`
`111`	`109`	`}`
`112`	`110`
`113`	`111`	`/**`