fix(deps): update node lockfile parser (#785)

d3vco · web-flow · commit b81441398691 · 2026-04-09T10:12:09.000-04:00
`snyk-nodejs-lockfile-parser` v2.2.3
introduced type signature changes that became incompatible with the
`legacy.depTreeToGraph` function in `@snyk/dep-graph`.
This commit bridges the gap between `@snyk/dep-graph` and
`snyk-nodejs-lockfile-parser` by casting the `DepTreeDep.labels` object
as `any`.
diff --git a/lib/analyzer/applications/node.ts b/lib/analyzer/applications/node.ts
@@ -136,7 +136,7 @@ async function depGraphFromNodeModules(
       }
 
       const depGraph = await legacy.depTreeToGraph(
-        pkgTree,
+        pkgTree as any,
         pkgTree.type || "npm",
       );
 
@@ -417,7 +417,7 @@ function stripUndefinedLabels(
   parserResult: lockFileParser.PkgTree,
 ): lockFileParser.PkgTree {
   const optionalLabels = parserResult.labels;
-  const mandatoryLabels: Record<string, string> = {};
+  const mandatoryLabels: Record<string, any> = {};
   if (optionalLabels) {
     for (const currentLabelName of Object.keys(optionalLabels)) {
       if (optionalLabels[currentLabelName] !== undefined) {
@@ -428,7 +428,7 @@ function stripUndefinedLabels(
   const parserResultWithProperLabels = Object.assign({}, parserResult, {
     labels: mandatoryLabels,
   });
-  return parserResultWithProperLabels;
+  return parserResultWithProperLabels as lockFileParser.PkgTree;
 }
 
 async function buildDepGraph(
@@ -513,7 +513,10 @@ async function buildDepGraphFromDepTree(
     // Don't provide a default manifest file name, prefer the parser to infer it.
   );
   const strippedLabelsParserResult = stripUndefinedLabels(parserResult);
-  return await legacy.depTreeToGraph(strippedLabelsParserResult, lockfileType);
+  return await legacy.depTreeToGraph(
+    strippedLabelsParserResult as any,
+    lockfileType,
+  );
 }
 
 export function getLockFileVersion(
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -50,7 +50,7 @@
     "packageurl-js": "1.2.0",
     "semver": "^7.7.3",
     "shescape": "^2.1.7",
-    "snyk-nodejs-lockfile-parser": "^2.2.2",
+    "snyk-nodejs-lockfile-parser": "^2.7.0",
     "snyk-poetry-lockfile-parser": "1.9.1",
     "snyk-resolve-deps": "^4.9.1",
     "tar-stream": "^2.2.0",
diff --git a/test/system/application-scans/node.spec.ts b/test/system/application-scans/node.spec.ts
@@ -403,7 +403,7 @@ describe("node application scans", () => {
       noFromArrays: true,
     });
 
-    const depGraph = await legacy.depTreeToGraph(depRes, "npm");
+    const depGraph = await legacy.depTreeToGraph(depRes as any, "npm");
 
     expect(depGraph.rootPkg.name).toEqual("app");
     expect(depGraph.rootPkg.version).toBe(undefined);
