Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

npm results returning a lot of false positives or are other tools missing stuff? #400

Open
mlieberman85 opened this issue Jan 19, 2025 · 12 comments · Fixed by #417
Open

npm results returning a lot of false positives or are other tools missing stuff? #400

mlieberman85 opened this issue Jan 19, 2025 · 12 comments · Fixed by #417

Comments

@mlieberman85
Copy link

I was testing out scalibr on an older version of an app I was building where I knew about a few known vulnerabilities. I used scalibr to generate an SBOM which I then fed into osv-scanner.

I generated sboms at the root of the npm project.

I ran the following commands:
scalibr -o spdx23-json=scalibr.spdx.json --root .

and

npm sbom --sbom-format spdx > npm.spdx.json

I have attached scalibr.spdx.json and npm.spdx.json.
npm.spdx.json
scalibr.spdx.json

The results of osv scanner on scalibr.spdx.json was:

  [email protected] has the following known vulnerabilities:
    GHSA-93q8-gq69-wqmw: Inefficient Regular Expression Complexity in chalk/ansi-regex (https://osv.dev/GHSA-93q8-gq69-wqmw)
  [email protected] has the following known vulnerabilities:
    GHSA-93q8-gq69-wqmw: Inefficient Regular Expression Complexity in chalk/ansi-regex (https://osv.dev/GHSA-93q8-gq69-wqmw)
  [email protected] has the following known vulnerabilities:
    GHSA-67hx-6x53-jw92: Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (https://osv.dev/GHSA-67hx-6x53-jw92)
  [email protected] has the following known vulnerabilities:
    GHSA-cwfw-4gq5-mrqx: Regular Expression Denial of Service (ReDoS) in braces (https://osv.dev/GHSA-cwfw-4gq5-mrqx)
    GHSA-g95f-p29q-9xw4: Regular Expression Denial of Service in braces (https://osv.dev/GHSA-g95f-p29q-9xw4)
    GHSA-grv7-fg5c-xmjg: Uncontrolled resource consumption in braces (https://osv.dev/GHSA-grv7-fg5c-xmjg)
  [email protected] has the following known vulnerabilities:
    GHSA-grv7-fg5c-xmjg: Uncontrolled resource consumption in braces (https://osv.dev/GHSA-grv7-fg5c-xmjg)
  [email protected] has the following known vulnerabilities:
    GHSA-grv7-fg5c-xmjg: Uncontrolled resource consumption in braces (https://osv.dev/GHSA-grv7-fg5c-xmjg)
  [email protected] has the following known vulnerabilities:
    GHSA-pxg6-pf52-xh8x: cookie accepts cookie name, path, and domain with out of bounds characters (https://osv.dev/GHSA-pxg6-pf52-xh8x)
  [email protected] has the following known vulnerabilities:
    GHSA-3xgq-45jj-v275: Regular Expression Denial of Service (ReDoS) in cross-spawn (https://osv.dev/GHSA-3xgq-45jj-v275)
  [email protected] has the following known vulnerabilities:
    GHSA-gxpj-cx7g-858c: Regular Expression Denial of Service in debug (https://osv.dev/GHSA-gxpj-cx7g-858c)
  [email protected] has the following known vulnerabilities:
    GHSA-w573-4hg7-7wgq: decode-uri-component vulnerable to Denial of Service (DoS) (https://osv.dev/GHSA-w573-4hg7-7wgq)
  [email protected] has the following known vulnerabilities:
    GHSA-ww39-953v-wcq6: glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex (https://osv.dev/GHSA-ww39-953v-wcq6)
  [email protected] has the following known vulnerabilities:
    GHSA-9c47-m6qq-7p4h: Prototype Pollution in JSON5 via Parse Method (https://osv.dev/GHSA-9c47-m6qq-7p4h)
  [email protected] has the following known vulnerabilities:
    GHSA-29mw-wpgm-hmr9: Regular Expression Denial of Service (ReDoS) in lodash (https://osv.dev/GHSA-29mw-wpgm-hmr9)
    GHSA-35jh-r3h4-6jhm: Command Injection in lodash (https://osv.dev/GHSA-35jh-r3h4-6jhm)
  [email protected] has the following known vulnerabilities:
    GHSA-952p-6rrq-rcjv: Regular Expression Denial of Service (ReDoS) in micromatch (https://osv.dev/GHSA-952p-6rrq-rcjv)
  [email protected] has the following known vulnerabilities:
    GHSA-952p-6rrq-rcjv: Regular Expression Denial of Service (ReDoS) in micromatch (https://osv.dev/GHSA-952p-6rrq-rcjv)
  [email protected] has the following known vulnerabilities:
    GHSA-952p-6rrq-rcjv: Regular Expression Denial of Service (ReDoS) in micromatch (https://osv.dev/GHSA-952p-6rrq-rcjv)
  [email protected] has the following known vulnerabilities:
    GHSA-f8q6-p94x-37v3: minimatch ReDoS vulnerability (https://osv.dev/GHSA-f8q6-p94x-37v3)
  [email protected] has the following known vulnerabilities:
    GHSA-xvch-5gv4-984h: Prototype Pollution in minimist (https://osv.dev/GHSA-xvch-5gv4-984h)
  [email protected] has the following known vulnerabilities:
    GHSA-qrpm-p2h7-hrv2: Exposure of Sensitive Information to an Unauthorized Actor in nanoid (https://osv.dev/GHSA-qrpm-p2h7-hrv2)
    GHSA-mwcw-c2x4-8c55: Predictable results in nanoid generation when given non-integer values (https://osv.dev/GHSA-mwcw-c2x4-8c55)
  [email protected] has the following known vulnerabilities:
    GHSA-mwcw-c2x4-8c55: Predictable results in nanoid generation when given non-integer values (https://osv.dev/GHSA-mwcw-c2x4-8c55)
  [email protected] has the following known vulnerabilities:
    GHSA-hj48-42vr-x3v9: Regular Expression Denial of Service in path-parse (https://osv.dev/GHSA-hj48-42vr-x3v9)
  [email protected] has the following known vulnerabilities:
    GHSA-rhx6-c78j-4q9w: Unpatched `path-to-regexp` ReDoS in 0.1.x (https://osv.dev/GHSA-rhx6-c78j-4q9w)
  [email protected] has the following known vulnerabilities:
    GHSA-gcx4-mw62-g8wm: DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS (https://osv.dev/GHSA-gcx4-mw62-g8wm)
  [email protected] has the following known vulnerabilities:
    GHSA-64vr-g452-qvp3: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS (https://osv.dev/GHSA-64vr-g452-qvp3)
    GHSA-9cwx-2883-4wfx: Vite's `server.fs.deny` is bypassed when using `?import&raw` (https://osv.dev/GHSA-9cwx-2883-4wfx)
  [email protected] has the following known vulnerabilities:
    GHSA-5j4c-8p2g-v4jx: ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function (https://osv.dev/GHSA-5j4c-8p2g-v4jx)

The results on the npm generated sbom was:

  [email protected] has the following known vulnerabilities:
    GHSA-pxg6-pf52-xh8x: cookie accepts cookie name, path, and domain with out of bounds characters (https://osv.dev/GHSA-pxg6-pf52-xh8x)
  [email protected] has the following known vulnerabilities:
    GHSA-3xgq-45jj-v275: Regular Expression Denial of Service (ReDoS) in cross-spawn (https://osv.dev/GHSA-3xgq-45jj-v275)
  [email protected] has the following known vulnerabilities:
    GHSA-952p-6rrq-rcjv: Regular Expression Denial of Service (ReDoS) in micromatch (https://osv.dev/GHSA-952p-6rrq-rcjv)
  [email protected] has the following known vulnerabilities:
    GHSA-mwcw-c2x4-8c55: Predictable results in nanoid generation when given non-integer values (https://osv.dev/GHSA-mwcw-c2x4-8c55)
  [email protected] has the following known vulnerabilities:
    GHSA-rhx6-c78j-4q9w: Unpatched `path-to-regexp` ReDoS in 0.1.x (https://osv.dev/GHSA-rhx6-c78j-4q9w)
  [email protected] has the following known vulnerabilities:
    GHSA-64vr-g452-qvp3: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS (https://osv.dev/GHSA-64vr-g452-qvp3)
    GHSA-9cwx-2883-4wfx: Vite's `server.fs.deny` is bypassed when using `?import&raw` (https://osv.dev/GHSA-9cwx-2883-4wfx)
  [email protected] has the following known vulnerabilities:
    GHSA-5j4c-8p2g-v4jx: ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function (https://osv.dev/GHSA-5j4c-8p2g-v4jx)

For example scalibr thinks that [email protected] is installed but in my package.json, npm generated sbom, npm ls --all and just searching around in the files I could only find a reference to [email protected]. I can't tell if this is a false positive or if scalibr detected something npm itself didn't know about. If it was the latter I want to see if there's an easy way to understand what it did to detect it.

Here is the output of npm ls --all just for additional info:

@kusaridev/[email protected] /Users/mlieberman/Projects/molcajete
├── @eslint/[email protected]
├─┬ @gtm-support/[email protected]
│ ├── @gtm-support/[email protected]
│ ├── [email protected] deduped
│ └── [email protected] deduped
├─┬ @kusaridev/[email protected]
│ ├── [email protected] deduped
│ └── [email protected]
├── @mdi/[email protected]
├── @opentelemetry/[email protected]
├─┬ @opentelemetry/[email protected]
│ ├── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @types/[email protected]
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └─┬ @types/[email protected]
│ │   └── @types/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └─┬ @types/[email protected]
│ │   └── @types/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected]
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └─┬ @types/[email protected]
│ │   ├─┬ @hapi/[email protected]
│ │   │ └── @hapi/[email protected]
│ │   ├─┬ @hapi/[email protected]
│ │   │ ├─┬ @hapi/[email protected]
│ │   │ │ └── @hapi/[email protected] deduped
│ │   │ ├── @hapi/[email protected] deduped
│ │   │ ├── @hapi/[email protected]
│ │   │ ├─┬ @hapi/[email protected]
│ │   │ │ └── @hapi/[email protected] deduped
│ │   │ └── @hapi/[email protected] deduped
│ │   ├─┬ @hapi/[email protected]
│ │   │ ├── @hapi/[email protected] deduped
│ │   │ ├── @hapi/[email protected]
│ │   │ └─┬ @hapi/[email protected]
│ │   │   ├── @hapi/[email protected] deduped
│ │   │   └── @hapi/[email protected] deduped
│ │   ├── @types/[email protected]
│ │   ├─┬ @types/[email protected]
│ │   │ └── @types/[email protected]
│ │   ├─┬ @types/[email protected]
│ │   │ └── @types/[email protected] deduped
│ │   ├── @types/[email protected] deduped
│ │   └─┬ [email protected]
│ │     ├── @hapi/[email protected] deduped
│ │     ├─┬ @hapi/[email protected]
│ │     │ └── @hapi/[email protected] deduped
│ │     ├─┬ @sideway/[email protected]
│ │     │ └── @hapi/[email protected] deduped
│ │     ├── @sideway/[email protected]
│ │     └── @sideway/[email protected]
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected]
│ │ └── [email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected]
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @types/[email protected]
│ │ │ └── @types/[email protected] deduped
│ │ └─┬ @types/[email protected]
│ │   ├─┬ @types/[email protected]
│ │   │ └── @types/[email protected] deduped
│ │   ├── @types/[email protected]
│ │   ├─┬ @types/[email protected]
│ │   │ ├── @types/[email protected] deduped
│ │   │ ├─┬ @types/[email protected]
│ │   │ │ ├─┬ @types/[email protected]
│ │   │ │ │ ├── @types/[email protected] deduped
│ │   │ │ │ └── @types/[email protected] deduped
│ │   │ │ ├─┬ @types/[email protected]
│ │   │ │ │ ├── @types/[email protected] deduped
│ │   │ │ │ ├── @types/[email protected] deduped
│ │   │ │ │ ├── @types/[email protected]
│ │   │ │ │ └─┬ @types/[email protected]
│ │   │ │ │   ├── @types/[email protected]
│ │   │ │ │   └── @types/[email protected] deduped
│ │   │ │ ├── @types/[email protected]
│ │   │ │ └─┬ @types/[email protected]
│ │   │ │   ├── @types/[email protected] deduped
│ │   │ │   ├── @types/[email protected] deduped
│ │   │ │   └── @types/[email protected] deduped
│ │   │ ├── @types/[email protected] deduped
│ │   │ └── @types/[email protected] deduped
│ │   ├── @types/[email protected]
│ │   ├── @types/[email protected]
│ │   ├── @types/[email protected]
│ │   ├─┬ @types/[email protected]
│ │   │ └── @types/[email protected] deduped
│ │   └── @types/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └─┬ @types/[email protected]
│ │   └── @types/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └─┬ @types/[email protected]
│ │   └── @types/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └─┬ @opentelemetry/[email protected]
│ │   ├── @opentelemetry/[email protected] deduped
│ │   └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @types/[email protected]
│ │ │ └── @types/[email protected] deduped
│ │ └─┬ @types/[email protected]
│ │   ├── @types/[email protected] deduped
│ │   ├── [email protected]
│ │   └─┬ [email protected]
│ │     ├── [email protected]
│ │     ├── [email protected]
│ │     ├── [email protected]
│ │     ├── [email protected]
│ │     └─┬ [email protected]
│ │       └── [email protected]
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └─┬ @types/[email protected]
│ │   └── @types/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @types/[email protected]
│ │ ├─┬ [email protected]
│ │ │ ├─┬ [email protected]
│ │ │ │ └── [email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ ├── [email protected]
│ │ │ └── [email protected]
│ │ ├─┬ [email protected]
│ │ │ ├── [email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ └─┬ [email protected]
│ │ │   ├─┬ [email protected]
│ │ │   │ └── [email protected] deduped
│ │ │   ├── [email protected]
│ │ │   └── [email protected]
│ │ ├── [email protected] deduped
│ │ └── [email protected]
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └─┬ [email protected]
│ │   ├─┬ [email protected]
│ │   │ ├── [email protected]
│ │   │ ├── [email protected] deduped
│ │   │ ├── [email protected]
│ │   │ ├─┬ [email protected]
│ │   │ │ ├── UNMET OPTIONAL DEPENDENCY encoding@^0.1.0
│ │   │ │ └─┬ [email protected]
│ │   │ │   ├── [email protected]
│ │   │ │   └── [email protected]
│ │   │ └── [email protected]
│ │   └─┬ [email protected]
│ │     └── [email protected]
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ └── @opentelemetry/[email protected] deduped
├─┬ @opentelemetry/[email protected]
│ ├── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├─┬ @opentelemetry/[email protected]
│ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ ├─┬ @opentelemetry/[email protected]
│ │ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ │ └── @opentelemetry/[email protected] deduped
│ │ │ │ └── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected]
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├─┬ @opentelemetry/[email protected]
│ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ ├─┬ @opentelemetry/[email protected]
│ │ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ │ └── @opentelemetry/[email protected] deduped
│ │ │ │ └── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected]
│ ├── @opentelemetry/[email protected] deduped
│ └── [email protected]
├─┬ @opentelemetry/[email protected]
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── [email protected] deduped
│ └── [email protected] deduped
├─┬ @opentelemetry/[email protected]
│ ├── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├── @opentelemetry/[email protected] deduped
│ └── [email protected]
├─┬ @opentelemetry/[email protected]
│ ├─┬ @opentelemetry/[email protected]
│ │ └── @opentelemetry/[email protected] deduped
│ ├── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├─┬ @grpc/[email protected]
│ │ │ ├─┬ @grpc/[email protected]
│ │ │ │ ├── [email protected]
│ │ │ │ ├── [email protected]
│ │ │ │ ├── [email protected] deduped
│ │ │ │ └─┬ [email protected]
│ │ │ │   ├─┬ [email protected]
│ │ │ │   │ ├─┬ [email protected]
│ │ │ │   │ │ ├── [email protected]
│ │ │ │   │ │ ├── [email protected] deduped
│ │ │ │   │ │ └── [email protected] deduped
│ │ │ │   │ ├── [email protected] deduped
│ │ │ │   │ └─┬ [email protected]
│ │ │ │   │   ├── [email protected] deduped
│ │ │ │   │   ├── [email protected] deduped
│ │ │ │   │   └── [email protected] deduped
│ │ │ │   ├── [email protected]
│ │ │ │   ├── [email protected]
│ │ │ │   ├── [email protected]
│ │ │ │   ├─┬ [email protected]
│ │ │ │   │ ├── [email protected]
│ │ │ │   │ ├── [email protected]
│ │ │ │   │ └── [email protected] deduped
│ │ │ │   ├── [email protected]
│ │ │ │   └── [email protected] deduped
│ │ │ └── @js-sdsl/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected]
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @grpc/[email protected] deduped
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├─┬ @opentelemetry/[email protected]
│ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ └── @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └─┬ [email protected]
│ │ │   ├── @protobufjs/[email protected]
│ │ │   ├── @protobufjs/[email protected]
│ │ │   ├── @protobufjs/[email protected]
│ │ │   ├── @protobufjs/[email protected]
│ │ │   ├─┬ @protobufjs/[email protected]
│ │ │   │ ├── @protobufjs/[email protected] deduped
│ │ │   │ └── @protobufjs/[email protected] deduped
│ │ │   ├── @protobufjs/[email protected]
│ │ │   ├── @protobufjs/[email protected]
│ │ │   ├── @protobufjs/[email protected]
│ │ │   ├── @protobufjs/[email protected]
│ │ │   ├── @protobufjs/[email protected]
│ │ │   ├── @types/[email protected] deduped
│ │ │   └── [email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├─┬ @opentelemetry/[email protected]
│ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ └── @opentelemetry/[email protected]
│ │ │ ├─┬ @opentelemetry/[email protected]
│ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ └── @opentelemetry/[email protected] deduped
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├─┬ @opentelemetry/[email protected]
│ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ └── [email protected] deduped
│ │ │ └─┬ @opentelemetry/[email protected]
│ │ │   ├── @opentelemetry/[email protected] deduped
│ │ │   ├── @opentelemetry/[email protected] deduped
│ │ │   ├── @opentelemetry/[email protected] deduped
│ │ │   └── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ └─┬ @opentelemetry/[email protected]
│ │   ├── @opentelemetry/[email protected] deduped
│ │   ├── @opentelemetry/[email protected] deduped
│ │   ├── @opentelemetry/[email protected] deduped
│ │   └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected]
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └─┬ @opentelemetry/[email protected]
│ │ │   ├── @opentelemetry/[email protected] deduped
│ │ │   └── @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ └─┬ @opentelemetry/[email protected]
│ │   ├── @opentelemetry/[email protected] deduped
│ │   ├── @opentelemetry/[email protected] deduped
│ │   ├── @opentelemetry/[email protected] deduped
│ │   └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├─┬ @opentelemetry/[email protected]
│ │ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ │ └── @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── [email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ └─┬ @opentelemetry/[email protected]
│ │   ├── @opentelemetry/[email protected] deduped
│ │   ├── @opentelemetry/[email protected] deduped
│ │   ├── @opentelemetry/[email protected] deduped
│ │   └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected]
│ ├── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected]
│ │ └─┬ @opentelemetry/[email protected]
│ │   ├── @opentelemetry/[email protected] deduped
│ │   ├── @opentelemetry/[email protected] deduped
│ │   └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ ├─┬ @opentelemetry/[email protected]
│ │ │ ├── @opentelemetry/[email protected] deduped
│ │ │ └── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── [email protected] deduped
│ └── @opentelemetry/[email protected]
├─┬ @opentelemetry/[email protected]
│ ├── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ └── @opentelemetry/[email protected] deduped
│ ├── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ ├─┬ @opentelemetry/[email protected]
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ ├── @opentelemetry/[email protected] deduped
│ │ └── @opentelemetry/[email protected] deduped
│ └── [email protected]
├─┬ @opentelemetry/[email protected]
│ ├── @opentelemetry/[email protected] deduped
│ ├── @opentelemetry/[email protected] deduped
│ ├── @opentelemetry/[email protected] deduped
│ └── @opentelemetry/[email protected]
├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
├── @rushstack/[email protected]
├─┬ @ssthouse/[email protected]
│ └─┬ @ssthouse/[email protected]
│   └── [email protected] deduped
├── @tsconfig/[email protected]
├─┬ @types/[email protected]
│ └── [email protected] deduped
├── @types/[email protected]
├─┬ @types/[email protected]
│ ├── @types/[email protected] deduped
│ ├── @types/[email protected]
│ └─┬ [email protected]
│   └── [email protected]
├─┬ @types/[email protected]
│ └── [email protected]
├─┬ @vitejs/[email protected]
│ └── [email protected] deduped
├─┬ @vitejs/[email protected]
│ ├── [email protected] deduped
│ └── [email protected] deduped
├─┬ @vue/[email protected]
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @types/eslint@>=8.0.0
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ ├── [email protected] deduped
│ │ └─┬ [email protected]
│ │   ├── @pkgr/[email protected]
│ │   └── [email protected] deduped
│ ├── [email protected] deduped
│ └── [email protected] deduped
├─┬ @vue/[email protected]
│ ├─┬ @typescript-eslint/[email protected]
│ │ ├── @eslint-community/[email protected] deduped
│ │ ├── @typescript-eslint/[email protected] deduped
│ │ ├─┬ @typescript-eslint/[email protected]
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ └── @typescript-eslint/[email protected] deduped
│ │ ├─┬ @typescript-eslint/[email protected]
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ └── [email protected] deduped
│ │ ├─┬ @typescript-eslint/[email protected]
│ │ │ ├── @eslint-community/[email protected] deduped
│ │ │ ├── @types/[email protected]
│ │ │ ├── @types/[email protected]
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ └── [email protected] deduped
│ │ ├─┬ @typescript-eslint/[email protected]
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ └── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └─┬ [email protected]
│ │   └── [email protected] deduped
│ ├─┬ @typescript-eslint/[email protected]
│ │ ├── @typescript-eslint/[email protected] deduped
│ │ ├── @typescript-eslint/[email protected]
│ │ ├─┬ @typescript-eslint/[email protected]
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ ├─┬ [email protected]
│ │ │ │ ├── [email protected]
│ │ │ │ ├─┬ [email protected]
│ │ │ │ │ └── [email protected]
│ │ │ │ ├── [email protected] deduped
│ │ │ │ ├── [email protected] deduped
│ │ │ │ ├── [email protected] deduped
│ │ │ │ └── [email protected]
│ │ │ ├── [email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ └── [email protected] deduped
│ │ ├── @typescript-eslint/[email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├── [email protected] deduped
│ ├── [email protected] deduped
│ ├── [email protected] deduped
│ └─┬ [email protected]
│   ├── [email protected] deduped
│   ├── [email protected] deduped
│   ├── [email protected] deduped
│   ├── [email protected] deduped
│   ├── [email protected] deduped
│   ├── [email protected] deduped
│   ├── [email protected] deduped
│   └── [email protected] deduped
├─┬ @vue/[email protected]
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ ├── [email protected]
│ │ │ └── [email protected]
│ │ ├─┬ [email protected]
│ │ │ ├── @one-ini/[email protected]
│ │ │ ├── [email protected]
│ │ │ ├─┬ [email protected]
│ │ │ │ └── [email protected] deduped
│ │ │ └── [email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ ├─┬ [email protected]
│ │ │ │ ├── [email protected] deduped
│ │ │ │ └── [email protected] deduped
│ │ │ ├─┬ [email protected]
│ │ │ │ ├─┬ @isaacs/[email protected]
│ │ │ │ │ ├─┬ string-width-cjs@npm:[email protected]
│ │ │ │ │ │ ├── [email protected]
│ │ │ │ │ │ ├── [email protected] deduped
│ │ │ │ │ │ └── [email protected] deduped
│ │ │ │ │ ├─┬ [email protected]
│ │ │ │ │ │ ├── [email protected]
│ │ │ │ │ │ ├── [email protected]
│ │ │ │ │ │ └─┬ [email protected]
│ │ │ │ │ │   └── [email protected]
│ │ │ │ │ ├─┬ strip-ansi-cjs@npm:[email protected]
│ │ │ │ │ │ └── [email protected] deduped
│ │ │ │ │ ├─┬ [email protected]
│ │ │ │ │ │ └── [email protected]
│ │ │ │ │ ├─┬ wrap-ansi-cjs@npm:[email protected]
│ │ │ │ │ │ ├── [email protected] deduped
│ │ │ │ │ │ ├─┬ [email protected]
│ │ │ │ │ │ │ ├── [email protected]
│ │ │ │ │ │ │ ├── [email protected] deduped
│ │ │ │ │ │ │ └── [email protected] deduped
│ │ │ │ │ │ └── [email protected] deduped
│ │ │ │ │ └─┬ [email protected]
│ │ │ │ │   ├── [email protected]
│ │ │ │ │   ├── [email protected] deduped
│ │ │ │ │   └─┬ [email protected]
│ │ │ │ │     └── [email protected]
│ │ │ │ └── @pkgjs/[email protected]
│ │ │ ├─┬ [email protected]
│ │ │ │ └── [email protected] deduped
│ │ │ ├── [email protected]
│ │ │ ├── [email protected]
│ │ │ └─┬ [email protected]
│ │ │   ├── [email protected]
│ │ │   └── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └─┬ [email protected]
│ │   └── [email protected]
│ └── [email protected]
├── @vue/[email protected]
├─┬ @vuepic/[email protected]
│ ├── [email protected] deduped
│ └── [email protected] deduped
├─┬ [email protected]
│ ├── [email protected] deduped
│ ├── [email protected]
│ └── [email protected]
├─┬ [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ └─┬ [email protected]
│ │   └── [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └── @kurkle/[email protected]
├─┬ [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ └── [email protected]
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │   └── [email protected]
│ ├── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ └── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├── [email protected] deduped
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected] deduped
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ └─┬ [email protected]
│   ├── [email protected] deduped
│   ├── [email protected] deduped
│   ├── [email protected] deduped
│   ├── [email protected] deduped
│   └── [email protected] deduped
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ └── [email protected]
├── [email protected]
├─┬ [email protected]
│ ├─┬ @eslint-community/[email protected]
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ └── [email protected]
│ ├── [email protected] deduped
│ ├── [email protected] deduped
│ └── [email protected]
├─┬ [email protected]
│ ├── @eslint-community/[email protected] deduped
│ ├── @eslint-community/[email protected]
│ ├─┬ @eslint/[email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ ├─┬ [email protected]
│ │ │ │ └── [email protected]
│ │ │ └── [email protected]
│ │ ├── [email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ └─┬ [email protected]
│ │ │   ├── [email protected] deduped
│ │ │   └── [email protected] deduped
│ │ └── [email protected]
│ ├── @eslint/[email protected]
│ ├─┬ @humanwhocodes/[email protected]
│ │ ├── @humanwhocodes/[email protected]
│ │ ├── [email protected] deduped
│ │ └─┬ [email protected]
│ │   └─┬ [email protected]
│ │     ├── [email protected] deduped
│ │     └── [email protected] deduped
│ ├── @humanwhocodes/[email protected]
│ ├─┬ @nodelib/[email protected]
│ │ ├─┬ @nodelib/[email protected]
│ │ │ ├── @nodelib/[email protected] deduped
│ │ │ └─┬ [email protected]
│ │ │   └── [email protected]
│ │ └─┬ [email protected]
│ │   └── [email protected]
│ ├── @ungap/[email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected]
│ │ ├── [email protected]
│ │ └─┬ [email protected]
│ │   └── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ └─┬ [email protected]
│ │ │   └── [email protected] deduped
│ │ └─┬ [email protected]
│ │   └── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ └─┬ [email protected]
│ │   └── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ └── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ ├── [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├── [email protected]
│ ├── [email protected] deduped
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │   ├── [email protected]
│ │   ├─┬ [email protected]
│ │   │ └── [email protected]
│ │   └─┬ [email protected]
│ │     └─┬ [email protected]
│ │       ├── [email protected]
│ │       ├─┬ [email protected]
│ │       │ ├── [email protected] deduped
│ │       │ └── [email protected]
│ │       ├── [email protected] deduped
│ │       ├─┬ [email protected]
│ │       │ └─┬ [email protected]
│ │       │   ├── [email protected] deduped
│ │       │   └── [email protected] deduped
│ │       ├─┬ [email protected]
│ │       │ └── [email protected] deduped
│ │       └── [email protected]
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ └─┬ [email protected]
│ │ │   └─┬ [email protected]
│ │ │     └── [email protected]
│ │ └── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ └─┬ [email protected]
│ │   └── [email protected] deduped
│ ├── [email protected] deduped
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │   ├── [email protected]
│ │   └── [email protected]
│ ├── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ ├── [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ └── [email protected]
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected] deduped
│ │ └── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ ├── [email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected]
│ │ ├── [email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ ├── [email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ └── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ └── [email protected]
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │   ├─┬ [email protected]
│ │   │ ├─┬ [email protected]
│ │   │ │ └── [email protected] deduped
│ │   │ ├── [email protected] deduped
│ │   │ ├── [email protected]
│ │   │ ├── [email protected] deduped
│ │   │ └─┬ [email protected]
│ │   │   ├─┬ [email protected]
│ │   │   │ ├── [email protected] deduped
│ │   │   │ ├── [email protected] deduped
│ │   │   │ └── [email protected] deduped
│ │   │   ├── [email protected] deduped
│ │   │   ├── [email protected] deduped
│ │   │   ├── [email protected] deduped
│ │   │   ├─┬ [email protected]
│ │   │   │ └── [email protected] deduped
│ │   │   └─┬ [email protected]
│ │   │     └── [email protected] deduped
│ │   ├── [email protected]
│ │   ├─┬ [email protected]
│ │   │ ├── [email protected] deduped
│ │   │ ├── [email protected] deduped
│ │   │ ├── [email protected]
│ │   │ ├── [email protected]
│ │   │ └─┬ [email protected]
│ │   │   └── [email protected] deduped
│ │   └── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected]
│ │ ├── [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ └── [email protected] deduped
│ ├── [email protected]
│ └── [email protected]
├── [email protected]
├─┬ [email protected]
│ ├── [email protected] deduped
│ └── [email protected]
├── [email protected]
├── [email protected]
├─┬ [email protected]
│ ├── UNMET OPTIONAL DEPENDENCY canvas@^2.11.2
│ ├─┬ [email protected]
│ │ └── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├── [email protected]
│ ├── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected] deduped
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ ├── [email protected]
│ │ ├── [email protected]
│ │ └─┬ [email protected]
│ │   ├── [email protected]
│ │   └── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │   └── [email protected] deduped
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY bufferutil@^4.0.1
│ │ └── UNMET OPTIONAL DEPENDENCY utf-8-validate@>=5.0.2
│ └── [email protected]
├─┬ [email protected]
│ ├── [email protected]
│ ├── [email protected] deduped
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │   └── [email protected] deduped
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ └── [email protected]
│ └── [email protected]
├─┬ [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├── @nodelib/[email protected]
│ │ ├── @nodelib/[email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ ├── [email protected]
│ │ └─┬ [email protected]
│ │   ├─┬ [email protected]
│ │   │ └─┬ [email protected]
│ │   │   └─┬ [email protected]
│ │   │     └── [email protected]
│ │   └── [email protected]
│ ├── [email protected] deduped
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └── @fastify/[email protected]
│ └── [email protected]
├─┬ [email protected]
│ ├── UNMET OPTIONAL DEPENDENCY @vue/composition-api@^1.4.0
│ ├── @vue/[email protected]
│ ├── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @vue/composition-api@^1.0.0-rc.1
│ │ └── [email protected] deduped
│ └── [email protected] deduped
├── [email protected]
├── [email protected]
├─┬ [email protected]
│ ├─┬ @typescript-eslint/[email protected]
│ │ ├── @eslint-community/[email protected] deduped
│ │ ├── @typescript-eslint/[email protected] deduped
│ │ ├─┬ @typescript-eslint/[email protected]
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ └── @typescript-eslint/[email protected] deduped
│ │ ├─┬ @typescript-eslint/[email protected]
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ └── [email protected] deduped
│ │ ├── @typescript-eslint/[email protected] deduped
│ │ ├─┬ @typescript-eslint/[email protected]
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ └── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ @typescript-eslint/[email protected]
│ │ ├── @typescript-eslint/[email protected] deduped
│ │ ├── @typescript-eslint/[email protected]
│ │ ├─┬ @typescript-eslint/[email protected]
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ ├── @typescript-eslint/[email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ ├─┬ [email protected]
│ │ │ │ └── [email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ └── [email protected] deduped
│ │ ├── @typescript-eslint/[email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ └─┬ @typescript-eslint/[email protected]
│   ├── @eslint-community/[email protected] deduped
│   ├── @typescript-eslint/[email protected] deduped
│   ├── @typescript-eslint/[email protected] deduped
│   ├── @typescript-eslint/[email protected] deduped
│   └── [email protected] deduped
├── [email protected]
├─┬ [email protected]
│ ├── @dash14/[email protected]
│ ├── [email protected] deduped
│ ├── [email protected]
│ ├── [email protected]
│ └── [email protected] deduped
├─┬ [email protected]
│ ├── @types/[email protected] deduped
│ ├─┬ [email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ │ └── UNMET OPTIONAL DEPENDENCY @esbuild/[email protected]
│ ├── [email protected]
│ ├── UNMET OPTIONAL DEPENDENCY less@*
│ ├── UNMET OPTIONAL DEPENDENCY lightningcss@^1.21.0
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ ├── [email protected] deduped
│ │ └── [email protected]
│ ├─┬ [email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── UNMET OPTIONAL DEPENDENCY @rollup/[email protected]
│ │ ├── @types/[email protected]
│ │ └── [email protected] deduped
│ ├── UNMET OPTIONAL DEPENDENCY sass@*
│ ├── UNMET OPTIONAL DEPENDENCY stylus@*
│ ├── UNMET OPTIONAL DEPENDENCY sugarss@*
│ └── UNMET OPTIONAL DEPENDENCY terser@^5.4.0
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ └─┬ [email protected]
│ │   └── [email protected]
│ └── [email protected] deduped
├─┬ [email protected]
│ ├── UNMET OPTIONAL DEPENDENCY @edge-runtime/vm@*
│ ├── @types/[email protected] deduped
│ ├── UNMET OPTIONAL DEPENDENCY @vitest/[email protected]
│ ├─┬ @vitest/[email protected]
│ │ ├── @vitest/[email protected] deduped
│ │ ├── @vitest/[email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ @vitest/[email protected]
│ │ ├── @vitest/[email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ └── [email protected] deduped
│ ├─┬ @vitest/[email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └─┬ [email protected]
│ │   ├─┬ @jest/[email protected]
│ │   │ └── @sinclair/[email protected]
│ │   ├── [email protected]
│ │   └── [email protected]
│ ├─┬ @vitest/[email protected]
│ │ └── [email protected]
│ ├── UNMET OPTIONAL DEPENDENCY @vitest/[email protected]
│ ├─┬ @vitest/[email protected]
│ │ ├── [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── @types/[email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ ├─┬ [email protected]
│ │ │ └── [email protected] deduped
│ │ ├── [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected]
│ │ └── [email protected]
│ ├── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected]
│ │ ├── [email protected]
│ │ ├── [email protected]
│ │ ├── [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ ├── [email protected]
│ │ └── [email protected]
│ ├── UNMET OPTIONAL DEPENDENCY happy-dom@*
│ ├── [email protected] deduped
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ ├── [email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ └── [email protected]
│ │ └─┬ [email protected]
│ │   ├── [email protected]
│ │   ├── [email protected] deduped
│ │   └── [email protected] deduped
│ ├─┬ [email protected]
│ │ └── @jridgewell/[email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ ├── [email protected]
│ ├── [email protected]
│ ├─┬ [email protected]
│ │ ├── [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├── [email protected] deduped
│ └─┬ [email protected]
│   ├── [email protected]
│   └── [email protected]
├─┬ [email protected]
│ ├── [email protected] deduped
│ └── [email protected] deduped
├─┬ [email protected]
│ └── [email protected] deduped
├─┬ [email protected]
│ ├── @vue/[email protected] deduped
│ └── [email protected] deduped
├─┬ [email protected]
│ └─┬ [email protected]
│   ├─┬ @vue/[email protected]
│   │ ├── @babel/[email protected] deduped
│   │ ├── [email protected] deduped
│   │ ├── [email protected]
│   │ └── [email protected]
│   └── [email protected]
├─┬ [email protected]
│ ├─┬ @volar/[email protected]
│ │ ├─┬ @volar/[email protected]
│ │ │ └── @volar/[email protected]
│ │ ├── [email protected]
│ │ └── [email protected]
│ ├─┬ @vue/[email protected]
│ │ ├── @volar/[email protected] deduped
│ │ ├── @vue/[email protected] deduped
│ │ ├─┬ @vue/[email protected]
│ │ │ ├── [email protected]
│ │ │ └── [email protected]
│ │ ├── @vue/[email protected] deduped
│ │ ├── [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected]
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├── [email protected] deduped
│ └── [email protected] deduped
├─┬ [email protected]
│ ├─┬ @vue/[email protected]
│ │ ├─┬ @vue/[email protected]
│ │ │ ├── @babel/[email protected] deduped
│ │ │ ├── @vue/[email protected] deduped
│ │ │ ├── [email protected] deduped
│ │ │ ├── [email protected]
│ │ │ └── [email protected] deduped
│ │ └── @vue/[email protected] deduped
│ ├─┬ @vue/[email protected]
│ │ ├─┬ @babel/[email protected]
│ │ │ └─┬ @babel/[email protected]
│ │ │   ├── @babel/[email protected]
│ │ │   └── @babel/[email protected]
│ │ ├── @vue/[email protected] deduped
│ │ ├── @vue/[email protected] deduped
│ │ ├─┬ @vue/[email protected]
│ │ │ ├── @vue/[email protected] deduped
│ │ │ └── @vue/[email protected] deduped
│ │ ├── @vue/[email protected] deduped
│ │ ├── [email protected]
│ │ ├── [email protected] deduped
│ │ ├── [email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ @vue/[email protected]
│ │ ├─┬ @vue/[email protected]
│ │ │ └── @vue/[email protected] deduped
│ │ ├─┬ @vue/[email protected]
│ │ │ ├── @vue/[email protected] deduped
│ │ │ └── @vue/[email protected] deduped
│ │ ├── @vue/[email protected] deduped
│ │ └── [email protected] deduped
│ ├─┬ @vue/[email protected]
│ │ ├── @vue/[email protected] deduped
│ │ ├── @vue/[email protected] deduped
│ │ └── [email protected] deduped
│ ├── @vue/[email protected]
│ └── [email protected] deduped
└─┬ [email protected]
  ├── [email protected] deduped
  ├── UNMET OPTIONAL DEPENDENCY vite-plugin-vuetify@>=1.0.0
  ├── UNMET OPTIONAL DEPENDENCY vue-i18n@^9.0.0
  ├── [email protected] deduped
  └── UNMET OPTIONAL DEPENDENCY webpack-plugin-vuetify@>=2.0.0
@oliverchang
Copy link
Collaborator

Thanks for the report!

Is there any chance you can share the package.json / package-lock.json in your project?

Also, do you have any stale/old node_modules folders inside the project you're scanning which might reference the older version of lodash ?

@mlieberman85
Copy link
Author

Sure, I'll forward it over.

To be sure before running the above tests I deleted node_modules folder inside the project and started over. And doing ripgrep I don't see any reference to the older version of lodash anywhere in the directory.

package-lock.json
package.json

@mlieberman85
Copy link
Author

@oliverchang It looks like the new osv scanner beta that uses scalibr behind the scene returns the same results as npm sbom and then taking that sbom and using it with osv-scanner. It's unclear why the scalibr cli tool generates an SBOM with the wrong stuff.

❯ ~/Downloads/osv-scanner_darwin_arm64 --version
osv-scanner version: 2.0.0-beta1
commit: 7d5fdd7e76ab6188b0be51b6200ff3f37d74e06d
built at: 2025-01-29T03:27:39Z

❯ ~/Downloads/osv-scanner_darwin_arm64 --format vertical .
Scanning dir .
Scanned /Users/mlieberman/Projects/molcajete/.git file and found 1 package
Scanned /Users/mlieberman/Projects/molcajete/package-lock.json file and found 707 packages
/Users/mlieberman/Projects/molcajete/package-lock.json: found 8 packages with issues

  [email protected] has the following known vulnerabilities:
    GHSA-pxg6-pf52-xh8x: cookie accepts cookie name, path, and domain with out of bounds characters (https://osv.dev/GHSA-pxg6-pf52-xh8x)
  [email protected] has the following known vulnerabilities:
    GHSA-3xgq-45jj-v275: Regular Expression Denial of Service (ReDoS) in cross-spawn (https://osv.dev/GHSA-3xgq-45jj-v275)
  [email protected] has the following known vulnerabilities:
    GHSA-952p-6rrq-rcjv: Regular Expression Denial of Service (ReDoS) in micromatch (https://osv.dev/GHSA-952p-6rrq-rcjv)
  [email protected] has the following known vulnerabilities:
    GHSA-mwcw-c2x4-8c55: Predictable results in nanoid generation when given non-integer values (https://osv.dev/GHSA-mwcw-c2x4-8c55)
  [email protected] has the following known vulnerabilities:
    GHSA-rhx6-c78j-4q9w: Unpatched `path-to-regexp` ReDoS in 0.1.x (https://osv.dev/GHSA-rhx6-c78j-4q9w)
  [email protected] has the following known vulnerabilities:
    GHSA-c76h-2ccp-4975: Use of Insufficiently Random Values in undici (https://osv.dev/GHSA-c76h-2ccp-4975)
  [email protected] has the following known vulnerabilities:
    GHSA-64vr-g452-qvp3: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS (https://osv.dev/GHSA-64vr-g452-qvp3)
    GHSA-9cwx-2883-4wfx: Vite's `server.fs.deny` is bypassed when using `?import&raw` (https://osv.dev/GHSA-9cwx-2883-4wfx)
    GHSA-vg6x-rcgg-rjx6: Websites were able to send any requests to the development server and read the response in vite (https://osv.dev/GHSA-vg6x-rcgg-rjx6)
  [email protected] has the following known vulnerabilities:
    GHSA-5j4c-8p2g-v4jx: ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function (https://osv.dev/GHSA-5j4c-8p2g-v4jx)

  10 known vulnerabilities found in /Users/mlieberman/Projects/molcajete/package-lock.json

@mlieberman85
Copy link
Author

I realized ripgrep by default ignores anything in .gitignore as well as anything under hidden folders, i.e. prefixed with a .

I did find under node_modules/uri-js it has a yarn lockfile with:

lodash@^4.17.4:
  version "4.17.20"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.20.tgz#b44a9b6297bcb698f1c51a3545a2b3b368d59c52"
  integrity sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA==
c52"

However, npm should respect only what's in my package-lock.json over a dependencies lockfile?

If that's the case is there a way to get scalibr to ignore stuff like that?

@G-Rath G-Rath mentioned this issue Jan 29, 2025
Merged
@G-Rath
Copy link
Collaborator

G-Rath commented Jan 29, 2025

fwiw I have no idea if that is actually the issue, but you have reminded me that while working on other scalibr stuff I noticed the package-lock.json extractor does purposely skip locks in node_modules while the Yarn and PNPM extractors do not - I've opened PRs to "fix" that.

@G-Rath
Copy link
Collaborator

G-Rath commented Jan 29, 2025

@mlieberman85 you should be able to confirm if that's the issue by manually removing the yarn.lock lockfile

@rhdesmond
Copy link
Contributor

rhdesmond commented Jan 30, 2025
edited
Loading

If that's the case is there a way to get scalibr to ignore stuff like that?

You can configure the extractors to run with the respective flag: --extractors "javascript/packagelockjson".

As use cases become more specific, you can use this to hone down your results. For example, in Artifact Analysis registry scanning we only use javascript/packagejson for scanning NPM packages.

@G-Rath
Copy link
Collaborator

G-Rath commented Jan 30, 2025
edited
Loading

sorry, I didn't think my phrasing had linked this issue with my pull request but apparently it did - I don't think this should be closed unless someone can confirm that my change does actually fix the problem

@G-Rath G-Rath reopened this Jan 30, 2025
@mlieberman85
Copy link
Author

I will try and test this out shortly and get back to you.

@mlieberman85
Copy link
Author

So, --extractors "javascript/packagelockjson" does fix the issue.

It's hard for me to test by deleting the yarn.lock as the lodash issue was just one of about 1000 packages that seemed to be false positives. Switching to just the packagelockjson extractor does fix it though.

This might be a separate issue/request but is there the ability to configure this flag via a config file for a project? If this doesn't already exist I can open a issue.

@rhdesmond
Copy link
Contributor

rhdesmond commented Jan 31, 2025
edited
Loading

I've created an issue internally but we haven't had bandwidth to implement it yet. Please file an issue! I will link/mention it on the existing one internally.

@G-Rath
Copy link
Collaborator

G-Rath commented Jan 31, 2025

@mlieberman85 fwiw you should be able to do a looped delete of all yarn.lock and pnpm-lock.yaml files in the node_modules directory.

E.g. this should do it

find -type f -name '*yarn.lock*' -delete
find -type f -name '*pnpm-lock.yaml*' -delete

If the output is still not what you're expecting, then there's something else going on we should dig into

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(yarnlock): ignore yarn.lock files in node_modules ackama/osv-scalibr
4 participants
@mlieberman85 @oliverchang @G-Rath @rhdesmond