
fix: CJS Module Lexer replaced by merve #268

Open
richardlau wants to merge 1 commit into main from merve

@richardlau
Member

Update the checker to account for CJS Module Lexer gradually being replaced with merve.


Currently broken for the release lines where the replacement has already happened, e.g.
https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/22383732503/job/64790456705#step:6:15

```
Traceback (most recent call last):
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 261, in <module>
    exit(main())
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 234, in main
    list() if gh_token is None else query_ghad(dependencies, gh_token, repo_path)
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 113, in query_ghad
    dep_version = dep.version_parser(repo_path)
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/versions_parser.py", line 53, in get_cjs_lexer_version
    return get_package_json_version(repo_path / "deps/cjs-module-lexer/src/package.json")
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/versions_parser.py", line 8, in get_package_json_version
    with open(path, "r") as f:
FileNotFoundError: [Errno 2] No such file or directory: '../node/deps/cjs-module-lexer/src/package.json'
Error: Process completed with exit code 1.
```
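
An added example (not code from this repository or the PR): one way a version parser can tolerate a dependency that is missing from a release line, as in the traceback above, while still failing loudly when the dependency is vendored but its manifest is unreadable. The `cjs-module-lexer` path is the one from the traceback; `example-dep`, the helper names and the version numbers are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path
from typing import Callable, Dict, Optional


class VersionParseError(Exception):
    """Dependency is vendored but its version could not be read."""


def package_json_version(repo: Path, dep_dir: str, manifest: str) -> Optional[str]:
    root = repo / dep_dir
    if not root.is_dir():
        return None  # not vendored in this release line: skip, do not crash
    try:
        version = json.loads((root / manifest).read_text(encoding="utf-8"))["version"]
    except (OSError, ValueError, KeyError, TypeError) as exc:
        # Vendored but unreadable: fail so it is never silently left unchecked.
        raise VersionParseError(f"{dep_dir}/{manifest}: no readable version") from exc
    if not isinstance(version, str) or not version:
        raise VersionParseError(f"{dep_dir}/{manifest}: empty or non-string version")
    return version


# cjs-module-lexer path is the one in the traceback; "example-dep" is hypothetical.
PARSERS: Dict[str, Callable[[Path], Optional[str]]] = {
    "cjs-module-lexer": lambda r: package_json_version(r, "deps/cjs-module-lexer", "src/package.json"),
    "example-dep": lambda r: package_json_version(r, "deps/example-dep", "package.json"),
}


def collect_versions(repo: Path) -> Dict[str, str]:
    """Versions of the dependencies actually present in this checkout."""
    versions = {name: parser(repo) for name, parser in PARSERS.items()}
    return {name: v for name, v in versions.items() if v is not None}


def write_manifest(repo: Path, rel: str, body: str) -> None:
    path = repo / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed checkouts
        old, new = Path(tmp, "old"), Path(tmp, "new")
        write_manifest(old, "deps/cjs-module-lexer/src/package.json", '{"version": "1.0.0"}')
        write_manifest(new, "deps/example-dep/package.json", '{"version": "2.1.0"}')
        print(collect_versions(old), collect_versions(new))
```
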

Update the checker to account for CJS Module Lexer gradually being
replaced with merve.
),
"merve": Dependency(
version_parser=vp.get_merve_version,
cpe=None,
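
Review bot: `version_parser=vp.get_merve_version` on the new `"merve"` entry should not raise on release lines that do not ship merve yet. The description calls the replacement gradual, and the traceback there shows `get_cjs_lexer_version` ending the whole run with `FileNotFoundError` when its `package.json` is missing, so both parsers need to handle an absent directory, or the entry needs to be skipped for that release line. On `cpe=None`: the excerpt ends before any other identifier for this entry is visible, so it is worth confirming that advisories for merve can still be matched without a CPE.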
Member Author

@nodejs/security-wg Is this correct? I based this on the "CJS Module Lexer" mapping, which also has cpe=None.
