feat: add pnpm virtual store/node_modules support

parker-snyk · web-flow · commit aa97861e1736 · 2026-01-09T10:09:20.000-05:00
Add support for detecting dependencies in pnpm-based Node.js projects
when scanning container images that did not have a package-lock file

Problem:
When scanning container images containing pnpm projects (like n8n),
dependencies were not being detected in cases where the package-lock was.
This is because pnpm stores packages in a .pnpm/ virtual store directory structure:

  node_modules/.pnpm/&lt;pkg&gt;@&lt;version&gt;/node_modules/&lt;pkg&gt;/package.json

The existing snyk-resolve-deps library expects packages directly at
node_modules/&lt;pkg&gt;/ and doesn't understand pnpm's directory layout.

Solution:
Added tryBuildDepGraphFromPnpmStore() as a fallback that:
1. Detects when .pnpm/ package.json files are present
2. Parses them directly to extract package names and versions
3. Builds a dependency graph from those packages

This runs before snyk-resolve-deps and only activates for pnpm projects.
diff --git a/lib/analyzer/applications/node.ts b/lib/analyzer/applications/node.ts
@@ -1,4 +1,4 @@
-import { DepGraph, legacy } from "@snyk/dep-graph";
+import { DepGraph, DepGraphBuilder, legacy } from "@snyk/dep-graph";
 import * as Debug from "debug";
 import * as path from "path";
 import * as lockFileParser from "snyk-nodejs-lockfile-parser";
@@ -95,6 +95,18 @@ async function depGraphFromNodeModules(
 ): Promise<AppDepsScanResultWithoutTarget[]> {
   const scanResults: AppDepsScanResultWithoutTarget[] = [];
   for (const project of nodeProjects) {
+    // First, try to build dep graph from pnpm virtual store if present
+    const pnpmResult = await tryBuildDepGraphFromPnpmStore(
+      project,
+      filePathToContent,
+      fileNamesGroupedByDirectory,
+    );
+    if (pnpmResult) {
+      scanResults.push(pnpmResult);
+      continue;
+    }
+
+    // Fallback to snyk-resolve-deps for non-pnpm projects
     const { tempDir, tempProjectPath, manifestPath } = await persistNodeModules(
       project,
       filePathToContent,
@@ -159,6 +171,103 @@ async function depGraphFromNodeModules(
   return scanResults;
 }
 
+/**
+ * Builds a dependency graph from pnpm's .pnpm directory.
+ * snyk-resolve-deps doesn't understand pnpm's virtual store structure,
+ * so we parse the package.json files directly.
+ */
+async function tryBuildDepGraphFromPnpmStore(
+  project: string,
+  filePathToContent: FilePathToContent,
+  fileNamesGroupedByDirectory: FilesByDirMap,
+): Promise<AppDepsScanResultWithoutTarget | null> {
+  const projectFiles = fileNamesGroupedByDirectory.get(project);
+  if (!projectFiles) {
+    return null;
+  }
+
+  // Find all package.json files inside .pnpm directories
+  const pnpmPackageJsons = Array.from(projectFiles).filter(
+    (f) => f.includes("/node_modules/.pnpm/") && f.endsWith("/package.json"),
+  );
+  if (pnpmPackageJsons.length === 0) {
+    return null;
+  }
+
+  // Find the root package.json (parent of node_modules/.pnpm)
+  const pnpmMatch = pnpmPackageJsons[0].match(/^(.+?)\/node_modules\/\.pnpm\//);
+  if (!pnpmMatch) {
+    return null;
+  }
+  const rootManifestPath = path.posix.join(pnpmMatch[1], "package.json");
+  const rootManifestContent = filePathToContent[rootManifestPath];
+  if (!rootManifestContent) {
+    return null;
+  }
+
+  let rootPkg: { name?: string; version?: string };
+  try {
+    rootPkg = JSON.parse(rootManifestContent);
+  } catch {
+    return null;
+  }
+  if (!rootPkg.name) {
+    return null;
+  }
+
+  debug(`Building pnpm dep graph for ${rootPkg.name} from .pnpm directory`);
+
+  // Parse all packages from .pnpm and add them as direct dependencies
+  const builder = new DepGraphBuilder(
+    { name: "pnpm" },
+    { name: rootPkg.name, version: rootPkg.version || "0.0.0" },
+  );
+
+  const seen = new Set<string>();
+  for (const pkgJsonPath of pnpmPackageJsons) {
+    const content = filePathToContent[pkgJsonPath];
+    if (!content) {
+      continue;
+    }
+
+    try {
+      const pkg: { name?: string; version?: string } = JSON.parse(content);
+      if (!pkg.name || !pkg.version) {
+        continue;
+      }
+
+      const nodeId = `${pkg.name}@${pkg.version}`;
+      if (seen.has(nodeId)) {
+        continue;
+      }
+      seen.add(nodeId);
+
+      builder.addPkgNode({ name: pkg.name, version: pkg.version }, nodeId);
+      builder.connectDep(builder.rootNodeId, nodeId);
+    } catch {
+      // Skip unparseable files
+    }
+  }
+
+  if (seen.size === 0) {
+    return null;
+  }
+
+  const depGraph = builder.build();
+  debug(`Built pnpm dep graph with ${depGraph.getPkgs().length} packages`);
+
+  return {
+    facts: [
+      { type: "depGraph", data: depGraph },
+      { type: "testedFiles", data: rootManifestPath },
+    ],
+    identity: {
+      type: "pnpm",
+      targetFile: rootManifestPath,
+    },
+  };
+}
+
 async function depGraphFromManifestFiles(
   filePathToContent: FilePathToContent,
   manifestFilePairs: ManifestLockPathPair[],
diff --git a/tslint.json b/tslint.json
@@ -8,6 +8,7 @@
     "no-bitwise": false,
     "max-classes-per-file": false,
     "no-console": false,
-    "variable-name": false
+    "variable-name": false,
+    "no-unnecessary-initializer": false
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@`
`8`	`8`	`"no-bitwise": false,`
`9`	`9`	`"max-classes-per-file": false,`
`10`	`10`	`"no-console": false,`
`11`		`- "variable-name": false`
	`11`	`+ "variable-name": false,`
	`12`	`+ "no-unnecessary-initializer": false`
`12`	`13`	`}`
`13`	`14`	`}`