fix(deps): update node lockfile parser

[d3vco]

• Ready for review
• Follows CONTRIBUTING rules
• Reviewed by Snyk internal team

What does this PR do?

Resolves TypeScript compilation errors caused by the update of snyk-nodejs-lockfile-parser to ^2.2.3. The lockfile parser update introduced type signature changes that became incompatible with the legacy.depTreeToGraph function in @snyk/dep-graph.

Where should the reviewer start?

• lib/analyzer/applications/node.ts: Look at the modifications to stripUndefinedLabels, depGraphFromNodeModules, and buildDepGraphFromDepTree.
• test/system/application-scans/node.spec.ts: Test file adjustments.

How should this be manually tested?

1. Run npm run build and ensure TypeScript compiles without errors.
2. Run npm run test to verify that the application scans still parse node dependencies and build the graph correctly.

Any background context you want to provide?

Justification for casting types as any:
The snyk-nodejs-lockfile-parser update altered the DepTreeDep interface so that the labels object now supports an Alias type: { [key: string]: string | Alias | undefined }.
However, @snyk/dep-graph's legacy DepTree type expects labels to be strictly { [key: string]: string | undefined }.

Because of this mismatch between the two libraries' typings, passing the parsed PkgTree directly into legacy.depTreeToGraph results in TS2345 errors.

Why it is necessary:
Without updating the upstream @snyk/dep-graph legacy types (which is deprecated and ideally shouldn't be touched), we have to bridge the gap locally. stripUndefinedLabels was updated to handle Record<string, any> so it can strip undefined fields without crashing on Alias values.

Why it will not lead to type issues:
Casting PkgTree to any at the boundary of legacy.depTreeToGraph is safe because @snyk/dep-graph processes the tree at runtime without enforcing strict primitive string type checks on the label values. The Alias information flows through successfully to the DepGraph construction without causing runtime exceptions. By restricting the any cast strictly to the function call arguments (pkgTree as any), we preserve type safety in the rest of the application while appeasing the compiler at the deprecated legacy API boundary.

What are the relevant tickets?

CN-1007

Screenshots

N/A

Additional questions

N/A

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 PR contains tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Potential Runtime Crash 🟠 [major] The PR casts pkgTree and strippedLabelsParserResult to any when calling legacy.depTreeToGraph. As noted in the PR description, the new lockfile parser version introduces an Alias type in labels, but the legacy library expects strictly strings. By bypassing the type system, the code allows Alias objects to reach the legacy consumer. If that library invokes string methods (e.g., .split() or .toLowerCase()) on these label values, it will result in a runtime crash. pkgTree as any, pkgTree.type || "npm", ); Incomplete Label Sanitization 🟡 [minor] The stripUndefinedLabels function is not recursive and only processes the labels field of the root parserResult. Since PkgTree is a recursive structure, any sub-dependencies containing the new Alias type or undefined labels will remain unhandled. This leaves the majority of the dependency tree in an incompatible state for the legacy consumer despite the sanitization of the root node. const optionalLabels = parserResult.labels; const mandatoryLabels: Record<string, any> = {}; if (optionalLabels) { for (const currentLabelName of Object.keys(optionalLabels)) { if (optionalLabels[currentLabelName] !== undefined) { mandatoryLabels[currentLabelName] = optionalLabels[currentLabelName]!; } }

📚 Repository Context Analyzed This review considered 7 relevant code sections from 2 files (average relevance: 0.52) package-lock.json (4 segments, lines 18978-19163) lib/analyzer/applications/node.ts (3 segments, lines 271-522)

[d3vco]

Re: PR Bot's Potential Runtime Crash

The legacy.depTreeToGraph function in @snyk/dep-graph does not currently invoke any string methods that could cause a runtime crash. I ran a test where I took a dep tree with alias objects and successfully converted it with depTreeToGraph and back with graphToDepTree.

However, we are vulnerable to anyone updating the legacy logic and adding a string method. I think it is unlikely anyone decides to change this depreciated part of the code base, but it is a risk.

The long-term fix is to update our code to build a graph rather than a tree.

[ividalATSnyk]

LGTM!

[snyksec]

🎉 This PR is included in version 9.6.3 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀