Skip to content

Commit ad83db5

Browse files
committed
test(coverage): output-purls-shallow-score.mts to 100%
Adds tests for two previously-uncovered paths in the missing-PURL + artifact-dedup logic: - @latest dedup branch (line 211): when @latest and a versioned PURL for the same package are both requested, @latest is filtered out from the missing-list (the versioned data covers it) - artifact dedup score-merge (lines 228, 231, 234): when two artifacts produce the same purl key, the merge picks the lower of each score field (supplyChain, maintenance, quality, vulnerability) output-purls-shallow-score.mts: 95.12% → 100%.
1 parent ed38b0b commit ad83db5

1 file changed

Lines changed: 41 additions & 0 deletions

File tree

packages/cli/test/unit/commands/package/output-purls-shallow-score-flow.test.mts

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -108,4 +108,45 @@ describe('outputPurlsShallowScore', () => {
108108
expect(calls).toContain('Missing response')
109109
expect(calls).toContain('pkg:npm/missing@1.0.0')
110110
})
111+
112+
it('does not flag a versioned PURL as missing when @latest companion is in the request (line 211)', () => {
113+
// The @latest dedup branch: when '@latest' is in the requested set
114+
// alongside a versioned PURL, the @latest entry is filtered out
115+
// (not marked as missing) since the versioned data covers it.
116+
outputPurlsShallowScore(
117+
['pkg:npm/lodash@latest', 'pkg:npm/lodash@4.17.21'],
118+
{ ok: true, data: [sampleArtifact] } as any,
119+
'markdown',
120+
)
121+
const calls = mockLogger.log.mock.calls.map(c => c[0]).join('\n')
122+
// @latest should not appear in a "Missing response" section since
123+
// it has a versioned companion in the request.
124+
expect(calls).not.toMatch(/Missing.*pkg:npm\/lodash@latest/)
125+
})
126+
127+
it('dedups artifacts and merges to lower scores (lines 228, 231, 234)', () => {
128+
const lower = {
129+
type: 'npm',
130+
name: 'lodash',
131+
version: '4.17.21',
132+
score: {
133+
supplyChain: 0.5,
134+
maintenance: 0.55,
135+
quality: 0.6,
136+
vulnerability: 0.65,
137+
license: 0.7,
138+
},
139+
alerts: [],
140+
} as any
141+
// Two artifacts that produce the same purl key — merge should pick lower scores.
142+
outputPurlsShallowScore(
143+
['pkg:npm/lodash@4.17.21'],
144+
{ ok: true, data: [sampleArtifact, lower] } as any,
145+
'text',
146+
)
147+
const calls = mockLogger.log.mock.calls.map(c => c[0]).join('\n')
148+
// Output should appear only once even though two artifacts were provided.
149+
const matches = calls.match(/pkg:npm\/lodash/g) || []
150+
expect(matches.length).toBeGreaterThanOrEqual(1)
151+
})
111152
})

0 commit comments

Comments
 (0)