Description
When attempting to use capycli getdependencies javascript on a project that utilizes npm workspaces, the command fails with a KeyError: 'version'. This occurs specifically when package-lock.json contains entries for linked packages, which do not have a version attribute.
capycli getdependencies javascript -i package-lock.json -o bom.json
Traceback:
CaPyCli, 2.10.0 - Determine Javascript components/dependencies
Reading input file package-lock.json
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "C:\Users\zzz\AppData\Local\Programs\Python\Python313\Scripts\capycli.exe\__main__.py", line 6, in <module>
sys.exit(main())
~~~~^^
File "C:\Users\zzz\AppData\Local\Programs\Python\Python313\Lib\site-packages\capycli\main\cli.py", line 28, in main
app.run(argv)
~~~~~~~^^^^^^
File "C:\Users\zzz\AppData\Local\Programs\Python\Python313\Lib\site-packages\capycli\main\application.py", line 159, in run
self._run(argv)
~~~~~~~~~^^^^^^
File "C:\Users\zzz\AppData\Local\Programs\Python\Python313\Lib\site-packages\capycli\main\application.py", line 138, in _run
handle_dependencies.run_dependency_command(self.options)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
File "C:\Users\zzz\AppData\Local\Programs\Python\Python313\Lib\site-packages\capycli\dependencies\handle_dependencies.py", line 57, in run_dependency_command
app3.run(args)
~~~~~~~~^^^^^^
File "C:\Users\zzz\AppData\Local\Programs\Python\Python313\Lib\site-packages\capycli\dependencies\javascript.py", line 322, in run
sbom = self.convert_package_lock(args.inputfile)
File "C:\Users\zzz\AppData\Local\Programs\Python\Python313\Lib\site-packages\capycli\dependencies\javascript.py", line 164, in convert_package_lock
sbom = self.get_dependency_lockversion3(data, bom)
File "C:\Users\zzz\AppData\Local\Programs\Python\Python313\Lib\site-packages\capycli\dependencies\javascript.py", line 118, in get_dependency_lockversion3
LOG.debug("Checking dependency: " + modified_key + "," + dep["version"])
~~~^^^^^^^^^^^
KeyError: 'version'
Example of a problematic entry in package-lock.json:
{
  "name": "name",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "node_modules/db": {
      "resolved": "projects/db",
      "link": true
    }
    ...
  }
}
The capycli code, specifically in javascript.py at line 118 within the get_dependency_lockversion3 function, attempts to access dep["version"] without first checking for the existence of this key or handling cases where link: true is present.
It would be beneficial if capycli could check for the presence of "link": true in a dependency entry. If link: true is found, the tool could
For now, simply ignoring entries with "link": true would prevent the KeyError and allow capycli to process the rest of the package-lock.json successfully.
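The following is an added example, not capycli's own code, showing the kind of tolerant walk over a lockfileVersion 3 "packages" map that avoids the KeyError. It goes one step beyond plain skipping: a link entry carries no version, but its "resolved" value is the path of the workspace package inside the same lock file, so the version can be read from that target entry when it exists. The sample lock file embedded below is constructed for the example, and the function names (collect_dependencies, name_from_key) are hypothetical.

```python
"""Tolerant walk over a lockfileVersion 3 package-lock.json "packages" map.

Added example; not part of capycli. The sample data below is constructed.
"""
import json

# Constructed sample: one registry dependency, one workspace package
# ("projects/db"), the npm link entry that points at it (no "version" key,
# exactly the shape reported in the issue) and one malformed entry.
SAMPLE_LOCK = {
    "name": "name",
    "version": "1.0.0",
    "lockfileVersion": 3,
    "requires": True,
    "packages": {
        "": {"name": "name", "version": "1.0.0", "workspaces": ["projects/*"]},
        "projects/db": {"name": "db", "version": "0.1.0"},
        "node_modules/db": {"resolved": "projects/db", "link": True},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
        "node_modules/broken": {"resolved": "somewhere"},
    },
}


def name_from_key(key: str) -> str:
    """Package name from a nested lock key: 'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return key.rsplit("node_modules/", 1)[-1]


def collect_dependencies(lock: dict, resolve_links: bool = True):
    """Return (components, skipped).

    components: list of {"name", "version", "kind"}; kind is "registry" for a
    normal entry or "workspace" for a link entry whose target was found in
    the same lock file.
    skipped: list of (key, reason) for entries without a usable version,
    instead of raising KeyError on dep["version"].
    """
    packages = lock.get("packages", {})
    components, skipped = [], []
    for key, entry in packages.items():
        # The root project ("") and workspace source dirs are first-party
        # code, not installed dependencies; only node_modules entries count.
        if "node_modules/" not in key:
            continue
        name = entry.get("name") or name_from_key(key)
        if entry.get("link"):
            # npm writes link entries without "version"; "resolved" is the
            # lock-relative path of the linked package.
            target_entry = packages.get(entry.get("resolved", ""), {})
            if resolve_links and "version" in target_entry:
                components.append({
                    "name": target_entry.get("name", name),
                    "version": target_entry["version"],
                    "kind": "workspace",
                })
            else:
                skipped.append((key, "link entry without resolvable version"))
            continue
        version = entry.get("version")
        if not version:
            skipped.append((key, "no version"))
            continue
        components.append({"name": name, "version": version, "kind": "registry"})
    return components, skipped


def load_lock(path: str) -> dict:
    """Read a package-lock.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    comps, skipped = collect_dependencies(SAMPLE_LOCK)
    for c in comps:
        print(f'{c["kind"]:9} {c["name"]}@{c["version"]}')
    for key, reason in skipped:
        print(f"skipped   {key}: {reason}")
```

With resolve_links=False the function degrades to the "simply ignore link entries" behaviour proposed above, reporting the skipped keys so a reviewer can see which workspace packages were left out of the resulting BOM rather than silently dropping them.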