
Allow for null resolved version in package-lock.json #1397

Merged
JamieMagee merged 1 commit into main from users/jamagee/null-version-from-lockfile
May 1, 2025

@JamieMagee
Member

When attempting to scan projects that use npm workspaces [1], there will not be a resolved version in package-lock.json. Currently we throw a NullReferenceException as we attempt to call ToString on this null object. An example of how this appears in the package-lock.json is:

"node_modules/example": {
  "resolved": "scripts",
  "link": true
}

From the npm documentation [2]:

link: A flag to indicate that this is a symbolic link. If this is present, no other fields are specified, since the link target will also be included in the lockfile.

After this change, we will log that the version is null, and continue parsing:

[13:51:57 INF] Version string null for component example is invalid or unsupported and a component will not be recorded.

Footnotes

  1. https://docs.npmjs.com/cli/v11/using-npm/workspaces

  2. https://docs.npmjs.com/cli/v11/configuring-npm/package-lock-json#packages
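
An added example, not code from this pull request or its project: a C# (.NET 7 or later) reader for the lockfile `packages` map that shows where the null dereference described above comes from and a null-safe read that logs and continues. The sample lockfile is constructed, and `LockfileJson`, `NameFromPath` and the use of System.Text.Json are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json.Nodes;

// Constructed sample lockfile (not from the PR): a registry package, a
// workspace link entry with no "version", and the link's target entry.
const string LockfileJson = """
{
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo", "workspaces": ["scripts"] },
    "node_modules/example": { "resolved": "scripts", "link": true },
    "node_modules/left-pad": { "version": "1.3.0" },
    "scripts": { "name": "example", "version": "0.0.1" }
  }
}
""";

var packages = JsonNode.Parse(LockfileJson)!["packages"]!.AsObject();
var recorded = new List<string>();

foreach (var (path, entry) in packages)
{
    if (path.Length == 0 || entry is null) continue; // "" is the root project

    var name = entry["name"]?.GetValue<string>() ?? NameFromPath(path);
    var isLink = entry["link"]?.GetValue<bool>() ?? false;

    // entry["version"] is null for link entries, so calling .ToString() on it
    // directly throws NullReferenceException; read it null-safely instead.
    var version = entry["version"]?.GetValue<string>();
    if (string.IsNullOrWhiteSpace(version))
    {
        Console.WriteLine($"skipped {path}: no version (link={isLink})");
        continue;
    }

    recorded.Add($"{name}@{version}");
}

Console.WriteLine("recorded: " + string.Join(", ", recorded));

// Hypothetical helper: derive the package name from its lockfile path.
static string NameFromPath(string path)
{
    const string marker = "node_modules/";
    var i = path.LastIndexOf(marker, StringComparison.Ordinal);
    return i < 0 ? path : path[(i + marker.Length)..];
}
```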

@JamieMagee JamieMagee requested a review from a team as a code owner May 1, 2025 20:59
@JamieMagee JamieMagee requested a review from chsalgado May 1, 2025 20:59
@codecov
codecov Bot commented May 1, 2025

Codecov Report

Attention: Patch coverage is 0% with 1 line in your changes missing coverage. Please review.

Project coverage is 89.6%. Comparing base (4e23dde) to head (d7fa7d5).

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...ntDetection.Detectors/npm/NpmComponentUtilities.cs | 0.0% | 0 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@           Coverage Diff           @@
##            main   #1397     +/-   ##
=======================================
- Coverage   89.6%   89.6%   -0.1%     
=======================================
  Files        401     401             
  Lines      31821   31821             
  Branches    1964    1965      +1     
=======================================
- Hits       28541   28540      -1     
  Misses      2863    2863             
- Partials     417     418      +1     

@JamieMagee JamieMagee enabled auto-merge (squash) May 1, 2025 22:48
@JamieMagee JamieMagee merged commit 43a7487 into main May 1, 2025
25 of 26 checks passed
@JamieMagee JamieMagee deleted the users/jamagee/null-version-from-lockfile branch May 1, 2025 22:48
@github-actions

github-actions Bot commented May 1, 2025

👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:

  • The detector detects more or fewer components than before
  • The detector generates different parent/child graph relationships than before
  • The detector generates different devDependencies values than before

If none of the above scenarios apply, feel free to ignore this comment 🙂
