aquasecurity/trivy

fix(nodejs): silently skip package.json files with invalid names

Open

#10607 opened on May 1, 2026

good first issue

Description

Discussed in https://github.com/aquasecurity/trivy/discussions/10599

Summary

Trivy logs a DEBUG warning when parsing package.json files that have a slash in the name field (e.g. "name": "rxjs/ajax"). The scan is not affected, but the warning is misleading — these files should be silently skipped instead.

Background

Before Node.js introduced the exports field, libraries used subdirectory package.json files to guide bundlers to the correct CJS/ESM entry point. For example, node_modules/rxjs/ajax/package.json tells webpack/rollup which file to load when a user writes import from 'rxjs/ajax'.

These are not standalone packages:

  • They have no version field
  • They are never published to the npm registry independently
  • They exist solely as module resolution hints

According to the npm docs, name format rules only apply when publishing to the registry — so a slash in name is technically valid for an unpublished file.

Current behavior

Trivy skips these files but logs a DEBUG warning for each one:

DEBUG   Walk error  file_path="node_modules/.pnpm/rxjs@6.6.7/node_modules/rxjs/ajax/package.json" err="unable to parse ...: Name can only contain URL-friendly characters"
DEBUG   Walk error  file_path="node_modules/.pnpm/rxjs@6.6.7/node_modules/rxjs/fetch/package.json" err="unable to parse ...: Name can only contain URL-friendly characters"
DEBUG   Walk error  file_path="node_modules/.pnpm/rxjs@6.6.7/node_modules/rxjs/operators/package.json" err="unable to parse ...: Name can only contain URL-friendly characters"

The scan result is not affected, but the noise is misleading — these are not real errors.

Expected behavior

Silently skip such package.json files without logging an error — the same way Trivy already skips package.json files with no name field.

Fix

When IsValidName returns false, return without an error instead of propagating it as a walk error. Packages without an ID are already skipped by the caller, so the file will be silently ignored.
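The skip-without-error behaviour described above, as an added Go example that is not Trivy's code: a minimal package.json parser whose name check mirrors npm's registry rules (the regex is an assumed stand-in for IsValidName, not the project's implementation), plus a walker that drops packages with no ID and records only genuine parse errors. The node_modules layout it scans is constructed inline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// namePattern is an assumed stand-in for the rule Trivy's IsValidName enforces,
// modelled on npm's "new package" name format: lowercase URL-safe characters,
// with a '/' allowed only after an '@scope'. It is not Trivy's code.
var namePattern = regexp.MustCompile(`^(@[a-z0-9~-][a-z0-9._~-]*/)?[a-z0-9~-][a-z0-9._~-]*$`)

// IsValidName reports whether name could be published to the npm registry.
func IsValidName(name string) bool {
	return len(name) <= 214 && namePattern.MatchString(name)
}

// Package is the minimal result a manifest parser hands back; an empty ID
// means "nothing to report" and is skipped by the caller.
type Package struct {
	ID      string
	Name    string
	Version string
}

type packageJSON struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// Parse mirrors the behaviour the issue asks for: a malformed file is still a
// real error, but a file whose name is missing or not registry-valid (a
// module-resolution hint such as rxjs/ajax/package.json) yields an empty
// Package and no error, so the walker stays quiet.
func Parse(data []byte) (Package, error) {
	var pj packageJSON
	if err := json.Unmarshal(data, &pj); err != nil {
		return Package{}, fmt.Errorf("unable to parse package.json: %w", err)
	}
	if pj.Name == "" || !IsValidName(pj.Name) {
		return Package{}, nil // silently skipped, the same path as a missing name
	}
	return Package{ID: pj.Name + "@" + pj.Version, Name: pj.Name, Version: pj.Version}, nil
}

// ScanFiles plays the role of the directory walker: it parses each file in
// path order, keeps packages that have an ID and records only genuine errors.
func ScanFiles(files map[string][]byte) (pkgs []Package, walkErrs []string) {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		pkg, err := Parse(files[p])
		if err != nil {
			walkErrs = append(walkErrs, fmt.Sprintf("Walk error file_path=%q err=%q", p, err))
			continue
		}
		if pkg.ID == "" {
			continue // hint file or nameless manifest: nothing to log
		}
		pkgs = append(pkgs, pkg)
	}
	return pkgs, walkErrs
}

// SampleFiles is a constructed node_modules layout, not taken from a real scan:
// one real package, one scoped package, one resolution hint and one broken file.
var SampleFiles = map[string][]byte{
	"node_modules/rxjs/package.json":          []byte(`{"name":"rxjs","version":"6.6.7"}`),
	"node_modules/rxjs/ajax/package.json":     []byte(`{"name":"rxjs/ajax","main":"./index.js"}`),
	"node_modules/@angular/core/package.json": []byte(`{"name":"@angular/core","version":"12.0.0"}`),
	"node_modules/broken/package.json":        []byte(`{"name": "broken", "version": `),
}

func main() {
	pkgs, errs := ScanFiles(SampleFiles)
	for _, p := range pkgs {
		fmt.Println("found", p.ID)
	}
	for _, e := range errs {
		fmt.Println("DEBUG", e)
	}
}
```

Running it reports rxjs and @angular/core, logs exactly one walk error for the truncated file, and says nothing about rxjs/ajax, which is the distinction the issue wants: a name that only fails the registry format is not a parse failure and should not surface as one.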
