From c4f5a6454d9f104eb92f17b60ab17a422facf90f Mon Sep 17 00:00:00 2001
From: Tom Richards
Date: Tue, 13 Jun 2023 14:05:35 +0100
Subject: [PATCH] attempt to surface JSPM dependencies in package.json and wire-up Snyk job to use this workaround

---
 .github/workflows/snyk.yml | 14 +++++++-
 .gitignore | 2 ++
 .../jspm-snyk-workaround.js | 32 +++++++++++++++++++
 v1_jspm_snyk_workaround/package.json | 5 +++
 4 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 v1_jspm_snyk_workaround/jspm-snyk-workaround.js
 create mode 100644 v1_jspm_snyk_workaround/package.json

diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
index 92100ebc46f..d63c598c265 100644
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@@ -9,10 +9,22 @@ on:
 jobs:
-  security:
+  security-scala-and-V2:
     uses: guardian/.github/.github/workflows/sbt-node-snyk.yml@main
     with:
       ORG: guardian
       JAVA_VERSION: 8
+      EXCLUDE: package-lock.json # exclude V1, since it has its own special job below (because of JSPM)
+    secrets:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+  security-V1-only:
+    uses: guardian/.github/.github/workflows/sbt-node-snyk.yml@main
+    with:
+      ORG: guardian
+      JAVA_VERSION: 8
+      EXCLUDE: fronts-client # exclude V2, since it's captured by the main job above
+      SKIP_SBT: true # exclude scala, since it's captured by the main job above
+      NODE_PACKAGE_JSON_FILES_MISSING_LOCK: v1_jspm_snyk_workaround/package.json v1_jspm_snyk_workaround/result/package.json
     secrets:
       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.gitignore b/.gitignore
index 9106cd4ec4a..cfc68367171 100644
--- a/.gitignore
+++ b/.gitignore
@@ -60,3 +60,5 @@ metals.sbt
 .bloop
 .bsp
+v1_jspm_snyk_workaround/package-lock.json
+v1_jspm_snyk_workaround/result
diff --git a/v1_jspm_snyk_workaround/jspm-snyk-workaround.js b/v1_jspm_snyk_workaround/jspm-snyk-workaround.js
new file mode 100644
index 00000000000..0f1520490a8
--- /dev/null
+++ b/v1_jspm_snyk_workaround/jspm-snyk-workaround.js
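Review bot: The `NODE_PACKAGE_JSON_FILES_MISSING_LOCK` line of the new `security-V1-only` job points Snyk at `v1_jspm_snyk_workaround/result/package.json`, which is not checked in (the `.gitignore` hunk ignores `result`) and only comes into existence when the `preinstall` hook in `v1_jspm_snyk_workaround/package.json` runs; if the reusable `sbt-node-snyk.yml` workflow scans before it runs `npm install` in that directory the scan will silently cover only the stub file, which I cannot confirm from this diff. A comment on that line would save the next reader the detour: `# result/package.json is generated by the preinstall hook in v1_jspm_snyk_workaround; the scan is only meaningful after npm install has run there`. Both jobs also reference the reusable workflow at the mutable `@main` ref, so the scan's behaviour can change without a commit in this repository; pinning to a tag or commit SHA would make it reproducible.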
@@ -0,0 +1,32 @@
+const fs = require("fs");
+
+const outputDirName = "result"
+const outputPath = `${outputDirName}/package.json`;
+
+const packageJson = JSON.parse(String(fs.readFileSync("../package.json")));
+
+const jspmDependencies = Object.fromEntries(
+  Object.values(packageJson.jspm.dependencies) // values because we don't care about what JSPM called them (i.e. the keys)
+    .filter(_ => !_.includes("systemjs"))
+    .map(jspmDepString => {
+      const [source, nameAtVersion] = jspmDepString.split(":");
+      const [name, version] = nameAtVersion.split("@");
+      return [
+        name.split("/").slice(-1), // last part (e.g. 'fastselect' if 'dbrekalo/fastselect')
+        source === "github" ? `git+/~https://github.com/${name}.git#${version}` : version
+      ]
+    })
+);
+
+const newPackageJson = {
+  ...packageJson,
+  dependencies: {
+    ...packageJson.dependencies,
+    ...jspmDependencies
+  }
+};
+
+fs.mkdirSync(outputDirName, {recursive: true});
+fs.writeFileSync(outputPath, JSON.stringify(newPackageJson, null, 2));
+
+console.log(`Wrote alternate package.json for V1 to v1_jspm_workaround/${outputPath} , which surfaces the JSPM dependencies`)
diff --git a/v1_jspm_snyk_workaround/package.json b/v1_jspm_snyk_workaround/package.json
new file mode 100644
index 00000000000..fc6912db5a0
--- /dev/null
+++ b/v1_jspm_snyk_workaround/package.json
@@ -0,0 +1,5 @@
+{
+  "scripts": {
+    "preinstall": "node jspm-snyk-workaround.js"
+  }
+}
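Review bot: The key built on the `name.split("/").slice(-1)` line is a one-element array rather than a string; `Object.fromEntries` only produces the intended dependency name because it stringifies the array, so `.pop()` (or `.at(-1)` if the Node version supports it) should be used instead. The `nameAtVersion.split("@")` destructure on the line above also yields an empty name and the wrong version for any scoped npm entry such as `npm:@scope/pkg@1.2.3`, which would corrupt the package.json that Snyk scans; I cannot see the JSPM dependency list, so this may not bite today, but splitting on the last `@` is no more code. The final `console.log` names `v1_jspm_workaround/` while the directory added by this commit is `v1_jspm_snyk_workaround/`. Semicolons are missing on the `outputDirName`, closing `]` and `console.log` lines although the rest of the file uses them.
```javascript
    .map(jspmDepString => {
      const [source, nameAtVersion] = jspmDepString.split(":");
      // split on the LAST "@" so scoped names ("@scope/pkg@1.2.3") keep their scope
      const at = nameAtVersion.lastIndexOf("@");
      const name = at > 0 ? nameAtVersion.slice(0, at) : nameAtVersion;
      const version = at > 0 ? nameAtVersion.slice(at + 1) : undefined;
      return [
        name.split("/").pop(), // last path segment as a string (e.g. 'fastselect' for 'dbrekalo/fastselect')
        source === "github" ? `git+/~https://github.com/${name}.git#${version}` : version
      ];
    })
// … unchanged: newPackageJson merge, mkdirSync/writeFileSync …
```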