From ff8cf8dde8df58c3d2419f1ac0436b99d4215141 Mon Sep 17 00:00:00 2001
From: sseth
Date: Fri, 7 Feb 2025 10:42:25 +0530
Subject: [PATCH] Filter yarn deps to direct deps for main package

When creating the dependency list for the main package in yarn.lock parsing, filter to only include direct dependencies from package.json. This ensures the dependency graph accurately represents direct vs transitive dependencies. Previously all dependencies were being added as direct dependencies for the main package, which was incorrect. Now we read package.json to determine which dependencies are actually direct dependencies.

Signed-off-by: Sahil Seth
Signed-off-by: sseth
---
 lib/cli/index.js | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/lib/cli/index.js b/lib/cli/index.js
index af2de430c..955954ce5 100644
--- a/lib/cli/index.js
+++ b/lib/cli/index.js
@@ -2873,9 +2873,15 @@ export async function createNodejsBom(path, options) {
 }
 const rdeplist = [];
 if (parsedList.dependenciesList && parsedList.dependenciesList) {
+ // copyright (c) 2025 Atlassian US, Inc.
+ // First read package.json to get direct dependencies
+ const pkgData = JSON.parse(readFileSync(packageJsonF, "utf8"));
+ const directDeps = {
+ ...(pkgData.dependencies || {}),
+ ...(pkgData.devDependencies || {}),
+ };
 // Inject parent component to the dependency tree to make it complete
- // In case of yarn, yarn list command lists every root package as a direct dependency
- // The same logic is matched with this for loop although this is incorrect since even dev dependencies would get included here
+ // Add only direct dependencies to the dependency tree of the parent component
 for (const dobj of parsedList.dependenciesList) {
 rdeplist.push(dobj.ref);
 }
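Review bot: The added `JSON.parse(readFileSync(packageJsonF, "utf8"))` is unguarded, so a missing or malformed package.json now throws out of the yarn.lock branch, which before this change did not depend on that file; wrap the read in try/catch and, on failure, log a warning and skip the direct-dependency filtering rather than aborting the BOM. The merged map covers only `dependencies` and `devDependencies`, so direct `optionalDependencies` (and `peerDependencies`) declared in package.json will later be filtered out of the parent's dependsOn; add `...(pkgData.optionalDependencies || {}),` alongside the other spreads. The `// copyright (c) 2025 Atlassian US, Inc.` line inside a function body is unusual; if it is needed, a file-level header is the conventional place. createNodejsBom starts and ends outside the hunk, and `readFileSync` and `packageJsonF` are assumed to be in scope there.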
@@ -2892,7 +2898,10 @@ export async function createNodejsBom(path, options) {
 ).toString();
 parsedList.dependenciesList.push({
 ref: decodeURIComponent(ppurl),
- dependsOn: [...new Set(rdeplist)].sort(),
+ dependsOn: rdeplist.filter(ref => {
+ const pkgName = ref.split('/')[1].split('@')[0];
+ return directDeps.hasOwnProperty(pkgName);
+ }).sort(),
 });
 }
 dependencies = mergeDependencies(
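Review bot: The name extraction `ref.split('/')[1].split('@')[0]` does not handle scoped packages: for an npm purl such as `pkg:npm/%40scope/name@1.0.0` (or the `@scope/name` form) index 1 is the scope segment, so the derived name never matches a package.json key and every scoped direct dependency is dropped from the parent's dependsOn, and any `?qualifiers` would leak into the name as well. The deduplication done by `[...new Set(rdeplist)]` on the removed line is also lost, and `directDeps.hasOwnProperty` can be shadowed because directDeps is built by spreading package.json keys — `Object.hasOwn(directDeps, pkgName)` (or `Object.prototype.hasOwnProperty.call`) avoids that. `directDeps` is declared in the earlier hunk inside the `if` block, so this hunk presumably still sits in that block; createNodejsBom continues on both sides of the hunk. The rewrite below assumes the refs are npm purls, as the existing `decodeURIComponent(ppurl)` handling suggests.
```javascript
        dependsOn: [...new Set(rdeplist)]
          .filter((ref) => {
            // purl: pkg:npm/[%40scope/]name@version[?qualifiers][#subpath]
            const pkgPath = decodeURIComponent(
              ref.replace(/^pkg:npm\//, "").split(/[?#]/)[0],
            );
            const at = pkgPath.lastIndexOf("@");
            const pkgName = at > 0 ? pkgPath.slice(0, at) : pkgPath;
            return Object.hasOwn(directDeps, pkgName);
          })
          .sort(),
```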