Merge pull request #37 from snyk/fix/prevent-crash-when-checking-dev-deps

james-snyk · web-flow · commit cd0c3c8cd626 · 2025-11-11T12:58:16.000Z
fix: prevent crash when Poetry project has dependency groups without dev
diff --git a/lib/parsers/v2Parser.ts b/lib/parsers/v2Parser.ts
@@ -43,16 +43,16 @@ export class V2Parser implements Parser {
   getAllDevDependencyNames(): string[] {
     // pre-v1.2.0 naming convention
     const devDepsProperty = Object.keys(
-      this.manifest.tool?.poetry.group?.dev.dependencies ?? [],
+      this.manifest.tool?.poetry?.group?.dev?.dependencies ?? [],
     );
     const legacyDevDepsProperty = Object.keys(
-      this.manifest.tool?.poetry['dev-dependencies'] ?? [],
+      this.manifest.tool?.poetry?.['dev-dependencies'] ?? [],
     );
     // post-v1.2.0 dependency groups
     // https://python-poetry.org/docs/master/managing-dependencies
     // we will handle all tool.poetry.group.<group> as dev-deps
-    const groupDevDepsProperty = this.manifest.tool?.poetry.group
-      ? this.getGroupDevDepNames(this.manifest.tool?.poetry.group)
+    const groupDevDepsProperty = this.manifest.tool?.poetry?.group
+      ? this.getGroupDevDepNames(this.manifest.tool?.poetry?.group)
       : [];
 
     return [
diff --git a/test/fixtures/v2/scenarios/group-extras-no-dev/poetry.lock b/test/fixtures/v2/scenarios/group-extras-no-dev/poetry.lock
diff --git a/test/fixtures/v2/scenarios/group-extras-no-dev/pyproject.toml b/test/fixtures/v2/scenarios/group-extras-no-dev/pyproject.toml
@@ -0,0 +1,22 @@
+[project]
+name = "myPkg"
+version = "1.42.2"
+description = ""
+authors = [
+    {name = "Your Name",email = "you@example.com"}
+]
+readme = "README.md"
+requires-python = ">=3.11"
+dependencies = [
+    "six (>=1.17.0,<2.0.0)"
+]
+
+
+[build-system]
+requires = ["poetry-core>=2.0.0,<3.0.0"]
+build-backend = "poetry.core.masonry.api"
+
+[tool.poetry.group.extras.dependencies]
+plotly = "^5.17.0"
+
+
diff --git a/test/poetry-v2.test.ts b/test/poetry-v2.test.ts
@@ -295,6 +295,26 @@ describe('buildDepGraph', () => {
     ).equals(expectedGraph);
     expect(isEqual).toBe(true);
   });
+
+  it('should not crash when group.extras exists but group.dev does not', () => {
+    const includeDevDependencies = true;
+    const expectedGraph = depGraphBuilder
+      .addPkgNode({ name: 'six', version: '1.17.0' }, 'six', {
+        labels: { scope: 'prod' },
+      })
+      .connectDep(depGraphBuilder.rootNodeId, 'six')
+      .addPkgNode({ name: 'plotly', version: '5.17.0' }, 'plotly', {
+        labels: { scope: 'dev' },
+      })
+      .connectDep(depGraphBuilder.rootNodeId, 'plotly')
+      .build();
+
+    const isEqual = depGraphForScenarioAt(
+      'fixtures/v2/scenarios/group-extras-no-dev',
+      includeDevDependencies,
+    ).equals(expectedGraph);
+    expect(isEqual).toBe(true);
+  });
 });
 
 function depGraphForScenarioAt(
