fix: add version field to internal workspace packages to enable ORT analyzer #1959

Open
willebra wants to merge 1 commit into doubleopen-io:main from willebra:fix/ort-npm-workspace-versions

Conversation

@willebra (Member)

Summary

  • Adds "version": "0.0.0" to the five internal workspace packages that had no version field: common-helpers, database, s3-helpers, spdx-validation, validation-helpers

Why

ORT's NPM analyzer builds package identifiers as NPM::<name>:<version>. Without a version field the identifier
becomes e.g. NPM::common-helpers: (empty version), which ORT cannot match to any resolved package — causing the
analyzer job to fail entirely with:

The following references do not actually refer to packages: 'NPM::common-helpers:', 'NPM::database:', 'NPM::s3-helpers:', 'NPM::spdx-validation:', 'NPM::validation-helpers:'

0.0.0 is the standard convention for private, unpublished monorepo packages. Since none of these are published to a registry, the version value is arbitrary — ORT just needs it to be non-empty.

Verification

Fix was validated by re-running ORT analysis against this branch. The analyzer completed successfully with no recurrence of the missing-package-reference error.
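The identifier derivation described in the PR body, as an added example that is not code from the doubleopen-io repository or from ORT itself. It reconstructs an ORT-style `NPM:<namespace>:<name>:<version>` identifier from a package.json object, lints a set of workspace packages for the empty-version case, and produces a fixed copy with `"version": "0.0.0"` added only where the field is absent. The workspace contents are constructed for the example (the five package names come from the PR; the scoped `@doubleopen/app` package and all paths are invented), and the treatment of an npm scope as the ORT namespace is an assumption inferred from the shape of the error message, not something the page states.

```javascript
// Added example, not code from the doubleopen-io project or from ORT.
// Reconstructs the ORT-style NPM identifier and lints workspace packages
// for the empty-version failure described in PR #1959.

// Assumption: the identifier is NPM:<namespace>:<name>:<version>, where a
// scoped package "@scope/name" contributes "@scope" as namespace and an
// unscoped package leaves it empty, which yields "NPM::common-helpers:"
// when the version is also empty.
function ortNpmId(pkg) {
  const name = typeof pkg.name === "string" ? pkg.name : "";
  const version = typeof pkg.version === "string" ? pkg.version.trim() : "";
  let namespace = "";
  let bareName = name;
  if (name.startsWith("@") && name.includes("/")) {
    const slash = name.indexOf("/");
    namespace = name.slice(0, slash);
    bareName = name.slice(slash + 1);
  }
  return `NPM:${namespace}:${bareName}:${version}`;
}

// True when the version field is missing, not a string, or blank.
function hasEmptyVersion(pkg) {
  return !(typeof pkg.version === "string" && pkg.version.trim() !== "");
}

// Report every package whose identifier would carry an empty version.
function findEmptyVersions(packages) {
  return Object.entries(packages)
    .filter(([, pkg]) => hasEmptyVersion(pkg))
    .map(([path, pkg]) => ({ path, id: ortNpmId(pkg) }));
}

// Return a copy with "version": "0.0.0" (the private-package convention the
// PR uses) only where the field is absent; packages that already carry a
// real version are returned unchanged.
function withDefaultVersion(pkg, fallback = "0.0.0") {
  if (!hasEmptyVersion(pkg)) return pkg;
  return { ...pkg, version: fallback };
}

// Lint a whole workspace (path -> parsed package.json) and build the same
// message shape the analyzer reports, so the check can be run before ORT.
function lintWorkspace(workspace) {
  const missing = findEmptyVersions(workspace);
  const fixed = Object.fromEntries(
    Object.entries(workspace).map(([path, pkg]) => [path, withDefaultVersion(pkg)])
  );
  const message = missing.length
    ? "The following references do not actually refer to packages: " +
      missing.map((m) => `'${m.id}'`).join(", ")
    : "";
  return { missing, fixed, message };
}

// Constructed workspace for the example: the five packages from the PR with
// no version field, plus one scoped, versioned package (name and path invented).
const WORKSPACE = {
  "packages/common-helpers/package.json": { name: "common-helpers", private: true },
  "packages/database/package.json": { name: "database", private: true },
  "packages/s3-helpers/package.json": { name: "s3-helpers", private: true },
  "packages/spdx-validation/package.json": { name: "spdx-validation", private: true },
  "packages/validation-helpers/package.json": { name: "validation-helpers", private: true },
  "apps/app/package.json": { name: "@doubleopen/app", version: "1.2.3", private: true },
};

const result = lintWorkspace(WORKSPACE);
if (result.message) {
  console.log(result.message);
  for (const m of result.missing) {
    console.log(`${m.path}: would be patched to version ${result.fixed[m.path].version}`);
  }
} else {
  console.log("all workspace packages carry a non-empty version");
}
```

To apply this to a real checkout, replace `WORKSPACE` with the parsed package.json files under the root package's `workspaces` globs and write `result.fixed[path]` back for each entry in `result.missing`; the check is deliberately restricted to adding a missing field, so it never rewrites a version that a published package already has.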

willebra requested a review from a team as a code owner April 22, 2026 11:18
willebra temporarily deployed to unittest-environment April 22, 2026 11:18

@willebra (Member, Author)

I guess the Playwright test fails due to no access to some secrets on my end.

@sschuberth (Member) commented Apr 22, 2026

> The following references do not actually refer to packages:

Actually, I don't believe that adding a (dummy) version will help us getting rid of that issue. Instead, we should wait for an ORT release that includes oss-review-toolkit/ort#11704 and upgrade the ORT Server to it, and rerun the analysis. Also see oss-review-toolkit/ort#9699.

@willebra (Member, Author)

@sschuberth (Member)

> See: https://compliance.doubleopen.io/organizations/75/products/81/repositories/495/runs/2

Interesting, that's somewhat unexpected. Let's be clear on that: There's nothing wrong with omitting the version for unpublished projects. So specifying the version works around a bug in ORT, and ideally it should be fixed in ORT.

@willebra (Member, Author)

I think the strength in this AI agent fixing approach is twofold: first, it finds quick fixes for users who are not analyzer experts, and second, it generates a knowledge base of the fixes, enabling fixing bugs and other analyzer improvements.

@sschuberth (Member)

What's the reason for not adding version also to the remaining packages/tsconfig/package.json?


2 participants