fix: handle peerDependencies and optionalDependencies consistently across JS providers

JavaScript providers (npm, pnpm, yarn classic, yarn berry) produced inconsistent
dependency analysis results when package.json contains peerDependencies,
optionalDependencies, and devDependencies.

- pnpm: lodash (optionalDependency) was missing because pnpm outputs optional
  deps under a separate "optionalDependencies" key, but addDependenciesToSbom
  and getRootDependencies only read the "dependencies" key.
- Yarn Berry: devDependencies were included in the scan because yarn info has
  no --prod flag and the processor did not filter at root level.
- Yarn Classic: lodash was missing because Manifest.loadDependencies only read
  the "dependencies" key, causing the filter in addDependenciesToSbom to exclude it.
- All yarn providers: minimist (peerDependency) was missing because yarn does not
  include peer deps in its output, and no backfill mechanism existed.

Fixes applied (matching trustify-da-javascript-client approach):
- Manifest: loadDependencies now includes optionalDependencies and peerDependencies
  names. Added peerDependencies and optionalDependencies as Map<String, String> fields.
- JavaScriptProvider: addDependenciesToSbom and getRootDependencies now also read
  the "optionalDependencies" key from dep tree output. Added ensurePeerAndOptionalDeps
  to backfill missing peer/optional deps using declared versions from package.json.
- YarnBerryProcessor: addDependenciesToSbom now filters root node dependencies to
  only include production deps (those in manifest.dependencies).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: soul2zimate

src/main/java/io/github/guacsec/trustifyda/providers/JavaScriptProvider.java

@@ -159,12 +159,18 @@ private Sbom getDependencySbom() throws IOException {
     var sbom = SbomFactory.newInstance();
     sbom.addRoot(manifest.root, readLicenseFromManifest());
     addDependenciesToSbom(sbom, depTree);
+    ensurePeerAndOptionalDeps(sbom);
     sbom.filterIgnoredDeps(manifest.ignored);
     return sbom;
   }
 
   protected void addDependenciesToSbom(Sbom sbom, JsonNode depTree) {
-    var deps = depTree.get("dependencies");
+    addDependenciesFromKey(sbom, depTree, "dependencies");
+    addDependenciesFromKey(sbom, depTree, "optionalDependencies");
+  }
+
+  private void addDependenciesFromKey(Sbom sbom, JsonNode depTree, String key) {
+    var deps = depTree.get(key);
     if (deps == null) {
       return;
     }
@@ -187,6 +193,7 @@ private Sbom getDirectDependencySbom() throws IOException {
         .filter(e -> manifest.dependencies.contains(e.getKey()))
         .map(Entry::getValue)
         .forEach(p -> sbom.addDependency(manifest.root, p, null));
+    ensurePeerAndOptionalDeps(sbom);
     sbom.filterIgnoredDeps(manifest.ignored);
     return sbom;
   }
@@ -195,9 +202,18 @@ private Sbom getDirectDependencySbom() throws IOException {
   // axios -> pkg:npm/axios@0.19.2
   protected Map<String, PackageURL> getRootDependencies(JsonNode depTree) {
     Map<String, PackageURL> direct = new TreeMap<>();
-    depTree
-        .get("dependencies")
-        .fields()
+    addRootDependenciesFromKey(direct, depTree, "dependencies");
+    addRootDependenciesFromKey(direct, depTree, "optionalDependencies");
+    return direct;
+  }
+
+  private void addRootDependenciesFromKey(
+      Map<String, PackageURL> direct, JsonNode depTree, String key) {
+    var node = depTree.get(key);
+    if (node == null) {
+      return;
+    }
+    node.fields()
         .forEachRemaining(
             e -> {
               String name = e.getKey();
@@ -208,7 +224,21 @@ protected Map<String, PackageURL> getRootDependencies(JsonNode depTree) {
                 direct.put(name, purl);
               }
             });
-    return direct;
+  }
+
+  private void ensurePeerAndOptionalDeps(Sbom sbom) {
+    var rootComponent = sbom.getRoot();
+    var depSources = new Map[] {manifest.peerDependencies, manifest.optionalDependencies};
+    for (var source : depSources) {
+      @SuppressWarnings("unchecked")
+      Map<String, String> deps = source;
+      deps.forEach(
+          (name, version) -> {
+            if (!sbom.checkIfPackageInsideDependsOnList(rootComponent, name)) {
+              sbom.addDependency(manifest.root, toPurl(name, version), null);
+            }
+          });
+    }
   }
 
   protected JsonNode buildDependencyTree(boolean includeTransitive) throws JsonProcessingException {

src/main/java/io/github/guacsec/trustifyda/providers/YarnBerryProcessor.java

@@ -24,6 +24,7 @@
 import io.github.guacsec.trustifyda.tools.Operations;
 import java.nio.file.Path;
 import java.util.Map;
+import java.util.Set;
 import java.util.TreeMap;
 import java.util.regex.Pattern;
 
@@ -108,23 +109,38 @@ void addDependenciesToSbom(Sbom sbom, JsonNode depTree) {
     if (depTree == null) {
       return;
     }
+    Set<String> prodDeps = manifest.dependencies;
     depTree.forEach(
         n -> {
           var depName = n.get("value").asText();
-          var from = isRoot(depName) ? sbom.getRoot() : purlFromNode(depName, n);
+          var isRootNode = isRoot(depName);
+          var from = isRootNode ? sbom.getRoot() : purlFromNode(depName, n);
           var deps = (ArrayNode) n.get("children").get("Dependencies");
           if (deps != null && !deps.isEmpty()) {
             deps.forEach(
                 d -> {
                   var target = purlFromlocator(d.get("locator").asText());
                   if (target != null) {
+                    // For root node, only include production dependencies
+                    if (isRootNode) {
+                      var fullName = purlToFullName(target);
+                      if (!prodDeps.contains(fullName)) {
+                        return;
+                      }
+                    }
                     sbom.addDependency(from, target, null);
                   }
                 });
           }
         });
   }
 
+  private static String purlToFullName(PackageURL purl) {
+    return purl.getNamespace() != null
+        ? purl.getNamespace() + "/" + purl.getName()
+        : purl.getName();
+  }
+
   private PackageURL purlFromlocator(String locator) {
     if (locator == null) return null;
     var matcher = LOCATOR_PATTERN.matcher(locator);

src/main/java/io/github/guacsec/trustifyda/providers/javascript/model/Manifest.java

@@ -25,7 +25,9 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
 
 public class Manifest {
@@ -35,6 +37,8 @@ public class Manifest {
   public final String license;
   public final PackageURL root;
   public final Set<String> dependencies;
+  public final Map<String, String> peerDependencies;
+  public final Map<String, String> optionalDependencies;
   public final Set<String> ignored;
   public final Path path;
 
@@ -45,6 +49,8 @@ public Manifest(Path manifestPath) throws IOException {
     }
     var content = loadManifest(manifestPath);
     this.dependencies = loadDependencies(content);
+    this.peerDependencies = loadDependencyMap(content, "peerDependencies");
+    this.optionalDependencies = loadDependencyMap(content, "optionalDependencies");
     this.name = content.get("name").asText();
     this.version = content.get("version").asText();
     this.license = loadLicense(content);
@@ -63,12 +69,29 @@ private JsonNode loadManifest(Path manifestPath) throws IOException {
 
   private Set<String> loadDependencies(JsonNode content) {
     var names = new HashSet<String>();
-    if (content != null && content.has("dependencies")) {
-      content.get("dependencies").fieldNames().forEachRemaining(names::add);
+    if (content != null) {
+      addFieldNames(names, content, "dependencies");
+      addFieldNames(names, content, "optionalDependencies");
+      addFieldNames(names, content, "peerDependencies");
     }
     return Collections.unmodifiableSet(names);
   }
 
+  private void addFieldNames(Set<String> names, JsonNode content, String field) {
+    if (content.has(field)) {
+      content.get(field).fieldNames().forEachRemaining(names::add);
+    }
+  }
+
+  private Map<String, String> loadDependencyMap(JsonNode content, String field) {
+    if (content == null || !content.has(field)) {
+      return Collections.emptyMap();
+    }
+    var map = new HashMap<String, String>();
+    content.get(field).fields().forEachRemaining(e -> map.put(e.getKey(), e.getValue().asText()));
+    return Collections.unmodifiableMap(map);
+  }
+
   private String loadLicense(JsonNode content) {
     if (content == null) {
       return null;

src/test/java/io/github/guacsec/trustifyda/providers/Javascript_Provider_Test.java

@@ -45,7 +45,7 @@ class Javascript_Provider_Test extends ExhortTest {
   // - package.json: the target manifest for testing
   // - expected_sbom.json: the SBOM expected to be provided
   static Stream<String> testFolders() {
-    return Stream.of("deps_with_ignore", "deps_with_no_ignore");
+    return Stream.of("deps_with_ignore", "deps_with_no_ignore", "deps_with_mixed_dep_types");
   }
 
   static Stream<String> providers() {

src/test/java/io/github/guacsec/trustifyda/providers/ManifestTest.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2023-2025 Trustify Dependency Analytics Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.github.guacsec.trustifyda.providers;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import io.github.guacsec.trustifyda.ExhortTest;
+import io.github.guacsec.trustifyda.providers.javascript.model.Manifest;
+import java.io.IOException;
+import java.util.Map;
+import org.junit.jupiter.api.Test;
+
+class ManifestTest extends ExhortTest {
+
+  @Test
+  void loads_manifest_with_mixed_dependency_types() throws IOException {
+    var manifestPath = resolveFile("tst_manifests/npm/deps_with_mixed_dep_types/package.json");
+    var m = new Manifest(manifestPath);
+
+    assertThat(m.name).isEqualTo("mixed-deps-test");
+    assertThat(m.version).isEqualTo("1.0.0");
+
+    // dependencies should include deps, peerDeps, and optionalDeps but NOT devDeps
+    assertThat(m.dependencies).containsExactlyInAnyOrder("express", "axios", "minimist", "lodash");
+    assertThat(m.dependencies).doesNotContain("jest", "eslint");
+
+    // peerDependencies and optionalDependencies maps
+    assertThat(m.peerDependencies).isEqualTo(Map.of("minimist", "1.2.0"));
+    assertThat(m.optionalDependencies).isEqualTo(Map.of("lodash", "4.17.19"));
+
+    assertThat(m.ignored).isEmpty();
+  }
+}

src/test/resources/tst_manifests/npm/common/deps_with_mixed_dep_types/expected_component_sbom.json

@@ -0,0 +1,72 @@
+{
+  "bomFormat" : "CycloneDX",
+  "specVersion" : "1.4",
+  "version" : 1,
+  "metadata" : {
+    "timestamp" : "2026-04-03T03:12:24Z",
+    "component" : {
+      "type" : "application",
+      "bom-ref" : "pkg:npm/mixed-deps-test@1.0.0",
+      "name" : "mixed-deps-test",
+      "version" : "1.0.0",
+      "purl" : "pkg:npm/mixed-deps-test@1.0.0"
+    }
+  },
+  "components" : [
+    {
+      "type" : "library",
+      "bom-ref" : "pkg:npm/axios@0.19.0",
+      "name" : "axios",
+      "version" : "0.19.0",
+      "purl" : "pkg:npm/axios@0.19.0"
+    },
+    {
+      "type" : "library",
+      "bom-ref" : "pkg:npm/express@4.17.1",
+      "name" : "express",
+      "version" : "4.17.1",
+      "purl" : "pkg:npm/express@4.17.1"
+    },
+    {
+      "type" : "library",
+      "bom-ref" : "pkg:npm/lodash@4.17.19",
+      "name" : "lodash",
+      "version" : "4.17.19",
+      "purl" : "pkg:npm/lodash@4.17.19"
+    },
+    {
+      "type" : "library",
+      "bom-ref" : "pkg:npm/minimist@1.2.0",
+      "name" : "minimist",
+      "version" : "1.2.0",
+      "purl" : "pkg:npm/minimist@1.2.0"
+    }
+  ],
+  "dependencies" : [
+    {
+      "ref" : "pkg:npm/mixed-deps-test@1.0.0",
+      "dependsOn" : [
+        "pkg:npm/axios@0.19.0",
+        "pkg:npm/express@4.17.1",
+        "pkg:npm/lodash@4.17.19",
+        "pkg:npm/minimist@1.2.0"
+      ]
+    },
+    {
+      "ref" : "pkg:npm/axios@0.19.0",
+      "dependsOn" : [ ]
+    },
+    {
+      "ref" : "pkg:npm/express@4.17.1",
+      "dependsOn" : [ ]
+    },
+    {
+      "ref" : "pkg:npm/lodash@4.17.19",
+      "dependsOn" : [ ]
+    },
+    {
+      "ref" : "pkg:npm/minimist@1.2.0",
+      "dependsOn" : [ ]
+    }
+  ]
+}