🧪 [testing improvement] Add error path tests for package.json in scanner

[miccy]

🎯 What: Added unit tests for the detectInjection logic in packages/scanner/src/scan.ts to cover error handling when package.json is missing or invalid.

📊 Coverage:

• Missing or unreadable package.json: Verified that the scanner returns empty findings instead of crashing or misreporting.
• Invalid JSON in package.json: Verified that malformed JSON is handled gracefully via the catch block.
• Happy path: Confirmed that the injection detection logic correctly identifies packages present in the lockfile but missing from package.json declarations.

✨ Result: Increased the reliability and coverage of the @worms-ctrl/scanner package by ensuring edge cases in filesystem operations are explicitly tested.

---

PR created automatically by Jules for task 3697063897735141733 started by @miccy

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: eb0c1c35-efcf-4639-9ad2-767329ecf999

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch test-scan-injection-error-paths-3697063897735141733

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[miccy]

⚠️ Closing as outdated — tests target a code structure that no longer exists.

What was good about this PR:

• Error path testing for detectInjection (missing/invalid package.json)

Why it can't be merged:

• Tests mock readFileSync in the context of scan.ts, but the current scan.ts no longer uses readFileSync — parsing is fully delegated to parsers/*.ts modules
• detectInjection has been moved from scan.ts to detectors/injection.ts and now uses threat DB matching (getPhantomDependencyMatches, getThreatVersionMatches)
• The mock strategy (mock.module('node:fs')) won't intercept the right module boundaries

The error path coverage idea is valid and should be reimplemented targeting detectors/injection.ts directly.