fix: relative file path

[mihaibuzgau]

Pull Request Submission Checklist

• Follows CONTRIBUTING guidelines
• Commit messages are release-note ready, emphasizing what was changed, not how.
• Includes detailed description of changes
• Contains risk assessment (Low | Medium | High)
• Highlights breaking API changes (if applicable)
• Links to automated tests covering new functionality
• Includes manual testing instructions (if necessary)
• Updates relevant GitBook documentation (PR link: ___)
• Includes product update to be announced in the next stable release notes

This is a cherry pick from #6814. All credit for the work goes to neema-beglou-snyk.

What does this PR do?

Fixes incorrect file path normalisation in printDepGraphError. Previously, path.relative(root, targetFile) was called with a relative targetFile, which resolves against the current working directory instead of the project root. This produced incorrect paths in error output (e.g. ../../subdir/package.json instead of subdir/package.json).

The fix anchors the target file to root first using path.resolve(root, targetFile) before computing the relative path, ensuring correct behaviour for both relative and absolute targetFile values.

Where should the reviewer start?

src/lib/snyk-test/common.ts — the two-line change in printDepGraphError.

How should this be manually tested?

Run snyk test --all-projects --print-effective-graph-with-errors on a project with nested subdirectories that contain failing scans. Verify that the normalisedTargetFile in the JSONL error output shows a correct relative path from the project root (e.g. subdir/package.json), not an incorrectly resolved path.

What's the product update that needs to be communicated to CLI users?

Fixed a bug where error output from --print-effective-graph-with-errors could display incorrect file paths for failed project scans in multi-project workspaces.

Risk assessment (Low | Medium | High)?

Low — the change is a two-line fix scoped to error output path normalisation, with no impact on scan logic or results.

What are the relevant tickets?

CSENG-200

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[mihaibuzgau]

cc @neema-beglou-snyk

[github-actions]

	Warnings
⚠️	"fix: resolve relative path normalisation in printDepGraphError[CSENG-200]" is too long. Keep the first line of your commit message under 72 characters.

Generated by 🚫 dangerJS against f0eb4d0

[CatalinSnyk]

Hey @mihaibuzgau, I disabled auto-merge to get #6803 in first. I can look to rebase and get this PR merge after 😄 Hope you don't mind

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 PR contains tests

🔒 No security concerns identified

⚡ No major issues detected

📚 Repository Context Analyzed This review considered 6 relevant code sections from 6 files (average relevance: 0.97) packages/snyk-fix/src/types.ts (lines 1-251) src/cli/commands/fix/index.ts (lines 1-204) src/cli/main.ts (lines 1-236) dangerfile.js (lines 1-111) cliv2/cmd/cliv2/errorhandling.go (lines 1-110) src/lib/snyk-test/common.ts (lines 1-270)