Node.js
Trivy supports four types of Node.js package managers: npm, Yarn, pnpm and Bun.
The following scanners are supported.
Artifact | SBOM | Vulnerability | License |
---|---|---|---|
npm | ✓ | ✓ | ✓ |
Yarn | ✓ | ✓ | ✓ |
pnpm | ✓ | ✓ | ✓ |
Bun | ✓ | ✓ | ✓ |
The following table provides an outline of the features Trivy offers.
Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
---|---|---|---|---|---|
npm | package-lock.json | ✓ | Excluded | ✓ | ✓ |
Yarn | yarn.lock | ✓ | Excluded | ✓ | ✓ |
pnpm | pnpm-lock.yaml | ✓ | Excluded | ✓ | - |
Bun | yarn.lock | ✓ | Excluded | ✓ | ✓ |
In addition, Trivy scans installed packages with package.json.
File | Dependency graph | Position | License |
---|---|---|---|
package.json | - | - | ✅ |
These may be enabled or disabled depending on the target. See here for the detail.
Package managers
Trivy parses the files generated by package managers during filesystem and repository scanning.
Tip
Please make sure your lock file is up-to-date after modifying package.json.
npm
Trivy parses package-lock.json.
To identify licenses, you need to download dependencies to node_modules beforehand.
Trivy analyzes node_modules for licenses.
By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.
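As an added example (not part of Trivy or its documentation), the following Node.js code checks the tip above before a scan: it reports where package.json and package-lock.json have drifted apart, and lists which locked packages are dev-only. It assumes npm's lockfileVersion 2 or 3 layout, where the root entry packages[""] mirrors package.json and dev-only packages carry dev: true; the function names and sample data are constructed for illustration.

```javascript
// Constructed sample: lodash was added to package.json without re-running npm install.
const samplePackageJson = {
  dependencies: { express: "^4.18.2", lodash: "^4.17.21" },
  devDependencies: { jest: "^29.7.0" },
};
// Constructed sample lock file in npm lockfileVersion 3 layout.
const samplePackageLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.18.2" }, devDependencies: { jest: "^29.7.0" } },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/jest": { version: "29.7.0", dev: true },
    "node_modules/jest/node_modules/ms": { version: "2.1.3", dev: true },
  },
};

// Compare the ranges declared in package.json with the copy npm stores in the
// lock file's root entry (packages[""]); any difference means the lock is stale.
function findLockDrift(pkg, lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const drift = [];
  for (const field of ["dependencies", "devDependencies"]) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (!(name in locked)) drift.push(`${field}/${name}: not in lock file`);
      else if (locked[name] !== range) drift.push(`${field}/${name}: range changed`);
      else if (!packages[`node_modules/${name}`]) drift.push(`${field}/${name}: no resolved entry`);
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) drift.push(`${field}/${name}: removed from package.json`);
    }
  }
  return drift;
}

// Split locked packages into production and dev-only, using npm's "dev" flag.
function splitByDev(lock) {
  const result = { prod: [], dev: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // skip the root project and workspace links
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    (entry.dev ? result.dev : result.prod).push(`${name}@${entry.version}`);
  }
  return result;
}

console.log(findLockDrift(samplePackageJson, samplePackageLock));
console.log(splitByDev(samplePackageLock));
```

A non-empty drift list means the scan would run against dependency data that no longer reflects package.json, so regenerate the lock file first.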
Yarn
Trivy parses yarn.lock, which doesn't contain information about development dependencies.
Trivy also uses package.json file to handle aliases.
To exclude devDependencies and allow aliases, package.json also needs to be present next to yarn.lock.
Trivy analyzes .yarn (Yarn 2+) or node_modules (Yarn Classic) folder next to the yarn.lock file to detect licenses.
By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.
pnpm
Trivy parses pnpm-lock.yaml, then finds production dependencies and builds a tree of dependencies with vulnerabilities.
To identify licenses, you need to download dependencies to node_modules beforehand. Trivy analyzes node_modules for licenses.
lock file v9 version
Trivy supports the Dev field for pnpm-lock.yaml v9 or later. Use the --include-dev-deps flag to include development dependencies in the result.
Bun
Trivy supports scanning yarn.lock files generated by Bun. You can use the command bun install -y to generate a Yarn-compatible yarn.lock.
Note
bun.lockb is not supported.
Packages
Trivy parses the manifest files of installed packages in container image scanning and so on.
package.json
Trivy searches for package.json files under node_modules and identifies installed packages.
It only extracts package names, versions and licenses for those packages.