# Node.js

Trivy supports three types of Node.js package managers: npm, Yarn and pnpm.

The following scanners are supported.

| Artifact | SBOM | Vulnerability | License |
|---|---|---|---|
| npm | ✓ | ✓ | ✓ |
| Yarn | ✓ | ✓ | - |
| pnpm | ✓ | ✓ | - |

The following table provides an outline of the features Trivy offers.

| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
|---|---|---|---|---|---|
| npm | package-lock.json | ✓ | Excluded | ✓ | ✓ |
| Yarn | yarn.lock | ✓ | Excluded | ✓ | ✓ |
| pnpm | pnpm-lock.yaml | ✓ | Excluded | ✓ | - |

In addition, Trivy scans installed packages via their package.json files.

| File | Dependency graph | Position | License |
|---|---|---|---|
| package.json | - | - | ✓ |

These may be enabled or disabled depending on the target. See here for details.

## Package managers

Trivy parses the files generated by package managers in filesystem/repository scanning.

!!! tip
    Please make sure your lock file is up-to-date after modifying package.json.

### npm

Trivy parses package-lock.json.

To identify licenses, install the dependencies into node_modules beforehand; Trivy reads the license information from the packages in node_modules.

By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.
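To make the "dev dependencies excluded by default" behaviour concrete, here is a small added example (not Trivy's own code) that walks the `packages` map of a lockfileVersion 2/3 package-lock.json, skips entries flagged `"dev": true` unless asked to include them, and recovers package names from nested `node_modules/` paths. The lock file content is constructed for the demo.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3 layout) for this demo.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
              "dependencies": {"lodash": "^4.17.21"},
              "devDependencies": {"jest": "^29.0.0"}},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/jest": {"version": "29.7.0", "dev": True},
        # Nested install: a second copy of a package under another package.
        "node_modules/jest/node_modules/chalk": {"version": "4.1.2", "dev": True},
        # Scoped package: the name keeps its @scope/ prefix.
        "node_modules/@babel/core": {"version": "7.24.0", "dev": True},
    },
})


def parse_lock(text, include_dev=False):
    """Return [{name, version, dev}] for the packages recorded in a v2/v3 lock file.

    Mirrors the default of excluding development dependencies; pass
    include_dev=True for the equivalent of --include-dev-deps.
    """
    lock = json.loads(text)
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("only lockfileVersion 2/3 (with a 'packages' map) is handled here")
    found = []
    for path, meta in lock["packages"].items():
        if path == "":  # the root project entry, not a dependency
            continue
        is_dev = bool(meta.get("dev"))
        if is_dev and not include_dev:
            continue
        # "node_modules/a/node_modules/b" -> "b"; "node_modules/@s/p" -> "@s/p"
        name = path.rsplit("node_modules/", 1)[-1]
        found.append({"name": name, "version": meta["version"], "dev": is_dev})
    return found


if __name__ == "__main__":
    for pkg in parse_lock(SAMPLE_LOCK, include_dev=True):
        print(pkg)
```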

### Yarn

Trivy parses yarn.lock, which doesn't record whether a dependency is a development dependency.
To exclude devDependencies, package.json must also be present next to yarn.lock.

Trivy analyzes the .yarn (Yarn 2+) or node_modules (Yarn Classic) folder next to the yarn.lock file to detect licenses.

By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.

### pnpm

Trivy parses pnpm-lock.yaml, identifies the production dependencies and builds the dependency graph that is used when reporting vulnerabilities.

## Packages

Trivy parses the manifest files of installed packages in container image scanning and similar targets.

### package.json

Trivy searches for package.json files under node_modules and identifies the installed packages.
It only extracts the package names, versions and licenses of those packages.