# Node.js

Trivy supports four types of Node.js package managers: npm, Yarn, pnpm and Bun.

The following scanners are supported.
| Artifact | SBOM | Vulnerability | License |
|---|---|---|---|
| npm | ✓ | ✓ | ✓ |
| Yarn | ✓ | ✓ | ✓ |
| pnpm | ✓ | ✓ | ✓ |
| Bun | ✓ | ✓ | ✓ |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
|---|---|---|---|---|---|
| npm | package-lock.json | ✓ | Excluded | ✓ | ✓ |
| Yarn | yarn.lock | ✓ | Excluded | ✓ | ✓ |
| pnpm | pnpm-lock.yaml | ✓ | Excluded | ✓ | - |
| Bun | bun.lock | ✓ | Excluded | ✓ | ✓ |
In addition, Trivy scans installed packages by reading their `package.json` files.

| File | Dependency graph | Position | License |
|---|---|---|---|
| package.json | - | - | ✓ |

These may be enabled or disabled depending on the target. See here for details.
## Package managers

Trivy parses the lock files generated by package managers in filesystem and repository scanning.

> **Tip:** Make sure your lock file is up to date after modifying `package.json`.

### npm

Trivy parses `package-lock.json`.

By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
#### Licenses

Trivy retrieves dependency license information from the lock file (lockfile version 2 and later).

If license information is missing from the lock file, Trivy analyzes the `node_modules` directory located next to `package-lock.json` to detect licenses.

If the `license` field in `package.json` references an external file (e.g. `SEE LICENSE IN LICENSE` or `LicenseRef-LICENSE`), Trivy reads that file to classify the license.
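The following script is an added example (not Trivy's own code) that mirrors how the npm section above describes lock file handling: packages are read from the `packages` map of a lockfile version 2/3 `package-lock.json`, dev-only entries are skipped unless explicitly requested, the license comes from the lock entry when present, and a `package.json` `license` value of the form `SEE LICENSE IN <file>` or `LicenseRef-<file>` is resolved to the file name that would need to be read. The lock file content is constructed for the example, and the `LicenseRef-` to file-name mapping is an assumption about how such a reference is resolved.

```javascript
// Constructed package-lock.json (lockfileVersion 3) used as sample input.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0",
          dependencies: { "left-pad": "^1.3.0" },
          devDependencies: { jest: "^29.0.0" } },
    "node_modules/left-pad": { version: "1.3.0", license: "WTFPL" },
    "node_modules/jest": { version: "29.7.0", dev: true, license: "MIT" },
    // nested transitive dev dependency
    "node_modules/jest/node_modules/chalk": { version: "4.1.2", dev: true, license: "MIT" },
    // no license in the lock entry: a scanner would fall back to node_modules/semver/package.json
    "node_modules/semver": { version: "7.6.0" },
  },
});

// Return the installed packages recorded in a v2/v3 lock file.
// Dev-only packages (entry.dev === true) are excluded unless includeDev is set,
// matching the default-off behaviour of --include-dev-deps.
function lockPackages(lockText, { includeDev = false } = {}) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    // lockfileVersion 1 only has a "dependencies" tree and carries no license data
    throw new Error("lockfileVersion 1 is not handled by this example; regenerate with npm 7+");
  }
  const result = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry, not a dependency
    if (entry.dev && !includeDev) continue; // dev-only package, excluded by default
    // Package name is the path segment after the last "node_modules/" (keeps @scope/name).
    const name = entry.name ?? path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    result.push({ name, version: entry.version, dev: Boolean(entry.dev), license: entry.license ?? null });
  }
  return result;
}

// If a package.json "license" value points at an external file, return that file name,
// otherwise null (the value is then a plain SPDX expression such as "MIT").
// Assumption: "LicenseRef-<file>" names a file next to package.json, as "SEE LICENSE IN <file>" does.
function licenseFileRef(field) {
  if (typeof field !== "string") return null;
  const value = field.trim();
  const seeIn = /^SEE LICENSE IN (.+)$/i.exec(value);
  if (seeIn) return seeIn[1].trim();
  const ref = /^LicenseRef-(.+)$/.exec(value);
  return ref ? ref[1] : null;
}
```

Run with `node` after appending a call such as `console.log(lockPackages(SAMPLE_LOCK, { includeDev: true }))` to compare the default and dev-inclusive listings.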
### Yarn

Trivy parses `yarn.lock`.

Trivy also analyzes additional files to gather more information about the detected dependencies:

- `package.json`
- `node_modules/**`
#### Package relationships

`yarn.lock` files don't contain information about package relationships, such as direct or indirect dependencies.
To enrich this information, Trivy parses the `package.json` file located next to `yarn.lock` as well as workspace `package.json` files.

By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them in the results.
#### Development dependencies

`yarn.lock` files don't contain information about package groups, such as production and development dependencies.
To identify dev dependencies and support aliases, Trivy parses the `package.json` file located next to `yarn.lock` as well as workspace `package.json` files.

#### Licenses

Trivy analyzes the `.yarn` directory (for Yarn 2+) or the `node_modules` directory (for Yarn Classic) located next to `yarn.lock` to detect licenses.

If the `license` field in `package.json` references an external file (e.g. `SEE LICENSE IN LICENSE` or `LicenseRef-LICENSE`), Trivy reads that file to classify the license.
### pnpm

Trivy parses `pnpm-lock.yaml`, identifies the production dependencies and builds the dependency tree used to report vulnerabilities.

#### Lock file v9

Trivy supports the `dev` field in `pnpm-lock.yaml` v9 or later. Use the `--include-dev-deps` flag to include development dependencies in the results.

#### Licenses

To identify licenses, you need to install the dependencies into `node_modules` beforehand. Trivy analyzes the `node_modules` directory located next to `pnpm-lock.yaml` to detect licenses.

If the `license` field in `package.json` references an external file (e.g. `SEE LICENSE IN LICENSE` or `LicenseRef-LICENSE`), Trivy reads that file to classify the license.
### Bun

Trivy also supports scanning the `bun.lock` file generated by Bun.
Bun v1.2 writes this file by default; in Bun v1.1.39 you can generate it with `bun install --save-text-lockfile`.
For earlier Bun versions, run `bun install -y` to generate a Yarn-compatible `yarn.lock` and then scan that with Trivy.

#### Development dependencies

`bun.lock` contains information about package groups, such as production and development dependencies. By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.

> **Note:** `bun.lockb` (the binary lock file) is not supported.

#### Licenses

To identify licenses, you need to install the dependencies into `node_modules` beforehand. Trivy analyzes the `node_modules` directory located next to `bun.lock` to detect licenses.

If the `license` field in `package.json` references an external file (e.g. `SEE LICENSE IN LICENSE` or `LicenseRef-LICENSE`), Trivy reads that file to classify the license.
## Packages

Trivy parses the manifest files of installed packages in container image scanning and similar targets.

### package.json

Trivy searches for `package.json` files under `node_modules` and identifies the installed packages.
It only extracts package names, versions and licenses for those packages; the `dependencies` field is not analyzed, so no dependency graph is built from them.

> **Note:** To detect vulnerabilities in Node.js dependencies within a container image, ensure that `node_modules` is present in the image, or use a lock file (`package-lock.json`, `yarn.lock`, etc.) with filesystem scanning.