Node.js

Trivy supports four types of Node.js package managers: npm, Yarn, pnpm and Bun [1].

The following scanners are supported.

Artifact | SBOM | Vulnerability | License
-------- | ---- | ------------- | -------
npm      | ✓    | ✓             | ✓
Yarn     | ✓    | ✓             | ✓
pnpm     | ✓    | ✓             | ✓
Bun      | ✓    | ✓             | ✓

The following table provides an outline of the features Trivy offers.

Package manager | File              | Transitive dependencies | Dev dependencies | Dependency graph | Position
--------------- | ----------------- | ----------------------- | ---------------- | ---------------- | --------
npm             | package-lock.json | ✓                       | Excluded         | ✓                | ✓
Yarn            | yarn.lock         | ✓                       | Excluded         | ✓                | ✓
pnpm            | pnpm-lock.yaml    | ✓                       | Excluded         | ✓                | -
Bun             | yarn.lock         | ✓                       | Excluded         | ✓                | ✓

In addition, Trivy scans installed packages with package.json.

File         | Dependency graph | Position | License
------------ | ---------------- | -------- | -------
package.json | -                | -        | ✓

These may be enabled or disabled depending on the target. See here for details.

Package managers

During filesystem and repository scanning, Trivy parses the lock files generated by package managers.

Tip

Please make sure your lock file is up-to-date after modifying package.json.

npm

Trivy parses package-lock.json. To identify licenses, you need to download dependencies to node_modules beforehand. Trivy analyzes node_modules for licenses.

By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.
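As an added illustration that is not part of the Trivy documentation or Trivy's own Go parser, the following Python snippet shows what a package-lock.json (lockfileVersion 3) carries that yarn.lock does not: each installed package is keyed by its node_modules path, dev-only packages are flagged with "dev": true, and the nesting of paths is what makes a dependency graph recoverable. The lockfile content, package names and helper functions are constructed for this example; dev-flagged packages are dropped unless include_dev_deps is set, mirroring the --include-dev-deps flag described above.

```python
import json

# Constructed package-lock.json (lockfileVersion 3), not a real project's file:
# a production chain and a dev-only chain that pins a second copy of "ms".
PACKAGE_LOCK = json.dumps({
    "name": "app", "version": "0.0.1", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "0.0.1",
             "dependencies": {"@scope/logger": "^1.0.0"},
             "devDependencies": {"jest-lite": "^3.0.0"}},
        "node_modules/@scope/logger": {"version": "1.2.0", "dependencies": {"ms": "^2.1.0"}},
        "node_modules/ms": {"version": "2.1.3"},
        "node_modules/jest-lite": {"version": "3.1.0", "dev": True, "dependencies": {"ms": "^1.0.0"}},
        "node_modules/jest-lite/node_modules/ms": {"version": "1.0.0", "dev": True},
    },
})


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b': the name is whatever follows
    the last node_modules segment, so scoped packages keep their scope."""
    return path.rsplit("node_modules/", 1)[1]


def resolve(packages, from_path, dep):
    """Find the lock entry that `dep` resolves to when required from `from_path`,
    using Node's rule: nearest node_modules first, then walk up towards the root."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # not present in the lockfile at all
        # step one node_modules level up; a top-level 'node_modules/a' goes to the root ''
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def dependency_graph(lock_text, include_dev_deps=False):
    """Return {(name, version): [(dep_name, dep_version), ...]} for every installed
    package. Packages flagged "dev": true are dropped unless include_dev_deps is
    set. A dependency the lockfile cannot resolve is reported as (name, None)."""
    packages = json.loads(lock_text)["packages"]

    def keep(path):
        return path != "" and (include_dev_deps or not packages[path].get("dev", False))

    graph = {}
    for path, info in packages.items():
        if not keep(path):
            continue
        deps = []
        for dep in info.get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is None:
                deps.append((dep, None))
            elif keep(target):
                deps.append((package_name(target), packages[target]["version"]))
        graph[(package_name(path), info["version"])] = deps
    return graph


def direct_dependencies(lock_text, include_dev_deps=False):
    """Names declared by the root entry "" of the lockfile, i.e. direct dependencies."""
    root = json.loads(lock_text)["packages"][""]
    names = set(root.get("dependencies", {}))
    if include_dev_deps:
        names |= set(root.get("devDependencies", {}))
    return names


if __name__ == "__main__":
    for node, deps in dependency_graph(PACKAGE_LOCK, include_dev_deps=True).items():
        print(node, "->", deps)
```

The resolution walk matters for the graph: the dev-only jest-lite depends on ms ^1.0.0, which npm satisfied with a nested copy rather than the hoisted ms 2.1.3, so the two ms versions are distinct nodes and only one of them survives the default dev-dependency exclusion.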

Yarn

Trivy parses yarn.lock.

Trivy also analyzes additional files to gather more information about the detected dependencies.

  • package.json
  • node_modules/**

Package relationships

yarn.lock files don't contain information about package relationships, such as direct or indirect dependencies. To enrich this information, Trivy parses the package.json file located next to the yarn.lock file as well as workspace package.json files.

By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them in the results.

Development dependencies

yarn.lock files don't contain information about package groups, such as production and development dependencies. To identify dev dependencies and support aliases, Trivy parses the package.json file located next to the yarn.lock file as well as workspace package.json files.
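The two enrichment steps above (package relationships and development dependencies) can be shown on a small example. The following Python snippet is added here and is not Trivy's code or documentation: it parses a constructed Yarn Classic (v1) yarn.lock, which records only resolved versions and package-to-package dependencies, then uses the package.json next to it to decide which packages are direct, which are dev-only and which name is an alias (the npm: form). All package names, versions and helper functions are invented for the illustration; a package is treated as a dev dependency only when it is reachable solely from devDependencies.

```python
import json
from collections import deque

# Constructed yarn.lock in the Yarn Classic (v1) format (not from any real
# project; resolved/integrity lines omitted). Note that it carries no
# direct/indirect or prod/dev information, only versions and edges.
YARN_LOCK = '''\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"@scope/logger@^1.0.0":
  version "1.2.0"
  dependencies:
    ms "^2.1.0"

chalk@^4.0.0:
  version "4.1.2"

jest-lite@^3.0.0:
  version "3.1.0"
  dependencies:
    chalk "^4.0.0"

ms@^2.1.0:
  version "2.1.3"

"old-ms@npm:ms@^1.0.0":
  version "1.0.0"
'''

# The constructed package.json next to the lockfile supplies what it lacks:
# direct dependencies, dev-only dependencies and the alias old-ms -> ms.
PACKAGE_JSON = json.dumps({
    "name": "app",
    "dependencies": {"@scope/logger": "^1.0.0"},
    "devDependencies": {"jest-lite": "^3.0.0", "old-ms": "npm:ms@^1.0.0"},
})


def split_pattern(pattern):
    """'@s/a@^1' -> ('@s/a', '@s/a'); alias 'b@npm:a@^1' -> ('b', 'a')."""
    at = pattern.index("@", 1)  # skip a leading scope '@'
    name, spec = pattern[:at], pattern[at + 1:]
    if spec.startswith("npm:"):
        real = spec[4:]
        return name, real[:real.index("@", 1)]
    return name, name


def parse_yarn_lock(text):
    """Minimal Yarn Classic parser -> {pattern: {"name", "version", "deps"}}.
    Several patterns may share one entry ('a@^1, a@^1.2:')."""
    entries, current, in_deps = {}, None, False
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" "):  # entry header: one or more patterns
            patterns = [p.strip().strip('"') for p in line.rstrip(":").split(",")]
            current = {"name": split_pattern(patterns[0])[1], "version": None, "deps": []}
            in_deps = False
            for p in patterns:
                entries[p] = current
        elif line.startswith("    ") and in_deps:  # '    name "range"'
            dep, rng = (s.strip('"') for s in line.strip().rsplit(" ", 1))
            current["deps"].append(f"{dep}@{rng}")
        else:  # '  field value' at two-space indent
            field, _, value = line.strip().partition(" ")
            in_deps = field == "dependencies:"
            if field == "version":
                current["version"] = value.strip('"')
    return entries


def classify(package_json, lock):
    """{(name, version): {"direct": bool, "dev": bool}}; dev means reachable
    only from devDependencies. A missing pattern means the lockfile is stale."""
    manifest = json.loads(package_json)

    def roots(section):
        return [f"{n}@{r}" for n, r in manifest.get(section, {}).items()]

    def reach(start):
        seen, queue = set(), deque(start)
        while queue:
            pattern = queue.popleft()
            entry = lock.get(pattern)
            if entry is None:
                raise ValueError(f"{pattern} not in yarn.lock; regenerate the lockfile")
            key = (entry["name"], entry["version"])
            if key not in seen:
                seen.add(key)
                queue.extend(entry["deps"])
        return seen

    prod = reach(roots("dependencies"))
    dev = reach(roots("devDependencies")) - prod
    direct = {(lock[p]["name"], lock[p]["version"])
              for p in roots("dependencies") + roots("devDependencies")}
    return {k: {"direct": k in direct, "dev": k in dev} for k in prod | dev}


def report(package_json, lock_text, include_dev_deps=False):
    """Sorted (name, version, direct) rows; dev deps excluded unless requested,
    which is how the --include-dev-deps flag behaves."""
    rows = classify(package_json, parse_yarn_lock(lock_text))
    return sorted((n, v, m["direct"]) for (n, v), m in rows.items()
                  if include_dev_deps or not m["dev"])
```

Two details are worth noticing. The alias entry resolves to the package ms at version 1.0.0, a different package version from the production ms 2.1.3, so both appear separately in the full report. And a package.json that declares a dependency absent from yarn.lock makes classify raise, which is the practical reason behind the tip about keeping the lock file up to date.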

Licenses

Trivy analyzes the .yarn directory (for Yarn 2+) or the node_modules directory (for Yarn Classic) located next to the yarn.lock file to detect licenses.

pnpm

Trivy parses pnpm-lock.yaml, identifies the production dependencies and builds a dependency tree that is used when reporting vulnerabilities. To identify licenses, you need to download dependencies to node_modules beforehand, as Trivy analyzes node_modules for licenses.

Lock file v9

Trivy supports the Dev field in pnpm-lock.yaml v9 and later. Use the --include-dev-deps flag to include development dependencies in the results.

Bun

Trivy supports scanning yarn.lock files generated by Bun. You can use the command bun install -y to generate a Yarn-compatible yarn.lock.

Note

bun.lockb is not supported.

Packages

Trivy parses the manifest files of installed packages, for example during container image scanning.

package.json

Trivy searches for package.json files under node_modules and identifies installed packages. It only extracts package names, versions and licenses for those packages.
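The walk over node_modules described here is also what the license detection in the npm, Yarn Classic and pnpm sections depends on. The following Python snippet is an added example, not Trivy's own code: it builds a constructed node_modules tree in a temporary directory (top-level packages, a scoped package, a nested node_modules holding a second version of the same package, and a root package.json that must be ignored), then collects name, version and license from every installed package.json, normalising the three license spellings found in the wild (an SPDX string, a {"type": ...} object, and the legacy licenses list). All package names and paths are invented for the illustration.

```python
import json
import os
import tempfile


def license_of(manifest):
    """Normalise the license field: SPDX string, {"type": ...} object, or the
    legacy "licenses" list (of objects or strings). None when absent."""
    lic = manifest.get("license")
    if isinstance(lic, str):
        return lic
    if isinstance(lic, dict):
        return lic.get("type")
    legacy = manifest.get("licenses")
    if isinstance(legacy, list):
        names = [l.get("type") if isinstance(l, dict) else l for l in legacy]
        return " OR ".join(n for n in names if n) or None
    return None


def installed_packages(root):
    """Walk every node_modules directory below root, nested ones included, and
    return {(name, version): license}. The project's own package.json (not under
    node_modules) is skipped, as are files that are not valid JSON."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if "package.json" not in filenames or "node_modules" not in rel.split(os.sep):
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue  # e.g. a test fixture, not an installed package
        name, version = manifest.get("name"), manifest.get("version")
        if name and version:
            found[(name, version)] = license_of(manifest)
    return found


def unlicensed(found):
    """Packages for which no license could be read, sorted for stable output."""
    return sorted(k for k, lic in found.items() if lic is None)


def build_sample_tree(root):
    """Constructed fixture (not a real project): writes a small node_modules tree."""
    fixtures = {
        "package.json": {"name": "app", "version": "0.0.1", "dependencies": {"ms": "^2.1.0"}},
        "node_modules/ms/package.json": {"name": "ms", "version": "2.1.3", "license": "MIT"},
        "node_modules/@scope/logger/package.json": {
            "name": "@scope/logger", "version": "1.2.0", "license": {"type": "Apache-2.0"}},
        "node_modules/old-lib/package.json": {
            "name": "old-lib", "version": "0.9.0", "licenses": [{"type": "BSD-2-Clause"}]},
        "node_modules/old-lib/node_modules/ms/package.json": {"name": "ms", "version": "1.0.0"},
    }
    for rel, body in fixtures.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(body, fh)


def scan_sample():
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return installed_packages(tmp)


if __name__ == "__main__":
    result = scan_sample()
    for key in sorted(result):
        print(key, result[key])
    print("no license:", unlicensed(result))
```

The nested ms 1.0.0 has no license field at all, so it shows up in unlicensed(); that is the kind of gap a practitioner should expect in license results when node_modules is incomplete or a package ships without license metadata.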


[1] yarn.lock must be generated.