Add Dev flag to yarn.lock parsing #86

Open
dachrillz opened this issue Mar 10, 2022 · 0 comments
Hello! I've been using trivy to do some scanning of Node.js applications that use yarn. As you are most likely aware, there is no way for Trivy to distinguish between dev dependencies and production dependencies in this case.

I would love it if Trivy could support this. After some digging through the source code, I think this repository is the place to start, given that it handles the dependency parsing for packages. Also, I saw that you already thought about this, thanks to the following TODO in yarn/parse.go:

```go
type Dependency struct {
	Version string
	// TODO : currently yarn can't recognize Dev flag.
	// That need to parse package.json for Dev flag
	Dev          bool
	Dependencies map[string]Dependency
}
```

I guess the only way to support the Dev flag is to include the package.json and compare it to the yarn.lock?

Is this something that sounds reasonable to you?

Thank you for your time! :)
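One way to carry out the package.json comparison sketched above, written as an added example and not code from this repository or from Trivy: read `dependencies` and `devDependencies` from package.json, parse the yarn.lock v1 entries (header patterns, `version`, and the nested `dependencies:` block), and mark an entry as Dev only when it is reachable from a devDependencies root and not from a production root. The package names, the lock file fragment and the `classify`/`markDev` helpers are all constructed for this example; the graph walk goes a step beyond the direct name comparison the issue describes so that transitive dev-only packages are flagged too.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Dependency is a simplified take on the struct quoted from yarn/parse.go (example only):
// the name is pulled out so several versions of one package can coexist.
type Dependency struct {
	Name         string
	Version      string
	Dev          bool
	Dependencies []string // names of direct dependencies listed in the lock entry
}

// packageJSON keeps only the two package.json sections needed to classify entries.
type packageJSON struct {
	Dependencies    map[string]string `json:"dependencies"`
	DevDependencies map[string]string `json:"devDependencies"`
}

// Constructed sample inputs; none of these packages are real.
const samplePackageJSON = `{
  "dependencies":    { "web-framework": "^2.0.0" },
  "devDependencies": { "test-runner": "^5.0.0" }
}`

const sampleYarnLock = `# constructed yarn.lock v1 fragment (not a real lock file)
web-framework@^2.0.0:
  version "2.3.0"
  resolved "https://registry.example.invalid/web-framework-2.3.0.tgz"
  dependencies:
    shared-util "^1.0.0"

test-runner@^5.0.0:
  version "5.1.0"
  dependencies:
    "@example/test-helper" "^1.0.0"
    shared-util "^1.0.0"

"@example/test-helper@^1.0.0":
  version "1.0.2"

shared-util@^1.0.0:
  version "1.4.0"
`

// packageName strips the "@range" suffix from a yarn.lock pattern, splitting at the
// last '@' so scoped names such as "@example/test-helper" stay intact.
func packageName(pattern string) string {
	if i := strings.LastIndex(pattern, "@"); i > 0 {
		return pattern[:i]
	}
	return pattern
}

// parseYarnLock reads a yarn.lock v1 file: unindented lines ending in ':' start an entry
// (one or more "name@range" patterns), the body carries `version "x.y.z"` and an
// optional `dependencies:` block whose lines are indented by four spaces.
func parseYarnLock(content string) []Dependency {
	var deps []Dependency
	curIdx, inDeps := -1, false
	scanner := bufio.NewScanner(strings.NewReader(content))
	for scanner.Scan() {
		line := scanner.Text()
		trimmed := strings.TrimSpace(line)
		switch {
		case trimmed == "" || strings.HasPrefix(trimmed, "#"):
			continue
		case !strings.HasPrefix(line, " ") && strings.HasSuffix(line, ":"):
			// New entry: the package name comes from the first pattern in the header.
			patterns := strings.Split(strings.TrimSuffix(line, ":"), ",")
			first := strings.Trim(strings.TrimSpace(patterns[0]), `"`)
			deps = append(deps, Dependency{Name: packageName(first)})
			curIdx, inDeps = len(deps)-1, false
		case curIdx < 0:
			continue
		case trimmed == "dependencies:":
			inDeps = true
		case strings.HasPrefix(trimmed, "version "):
			deps[curIdx].Version = strings.Trim(strings.TrimPrefix(trimmed, "version "), `"`)
		case inDeps && strings.HasPrefix(line, "    "):
			name := strings.Trim(strings.Fields(trimmed)[0], `"`) // `name "range"` line
			deps[curIdx].Dependencies = append(deps[curIdx].Dependencies, name)
		default:
			inDeps = false // any other two-space key ends the dependencies block
		}
	}
	return deps
}

// parseRoots returns the production and dev root package names from package.json.
func parseRoots(data []byte) ([]string, []string, error) {
	var pkg packageJSON
	if err := json.Unmarshal(data, &pkg); err != nil {
		return nil, nil, err
	}
	var prod, dev []string
	for name := range pkg.Dependencies {
		prod = append(prod, name)
	}
	for name := range pkg.DevDependencies {
		dev = append(dev, name)
	}
	return prod, dev, nil
}

// reachable walks the lock file graph from the roots and returns every name reached.
// Edges of all versions of a package are merged, a simplification for this example.
func reachable(roots []string, deps []Dependency) map[string]bool {
	edges := make(map[string][]string, len(deps))
	for _, d := range deps {
		edges[d.Name] = append(edges[d.Name], d.Dependencies...)
	}
	seen := make(map[string]bool)
	stack := append([]string(nil), roots...)
	for len(stack) > 0 {
		name := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if seen[name] {
			continue
		}
		seen[name] = true
		stack = append(stack, edges[name]...)
	}
	return seen
}

// markDev sets Dev on entries reachable only through devDependencies; a package that
// a production root also needs stays classified as production.
func markDev(deps []Dependency, prodRoots, devRoots []string) []Dependency {
	prod, dev := reachable(prodRoots, deps), reachable(devRoots, deps)
	for i := range deps {
		deps[i].Dev = dev[deps[i].Name] && !prod[deps[i].Name]
	}
	return deps
}

// classify ties the pieces together and returns name -> Dev flag.
func classify(pkgJSON []byte, yarnLock string) (map[string]bool, error) {
	prod, dev, err := parseRoots(pkgJSON)
	if err != nil {
		return nil, err
	}
	flags := make(map[string]bool)
	for _, d := range markDev(parseYarnLock(yarnLock), prod, dev) {
		flags[d.Name] = d.Dev
	}
	return flags, nil
}

func main() {
	flags, err := classify([]byte(samplePackageJSON), sampleYarnLock)
	if err != nil {
		panic(err)
	}
	for name, dev := range flags {
		fmt.Printf("%-22s dev=%v\n", name, dev)
	}
}
```

With the constructed inputs, `test-runner` and `@example/test-helper` end up flagged as Dev, while `shared-util` stays production because `web-framework` pulls it in as well; a scanner that only compared top-level names would miss the transitive `@example/test-helper`. Yarn Berry lock files use a different (YAML) layout and would need their own parser.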
