Report without devDependencies #1806

Closed
@githubhs17

Description

To my understanding, the Node.js Analyzer in conjunction with the Node Audit Analyzer inspects the package-lock.json, and the package-lock.json always includes the devDependencies.
The dependency-check-report.html reflects this and includes all dependencies.

  • On a clean environment (no npm command before, no package-lock.json available) I did an npm install --production
  • As expected ;-) only the production dependencies were installed, but
  • the package-lock.json was created with all dependencies (prod and dev)
  • I ran an OWASP/DC scan
  • The report also shows all dependencies (prod and dev)

Now my question: Is there an optional parameter/possibility to avoid the inclusion of the devDependencies in the report? The devDependencies in the package-lock.json show "dev": true, the production dependencies have no "dev" entry.
