Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Report without devDependencies #1806

Closed
githubhs17 opened this issue Mar 15, 2019 · 2 comments
Closed

Report without devDependencies #1806

githubhs17 opened this issue Mar 15, 2019 · 2 comments
Assignees
@jeremylong
Labels
enhancement
Milestone
5.3.0

Comments

@githubhs17
Copy link

For my understanding the Node.js Analyzer in conjunction with the Node Audit Analyzer inspects the package-lock.json. And the package-lock.json always includes the devDependencies.
The dependency-check-report.html reflects this and is including all dependencies.

  • On a clean environment (no npm command before, no package-lock.json available) I did an npm install --production
  • As expected ;-) only the production dependencies are installed, but
  • The package-lock.json was created with all dependencies (prod and dev)
  • I run an OWASP/DC scan
  • The reports shows also all dependencies (prod and dev)

Now my question: Is there a optional parameter/possibility to avoid the inclusion of the devDependencies in the report ? The devDependencies in the package-lock.json shows "dev": true,, the production dependencies have no "dev" entry.
@jeremylong
Copy link
Owner

At the moment no. Everything in the package-lock.json is analyzed.

@kessenich
Copy link

With npm release v6.10.0 it is possible to exclude dev dependencies from npm audit. Maybe it can be included in the dependency check.

For more information see the /~https://github.com/npm/cli/releases/tag/v6.10.0 -> npm/cli#202

@jeremylong jeremylong self-assigned this Oct 30, 2019
jeremylong added a commit that referenced this issue Dec 8, 2019
@jeremylong
added configuration to skip node devDependencies per #1806
238864a
@jeremylong jeremylong mentioned this issue Dec 8, 2019
Merged
jeremylong added a commit that referenced this issue Dec 10, 2019
@jeremylong
add configuration to skip node devDependencies (#2373)
23fa6e1 
* added configuration to skip node devDependencies per #1806

* updated documentation
@jeremylong jeremylong added this to the 5.2.5 milestone Dec 29, 2019
@lock lock bot locked and limited conversation to collaborators Feb 14, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@jeremylong jeremylong

Labels
enhancement
Projects
None yet
Milestone
5.3.0
Development

No branches or pull requests
3 participants
@jeremylong @kessenich @githubhs17