Dependencycheck: Add support for npm-shrinkwrap.json files

Created on 26 Aug 2015 · 4 comments · Source: jeremylong/DependencyCheck

In writing documentation for the new Node.js analyzer, I added a link to nsp. Reading that page, I noticed that nsp also handles a thing called a NPM shrinkwrap file, which seems akin to a Ruby Bundler Gemfile.lock file. It might be straightforward to extend D-C analysis to these files.

enhancement

All 4 comments

@jeremylong Any sign of shrinkwrap being supported? When DependencyCheck finds vulnerabilities in nested dependencies the only course of action in npm is to override them with shrinkwrap. (Unless you have come across another way?) Currently DependencyCheck doesn't support shrinkwraps and therefore continues to fail the tests. This is huge, and a major blocker to continued usage of DependencyCheck.
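As an added example (not code from DependencyCheck, nsp, or this thread's participants), a small Python walker over a constructed npm-shrinkwrap.json in the lockfile v1 layout described in the issue: it lists every pinned package, nested ones included, so a scanner can see a version override that only exists below the top level.

```python
import json

# Constructed sample npm-shrinkwrap.json (lockfile v1 layout); not from any real project.
# "tough-cookie" is pinned twice: at the top level and nested under "request".
SAMPLE_SHRINKWRAP = """
{
  "name": "example-app",
  "version": "1.0.0",
  "dependencies": {
    "request": {
      "version": "2.88.0",
      "dependencies": {
        "tough-cookie": { "version": "2.5.0" }
      }
    },
    "tough-cookie": { "version": "2.3.4" },
    "lodash": { "version": "4.17.21" }
  }
}
"""


def load_shrinkwrap(text):
    """Parse shrinkwrap JSON text into a dict."""
    return json.loads(text)


def walk_dependencies(node, path=()):
    """Yield (path, name, version) for every package pinned anywhere in the tree.

    `path` is the tuple of parent package names, so the same package pinned at
    different nesting levels (possibly at different versions) stays distinguishable.
    """
    for name, entry in sorted(node.get("dependencies", {}).items()):
        yield (path, name, entry.get("version", ""))
        # Nested dependencies use the same shape one level down.
        yield from walk_dependencies(entry, path + (name,))


def pinned_versions(doc, package):
    """Every version of `package` in the tree, with the nesting path it lives under."""
    return [(path, ver) for path, name, ver in walk_dependencies(doc) if name == package]


if __name__ == "__main__":
    doc = load_shrinkwrap(SAMPLE_SHRINKWRAP)
    for path, name, version in walk_dependencies(doc):
        print("/".join(path + (name,)), version)
    print(pinned_versions(doc, "tough-cookie"))
```

A scanner that reads only the top-level entries would report tough-cookie 2.3.4 and miss the 2.5.0 copy nested under request; walking the full tree surfaces both.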

This was recently merged into the master branch (see https://github.com/jeremylong/DependencyCheck/pull/1006). We have not yet performed a release with this update yet; I'm hoping in about 1 week.

Great work, looking forward to the release! Thank you.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
