Dependencycheck: Report without devDependencies

Created on 15 Mar 2019 · 2 Comments · Source: jeremylong/DependencyCheck

To my understanding, the Node.js Analyzer in conjunction with the Node Audit Analyzer inspects the package-lock.json. And the package-lock.json always includes the devDependencies.
The dependency-check-report.html reflects this and includes all dependencies.

  • On a clean environment (no npm command before, no package-lock.json available) I did an npm install --production
  • As expected ;-) only the production dependencies are installed, but
  • The package-lock.json was created with all dependencies (prod and dev)
  • I run an OWASP/DC scan
  • The report also shows all dependencies (prod and dev)

Now my question: Is there an optional parameter/possibility to avoid the inclusion of the devDependencies in the report? The devDependencies in the package-lock.json show "dev": true, the production dependencies have no "dev" entry.

enhancement

All 2 comments

At the moment no. Everything in the package-lock.json is analyzed.

With npm release v6.10.0 it is possible to exclude dev dependencies from npm audit. Maybe it can be included in the dependency check.

For more information see the https://github.com/npm/cli/releases/tag/v6.10.0 -> https://github.com/npm/cli/pull/202
