NodeJS

The NodeJS analyser is triggered when in any of the folders of the project one among these manifest files is found:

1. a “package-lock.json”

2. a “packages.json”

3. a “yarn.lock”

4. a “pnpm-lock.yaml”

5. an orphan node_modules folder (normally disabled)

In case 1, 3 and 4 the client will trust the contents of the lock file and will collect the dependencies directly from there. In this case, it's important that the information is up to date, otherwise the client will collect stale data that will most probably lead to a wrong analysis: if you are in doubt please re-generate such files.

In case 2 the client will use the local npm tool: it will first execute an “install” command, to make sure that the dependencies are correctly present, and then it will ask npm to generate the dependency tree. For this reason, the project has to build successfully.

Excluding specific npm folders

In order to avoid the client to look into specific subfolders (by default it won't look into folders named "lib", "examples", "samples" and of course "node_modules), you can add this parameter to the invocation:

--flags:npm.folders.excluded=foo,bar,baz

You can also use the standard mechanism to exclude folders, both are available.

Processing only the root folder

In order to avoid the client to look into any subfolder and, instead, search only in the root folder you can add this parameter to the invocation:

--flags:npm.root.only=true

Tool requirements

When using the thin client, the required tools will have to be installed and configured (Npm). This is not required when using the dockerized client.

Scanning orphan node_modules folder

Sometimes NodeJS assets are simply copied in a build in an "orphaned" state: only the node_modules folder is present, with no manifest files declaring what's inside. In this situation, you can specify the parameter --process-nodemodules and the scanner will ingest all the information of any orphaned folder. Only if this flag is not specified, this specific scanning is executed.