The NodeJS analyser is triggered when in any of the folders of the project one among these manifest files is found:

  1. a “package-lock.json”

  2. a “packages.json”

  3. a “yarn.lock”

  4. a “pnpm-lock.yaml”

In case 1, 3 and 4 the client will trust the contents of the lock file and will collect the dependencies directly from there. In this case, it's important that the information is up to date, otherwise the client will collect stale data that will most probably lead to a wrong analysis: if you are in doubt please re-generate such files.

In case 2 the client will use the local npm tool: it will first execute an “install” command, to make sure that the dependencies are correctly present, and then it will ask npm to generate the dependency tree. For this reason, the project has to build successfully.

In order to avoid the client to look into specific subfolders (by default it won't look into folders named "lib", "examples", "samples" and of course "node_modules), you can add this parameter to the invocation:


In order to avoid the client to look into any subfolder and, instead, search only in the root folder you can add this parameter to the invocation:


When using the thin client, the required tools will have to be installed and configured (Npm). This is not required when using the dockerized client.

When using the dockerized client via the meterian-docker script note that as a result of the global node modules cache directory being mapped into the container by default the version of npm that is installed on the host machine will be employed for the scan should you happen to have it installed.

Last updated