The NodeJS analyser is triggered when in any of the folders of the project one among these manifest files is found:

1. a “package-lock.json”

2. a “packages.json”

3. a “yarn.lock”

4. a “pnpm-lock.yaml”

In case 1, 3 and 4 the client will trust the contents of the lock file and will collect the dependencies directly from there. In this case, it's important that the information is up to date, otherwise the client will collect stale data that will most probably lead to a wrong analysis: if you are in doubt please re-generate such files.

In case 2 the client will use the local npm tool: it will first execute an “install” command, to make sure that the dependencies are correctly present, and then it will ask npm to generate the dependency tree. For this reason, the project has to build successfully.

In order to avoid the client to look into specific subfolders (by default it won't look into folders named "lib", "examples", "samples" and of course "node_modules), you can add this parameter to the invocation:

--flags:npm.folders.excluded=foo,bar,baz

In order to avoid the client to look into any subfolder and, instead, search only in the root folder you can add this parameter to the invocation:

--flags:npm.root.only=true

When using the thin client, the required tools will have to be installed and configured (Npm). This is not required when using the dockerized client.