The NodeJS analyser is triggered by two possible conditions:

  1. a “package-lock.json” is found in the root folder

  2. a “package.json” is found in the root folder

In case 1 the client trusts the contents of package-lock.json and collects the dependencies directly from there. It is therefore important that the file is up to date; otherwise the client will collect stale data, which will most probably lead to a wrong analysis. If you are in doubt, delete the file and the client will fall back to the second option.

In case 2 the client uses the local npm tool: it first executes an “install” command to make sure the dependencies are present, and then asks npm to generate the dependency tree. For this reason, the project has to build successfully.
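As an added example (not the analyser's own code, which the page does not show), a Python sketch of the two collection paths described above: read package-lock.json when present (both the v1 and the v2/v3 layouts), with a check that flags dependencies declared in package.json but missing from the lock as a staleness signal, otherwise run npm install followed by npm ls. The function names and the sample lock and manifest contents are assumptions made for the example.

```python
# Example: the two collection paths described above (assumed helper names).
import json
import os
import subprocess

def parse_lock(lock):
    """Return {name: version} from a parsed package-lock.json (v1, v2 or v3)."""
    deps = {}
    if "packages" in lock:  # lockfileVersion 2/3: keys are node_modules paths
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself, not a dependency
                deps[path.split("node_modules/")[-1]] = meta.get("version")
    else:  # lockfileVersion 1: nested "dependencies" objects
        def walk(tree):
            for name, meta in tree.items():
                deps[name] = meta.get("version")
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return deps

def lock_is_stale(manifest, lock_deps):
    """Declared names absent from the lock: the lock is out of date."""
    declared = {**manifest.get("dependencies", {}),
                **manifest.get("devDependencies", {})}
    return sorted(n for n in declared if n not in lock_deps)

def collect_dependencies(root):
    """Case 1: read package-lock.json. Case 2: npm install, then npm ls."""
    lock_path = os.path.join(root, "package-lock.json")
    if os.path.exists(lock_path):
        with open(lock_path) as f:
            return parse_lock(json.load(f))
    subprocess.run(["npm", "install"], cwd=root, check=True)
    # npm ls exits non-zero on tree problems but still prints JSON: no check=True
    out = subprocess.run(["npm", "ls", "--all", "--json"], cwd=root,
                         capture_output=True, text=True)
    deps = {}
    def walk(node):
        for name, meta in node.get("dependencies", {}).items():
            deps[name] = meta.get("version")
            walk(meta)
    walk(json.loads(out.stdout))
    return deps

# Constructed sample lock (v2 layout) and manifest for exercising the lock path.
SAMPLE_LOCK = {"lockfileVersion": 2, "packages": {
    "": {"name": "demo"}, "node_modules/express": {"version": "4.18.2"},
    "node_modules/express/node_modules/debug": {"version": "2.6.9"}}}
SAMPLE_MANIFEST = {"dependencies": {"express": "^4.18.0", "left-pad": "^1.3.0"}}
```

Running lock_is_stale on SAMPLE_MANIFEST against SAMPLE_LOCK reports left-pad, which is exactly the situation where deleting the stale lock and letting the client fall back to npm gives a correct analysis.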