gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 15:50:15 -08:00
Code Issues Packages Projects Releases Wiki Activity

docs(nodejs): add info about supported versions of pnpm lock files (#6510)

Browse Source
This commit is contained in:
DmitriyLewen
2024-04-19 13:38:32 +06:00
committed by GitHub
parent 12ec0dfe9e
commit 95c8fd912e
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/docs/coverage/language/nodejs.md
View File

@@ -55,6 +55,9 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
### pnpm
Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
!!! note
Trivy currently only supports Lockfile [v6][pnpm-lockfile-v6] or earlier.
### Bun
Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`.
@@ -69,5 +72,6 @@ Trivy searches for `package.json` files under `node_modules` and identifies inst
It only extracts package names, versions and licenses for those packages.
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[pnpm-lockfile-v6]: https://github.com/pnpm/spec/blob/fd3238639af86c09b7032cc942bab3438b497036/lockfile/6.0.md
[^1]: [yarn.lock](#bun) must be generated