docs/guide/coverage/language/nodejs.md

# Node.js

Trivy supports four types of Node.js package managers: `npm`, `Yarn`, `pnpm` and `Bun`[^1].

The following scanners are supported.

| Artifact | SBOM | Vulnerability | License |
|----------|:----:|:-------------:|:-------:|
| npm      |  ✓   |       ✓       |    ✓    |
| Yarn     |  ✓   |       ✓       |    ✓    |
| pnpm     |  ✓   |       ✓       |    ✓    |
| Bun      |  ✓   |       ✓       |    ✓    |

The following table provides an outline of the features Trivy offers.

| Package manager | File              | Transitive dependencies |         Dev dependencies          | [Dependency graph][dependency-graph] | Position |
|:---------------:|-------------------|:-----------------------:|:---------------------------------:|:------------------------------------:|:--------:|
|       npm       | package-lock.json |            ✓            |         [Excluded](#npm)          |                  ✓                   |    ✓     |
|      Yarn       | yarn.lock         |            ✓            |         [Excluded](#yarn)         |                  ✓                   |    ✓     |
|      pnpm       | pnpm-lock.yaml    |            ✓            | [Excluded](#lock-file-v9-version) |                  ✓                   |    -     |
|       Bun       | bun.lock          |            ✓            |         [Excluded](#bun)          |                  ✓                   |    ✓     |

In addition, Trivy scans installed packages with `package.json`.

| File         | Dependency graph | Position | License |
|--------------|:----------------:|:--------:|:-------:|
| package.json |        -         |    -     |    ✅    |

These may be enabled or disabled depending on the target.
See [here](./index.md) for the detail.

## Package managers
Trivy parses your files generated by package managers in filesystem/repository scanning.

!!! tip
    Please make sure your lock file is up-to-date after modifying `package.json`.

### npm
Trivy parses `package-lock.json`.
To identify licenses, you need to download dependencies to `node_modules` beforehand.
Trivy analyzes `node_modules` for licenses.

By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.

### Yarn
Trivy parses `yarn.lock`.

Trivy also analyzes additional files to gather more information about the detected dependencies.

- package.json
- node_modules/**

#### Package relationships
`yarn.lock` files don't contain information about package relationships, such as direct or indirect dependencies.
To enrich this information, Trivy parses the `package.json` file located next to the `yarn.lock` file as well as workspace `package.json` files.

By default, Trivy doesn't report development dependencies.
Use the `--include-dev-deps` flag to include them in the results.

#### Development dependencies
`yarn.lock` files don't contain information about package groups, such as production and development dependencies.
To identify dev dependencies and support [aliases][yarn-aliases], Trivy parses the `package.json` file located next to the `yarn.lock` file as well as workspace `package.json` files.

#### Licenses
Trivy analyzes the `.yarn` directory (for Yarn 2+) or the `node_modules` directory (for Yarn Classic) located next to the `yarn.lock` file to detect licenses.

### pnpm
Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
To identify licenses, you need to download dependencies to `node_modules` beforehand. Trivy analyzes `node_modules` for licenses.

#### lock file v9 version
Trivy supports `Dev` field for `pnpm-lock.yaml` v9 or later. Use the `--include-dev-deps` flag to include the developer's dependencies in the result.

### Bun
Trivy also supports scanning `bun.lock` file generated by [Bun](https://bun.sh/blog/bun-lock-text-lockfile). 
You can use Bun v1.2 which uses this file as default or use `bun install --save-text-lockfile` in Bun v1.1.39 to generate it.

For previous Bun versions you can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock` and then scan it with Trivy.

#### Development dependencies
`bun.lock` contains information about package groups, such as production and development dependencies. By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.

!!! note
    `bun.lockb` is not supported.

## Packages
Trivy parses the manifest files of installed packages in container image scanning and so on.

### package.json
Trivy searches for `package.json` files under `node_modules` and identifies installed packages.
It only extracts package names, versions and licenses for those packages.

[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[pnpm-lockfile-v6]: https://github.com/pnpm/spec/blob/fd3238639af86c09b7032cc942bab3438b497036/lockfile/6.0.md
[yarn-aliases]: https://classic.yarnpkg.com/lang/en/docs/cli/add/#toc-yarn-add-alias

[^1]: [yarn.lock](#bun) must be generated
feat(nodejs): parse package.json alongside yarn.lock (#3757) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-21 23:13:02 +06:00			`# Node.js`

docs: add note about Bun (#6001) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> 2024-01-26 17:52:25 +07:00			Trivy supports four types of Node.js package managers: `npm`, `Yarn`, `pnpm` and `Bun`[^1].
docs: add coverage (#4954) * docs: add coverage * add more pages * add dart, dotnet, elixir languages. * add C, ruby, cocoapods. Update links * rename headers for dart and elixir * docs: add Google Distroless and Photon OS * docs: add IaC * docs: put vulnerability into a single page * fixed broken links * docs: add coverage overview * update some links * add note about arch for Rocky linux * docs: fix typo * fix typo * docs: add footnotes * docs: add a link to coverage in the license section * docs: add a conversion table * docs: get aligned --------- Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> 2023-08-17 11:00:34 +03:00
			`The following scanners are supported.`

docs: add note about Bun (#6001) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> 2024-01-26 17:52:25 +07:00			`\| Artifact \| SBOM \| Vulnerability \| License \|`
			`\|----------\|:----:\|:-------------:\|:-------:\|`
			`\| npm \| ✓ \| ✓ \| ✓ \|`
			`\| Yarn \| ✓ \| ✓ \| ✓ \|`
feat(nodejs): add license parser to pnpm analyser (#7036) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> 2024-07-03 14:13:24 +02:00			`\| pnpm \| ✓ \| ✓ \| ✓ \|`
docs: add note about Bun (#6001) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> 2024-01-26 17:52:25 +07:00			`\| Bun \| ✓ \| ✓ \| ✓ \|`
docs: add coverage (#4954) * docs: add coverage * add more pages * add dart, dotnet, elixir languages. * add C, ruby, cocoapods. Update links * rename headers for dart and elixir * docs: add Google Distroless and Photon OS * docs: add IaC * docs: put vulnerability into a single page * fixed broken links * docs: add coverage overview * update some links * add note about arch for Rocky linux * docs: fix typo * fix typo * docs: add footnotes * docs: add a link to coverage in the license section * docs: add a conversion table * docs: get aligned --------- Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> 2023-08-17 11:00:34 +03:00
feat(nodejs): parse package.json alongside yarn.lock (#3757) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-21 23:13:02 +06:00			`The following table provides an outline of the features Trivy offers.`

feat(nodejs): add v9 pnpm lock file support (#6617) 2024-05-21 17:23:26 +06:00			`\| Package manager \| File \| Transitive dependencies \| Dev dependencies \| [Dependency graph][dependency-graph] \| Position \|`
			`\|:---------------:\|-------------------\|:-----------------------:\|:---------------------------------:\|:------------------------------------:\|:--------:\|`
			`\| npm \| package-lock.json \| ✓ \| [Excluded](#npm) \| ✓ \| ✓ \|`
			`\| Yarn \| yarn.lock \| ✓ \| [Excluded](#yarn) \| ✓ \| ✓ \|`
			`\| pnpm \| pnpm-lock.yaml \| ✓ \| [Excluded](#lock-file-v9-version) \| ✓ \| - \|`
feat(nodejs): add a bun.lock analyzer (#8897) Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> 2025-05-28 12:44:54 +05:30			`\| Bun \| bun.lock \| ✓ \| [Excluded](#bun) \| ✓ \| ✓ \|`
feat(nodejs): parse package.json alongside yarn.lock (#3757) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-21 23:13:02 +06:00
			In addition, Trivy scans installed packages with `package.json`.

			`\| File \| Dependency graph \| Position \| License \|`
docs: add note about Bun (#6001) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> 2024-01-26 17:52:25 +07:00			`\|--------------\|:----------------:\|:--------:\|:-------:\|`
feat(nodejs): parse package.json alongside yarn.lock (#3757) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-21 23:13:02 +06:00			`\| package.json \| - \| - \| ✅ \|`

			`These may be enabled or disabled depending on the target.`
docs: restructure scanners (#3977) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> 2023-04-17 11:54:31 +03:00			`See [here](./index.md) for the detail.`
feat(nodejs): parse package.json alongside yarn.lock (#3757) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-21 23:13:02 +06:00
			`## Package managers`
			`Trivy parses your files generated by package managers in filesystem/repository scanning.`

			`!!! tip`
			Please make sure your lock file is up-to-date after modifying `package.json`.

			`### npm`
			Trivy parses `package-lock.json`.
			To identify licenses, you need to download dependencies to `node_modules` beforehand.
			Trivy analyzes `node_modules` for licenses.

feat(cli): add include-dev-deps flag (#4700) * add Dev field for Package * fix integration test * update docs * feat(cli): add include-dev flag * bump go-dep-parser * update docs * add integration test * refactor * refactor * fix integration test * refactor: rename flag to include-dev-deps * update docs * update docs * filter dev deps when scanning packages * add flag support for server mode * refactor: remove comment that might confuse * refactor: move --include-dev-deps to the scanner flag group * refactor: not return apps * docs: update --------- Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-06-29 19:15:52 +06:00			By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.

feat(nodejs): parse package.json alongside yarn.lock (#3757) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-21 23:13:02 +06:00			`### Yarn`
feat(nodejs): add root and workspace for `yarn` packages (#8535) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2025-04-30 20:49:49 +06:00			Trivy parses `yarn.lock`.
feat(nodejs): add yarn alias support (#5818) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> 2024-01-04 11:16:35 +06:00
feat(nodejs): add root and workspace for `yarn` packages (#8535) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2025-04-30 20:49:49 +06:00			`Trivy also analyzes additional files to gather more information about the detected dependencies.`
feat(nodejs): add yarn alias support (#5818) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> 2024-01-04 11:16:35 +06:00
feat(nodejs): add root and workspace for `yarn` packages (#8535) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2025-04-30 20:49:49 +06:00			`- package.json`
			`- node_modules/**`
feat(nodejs): parse package.json alongside yarn.lock (#3757) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-21 23:13:02 +06:00
feat(nodejs): add root and workspace for `yarn` packages (#8535) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2025-04-30 20:49:49 +06:00			`#### Package relationships`
			`yarn.lock` files don't contain information about package relationships, such as direct or indirect dependencies.
			To enrich this information, Trivy parses the `package.json` file located next to the `yarn.lock` file as well as workspace `package.json` files.

			`By default, Trivy doesn't report development dependencies.`
			Use the `--include-dev-deps` flag to include them in the results.

			`#### Development dependencies`
			`yarn.lock` files don't contain information about package groups, such as production and development dependencies.
			To identify dev dependencies and support [aliases][yarn-aliases], Trivy parses the `package.json` file located next to the `yarn.lock` file as well as workspace `package.json` files.

			`#### Licenses`
			Trivy analyzes the `.yarn` directory (for Yarn 2+) or the `node_modules` directory (for Yarn Classic) located next to the `yarn.lock` file to detect licenses.
feat(nodejs): add support for include-dev-deps flag for yarn (#4812) * add support for include-dev-deps flag * remove go.mod replace * refactor * bump go-dep-parser --------- Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-07-23 19:07:49 +06:00
feat(nodejs): parse package.json alongside yarn.lock (#3757) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-21 23:13:02 +06:00			`### pnpm`
docs: add coverage (#4954) * docs: add coverage * add more pages * add dart, dotnet, elixir languages. * add C, ruby, cocoapods. Update links * rename headers for dart and elixir * docs: add Google Distroless and Photon OS * docs: add IaC * docs: put vulnerability into a single page * fixed broken links * docs: add coverage overview * update some links * add note about arch for Rocky linux * docs: fix typo * fix typo * docs: add footnotes * docs: add a link to coverage in the license section * docs: add a conversion table * docs: get aligned --------- Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> 2023-08-17 11:00:34 +03:00			Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
feat(nodejs): add license parser to pnpm analyser (#7036) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> 2024-07-03 14:13:24 +02:00			To identify licenses, you need to download dependencies to `node_modules` beforehand. Trivy analyzes `node_modules` for licenses.
feat(nodejs): parse package.json alongside yarn.lock (#3757) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-21 23:13:02 +06:00
feat(nodejs): add v9 pnpm lock file support (#6617) 2024-05-21 17:23:26 +06:00			`#### lock file v9 version`
			Trivy supports `Dev` field for `pnpm-lock.yaml` v9 or later. Use the `--include-dev-deps` flag to include the developer's dependencies in the result.
docs(nodejs): add info about supported versions of pnpm lock files (#6510) 2024-04-19 13:38:32 +06:00
docs: add note about Bun (#6001) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> 2024-01-26 17:52:25 +07:00			`### Bun`
feat(nodejs): add a bun.lock analyzer (#8897) Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> 2025-05-28 12:44:54 +05:30			Trivy also supports scanning `bun.lock` file generated by [Bun](https://bun.sh/blog/bun-lock-text-lockfile).
			You can use Bun v1.2 which uses this file as default or use `bun install --save-text-lockfile` in Bun v1.1.39 to generate it.

			For previous Bun versions you can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock` and then scan it with Trivy.

			`#### Development dependencies`
			`bun.lock` contains information about package groups, such as production and development dependencies. By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
docs: add note about Bun (#6001) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> 2024-01-26 17:52:25 +07:00
			`!!! note`
			`bun.lockb` is not supported.

feat(nodejs): parse package.json alongside yarn.lock (#3757) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2023-03-21 23:13:02 +06:00			`## Packages`
			`Trivy parses the manifest files of installed packages in container image scanning and so on.`

			`### package.json`
			Trivy searches for `package.json` files under `node_modules` and identifies installed packages.
			`It only extracts package names, versions and licenses for those packages.`

docs: add note about Bun (#6001) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> 2024-01-26 17:52:25 +07:00			`[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies`
docs(nodejs): add info about supported versions of pnpm lock files (#6510) 2024-04-19 13:38:32 +06:00			`[pnpm-lockfile-v6]: https://github.com/pnpm/spec/blob/fd3238639af86c09b7032cc942bab3438b497036/lockfile/6.0.md`
feat(nodejs): add root and workspace for `yarn` packages (#8535) Co-authored-by: knqyf263 <knqyf263@gmail.com> 2025-04-30 20:49:49 +06:00			`[yarn-aliases]: https://classic.yarnpkg.com/lang/en/docs/cli/add/#toc-yarn-add-alias`
docs: add note about Bun (#6001) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> 2024-01-26 17:52:25 +07:00
			`[^1]: [yarn.lock](#bun) must be generated`