
Dev dependency exclusion is not working properly

Open sametr35 opened this issue 1 year ago • 2 comments

Hi,

Even though we scan our JavaScript repository dependencies, excluding dev dependencies, vulnerabilities in dev dependencies are still being reported. We utilize the following configurations in GitHub Actions.

  - name: Generate dependency vulnerability list
    continue-on-error: true
    uses: dependency-check/Dependency-Check_Action@main
    id: depcheck
    with:
      project: 'Project Name'
      path: '.'
      format: 'ALL'
      args: >
        --nodeAuditSkipDevDependencies

Thanks.

sametr35 avatar Mar 14 '24 12:03 sametr35

+up

sametr35 avatar Mar 19 '24 07:03 sametr35

Please see the documentation: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

There are two analyzers that deal with nodeJS. So try:

--nodePackageSkipDevDependencies

Or even:

--disableNodeJS

I might go with the latter as the package analyzer needs to be re-written or thrown away.

jeremylong avatar Mar 19 '24 09:03 jeremylong
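The reporter's GitHub Actions step with the fix from the reply applied, as an added example (not the configuration posted in the issue and not the project's own documentation). Because two analyzers handle Node.js, both skip flags are passed: `--nodeAuditSkipDevDependencies` for the Node Audit analyzer and `--nodePackageSkipDevDependencies` for the Node Package analyzer. The project name and path are placeholders.

```yaml
# Added example: both Node.js analyzers told to skip devDependencies.
# Flag names are the ones cited in the thread; project/path are placeholders.
  - name: Generate dependency vulnerability list
    continue-on-error: true
    uses: dependency-check/Dependency-Check_Action@main
    id: depcheck
    with:
      project: 'Project Name'
      path: '.'
      format: 'ALL'
      args: >
        --nodeAuditSkipDevDependencies
        --nodePackageSkipDevDependencies
```

The `>` folded scalar joins the two lines into a single space-separated argument string. If the Node Package analyzer is not wanted at all, the reply's alternative is to replace both flags with `--disableNodeJS`. Either way, verify the change by re-running the scan and confirming that a package listed only under `devDependencies` in `package.json` no longer appears in the report.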