
pnpm devDependencies are included in SBOM by default

Open jayvdb opened this issue 7 months ago • 0 comments

If I understand correctly from https://github.com/anchore/syft/issues/2348 and https://github.com/anchore/syft/pull/3371, devDeps are excluded when using package-lock.json. However, for pnpm lock files, I am seeing dev deps output in the SBOM by default.

jayvdb, May 19 '25 07:05