dependabot-core
Allow optional package manifest file name args in config.
Currently the NPM / Yarn plugin uses manifests such as package.json and yarn.lock; however, some use cases such as CRA (Create React App) templates store the dependency manifest in an alternative file (template.json). An example can be seen here: https://github.com/facebook/create-react-app/blob/master/packages/cra-template/template.json. Other than the file name change, the structure of the file is the same for the dependencies key. I propose adding an optional argument which can be defined in the YAML config to set an alternative manifest file name to allow for these cases.
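To make the proposal concrete, here is an added example in Ruby (dependabot-core's own language) of what a configurable manifest-name list could look like. This is not dependabot's code and does not reflect how its file fetchers or parsers actually work: the config key `manifests`, the helper names, and the two sample manifests embedded below are all assumptions constructed for this example. It also takes the issue's description at face value, i.e. that `template.json` carries its `dependencies` key at the top level exactly like `package.json`; if the real file nests them elsewhere, the key lookup would need to change.

```ruby
require "json"

# Constructed sample files standing in for a checked-out repository. Package
# names and version strings are illustrative only.
SAMPLE_FILES = {
  "package.json" => <<~JSON,
    {
      "name": "example-app",
      "dependencies": { "react": "^17.0.2", "lodash": "4.17.20" },
      "devDependencies": { "eslint": "^7.0.0" }
    }
  JSON
  "template.json" => <<~JSON,
    {
      "dependencies": { "react": "^17.0.2", "react-scripts": "4.0.0" }
    }
  JSON
  "README.md" => "not a manifest"
}.freeze

# File names the (hypothetical) plugin always looks for, plus the sections
# inside a manifest that declare dependencies.
DEFAULT_MANIFESTS = ["package.json"].freeze
DEP_SECTIONS = %w[dependencies devDependencies].freeze

Dependency = Struct.new(:name, :requirement, :manifest, :section)

# Hypothetical config shape: an optional "manifests" list that extends (never
# replaces) the default file names, which is what the issue proposes.
def manifest_names(config)
  (DEFAULT_MANIFESTS + Array(config["manifests"])).uniq
end

# Parse one manifest. Because the issue says template.json shares package.json's
# dependencies layout, the same parser serves both; malformed input raises
# rather than silently yielding an empty dependency list.
def parse_manifest(name, content)
  doc = JSON.parse(content)
  raise ArgumentError, "#{name}: expected a JSON object" unless doc.is_a?(Hash)

  DEP_SECTIONS.flat_map do |section|
    deps = doc.fetch(section, {})
    raise ArgumentError, "#{name}: #{section} must be an object" unless deps.is_a?(Hash)

    deps.map { |dep, req| Dependency.new(dep, req.to_s, name, section) }
  end
end

# Walk every configured manifest name, skipping names absent from the repo,
# and return a flat list that records which file each dependency came from.
def collect_dependencies(files, config)
  manifest_names(config).flat_map do |name|
    content = files[name]
    next [] if content.nil?

    parse_manifest(name, content)
  end
end

if $PROGRAM_NAME == __FILE__
  deps = collect_dependencies(SAMPLE_FILES, { "manifests" => ["template.json"] })
  deps.each { |d| puts "#{d.manifest}: #{d.name} #{d.requirement} (#{d.section})" }
end
```

Keeping the source manifest on each `Dependency` matters for a tool like this: an update to `react` found in `template.json` has to be written back to that file, not to `package.json`, and the maintainer's reply below explains why threading that file name through every later stage is the expensive part.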
Hi @robputt796, did you hear back anything about this issue? I'm having the same issue here.
This one is tricky because it's very similar to https://github.com/dependabot/dependabot-core/issues/2883, but slightly different because it's not just a config allow/ignore issue of already known manifests... it's about discovering manifests hiding in unexpected files. Unfortunately, the names of manifests are baked into our code logic in many, many places.
And it'd be hard to just make those file names configurable w/o losing a lot of simplicity... I'm afraid I just don't see us going this route in the foreseeable future, at least not generically for most ecosystems.
The better thing to do is probably open specific issues for specific file types you'd like to see supported. And then we can discuss on a case-by-case basis whether to expand that ecosystem to support that file.
For example, for GitHub Actions, Maven, and Dockerfiles we've expanded over the past year the types of files that we scan. I could also see us doing something like this possibly down the road for certain Python ecosystems and a bit more for Dockerfiles.
I'm going to close as "wontfix" in the general sense, but please do file issues for the specific use cases you have in mind.