ffluegel

Results 3 comments of ffluegel

I also noticed that "Node Audit Analyzer" doesn't work with certain package-lock.json files. There's no error, but the report shows "Dependencies Scanned: 0". Whenever it happens, I can see the...

You can use this repo to test it: https://github.com/lerna/lerna/tree/main

`npm audit` says:

```
# npm audit report
ejs =0.0.2
Depends on vulnerable versions of express
node_modules/verdaccio-audit
5 moderate severity vulnerabilities...
```

It turns out that it's not an issue with dependency-check and is related to lockfileVersion 3 and the "legacy" [Quick Audit Endpoint](https://docs.npmjs.com/cli/v10/commands/npm-audit#quick-audit-endpoint). This old endpoint (used by dependency-check) doesn't work with...