
Option to flag bundled dependencies?

Open sarnesjo opened this issue 2 years ago • 2 comments

In npm, dependencies (including indirect dependencies) may be bundled, meaning they are included in the published package tarball. A bundled dependency may be modified compared to the version that exists in the registry. (We've seen examples of this while working on deps.dev.)

npm marks bundled dependencies in the package-lock.json file, using either an inBundle or bundled field depending on version. Currently, osv-scanner does not read these fields, and therefore does not report whether a dependency is bundled or not.

It'd be neat if osv-scanner could optionally flag bundled dependencies, as they may require further scrutiny, especially once osv-scanner reports issues besides vulnerabilities, for example licenses as mentioned in #477.

sarnesjo, Aug 11 '23 04:08
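As an added example (not code from the osv-scanner project), a small Go function that reads the `inBundle` (lockfile v2/v3) and `bundled` (v1) fields described above and lists the bundled packages so a scanner could flag them; the sample lockfile is constructed for the example.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
)

// Constructed sample (lockfile v3): "b" ships inside a's tarball, so npm marks it "inBundle".
const sampleLock = `{"lockfileVersion": 3, "packages": {"": {"name": "demo", "version": "1.0.0"},
  "node_modules/a": {"version": "1.2.3"}, "node_modules/c": {"version": "2.0.0"},
  "node_modules/a/node_modules/b": {"version": "0.1.0", "inBundle": true}}}`
type lockPkg struct {
	Version      string             `json:"version"`
	InBundle     bool               `json:"inBundle"`     // lockfile v2/v3
	Bundled      bool               `json:"bundled"`      // lockfile v1
	Dependencies map[string]lockPkg `json:"dependencies"` // v1 nests transitive deps here
}

// BundledDeps returns sorted "name@version" entries for every package the lockfile marks as bundled.
func BundledDeps(data []byte) ([]string, error) {
	var lf struct {
		Packages     map[string]lockPkg `json:"packages"`     // v2/v3, keyed by install path
		Dependencies map[string]lockPkg `json:"dependencies"` // v1, keyed by name
	}
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	var out []string
	for path, p := range lf.Packages { // v2/v3: name is everything after the last "node_modules/"
		if i := strings.LastIndex(path, "node_modules/"); p.InBundle && i >= 0 {
			out = append(out, path[i+13:]+"@"+p.Version)
		}
	}
	var walk func(map[string]lockPkg) // v1 layout: recurse into nested "dependencies"
	walk = func(deps map[string]lockPkg) {
		for name, p := range deps {
			if p.Bundled {
				out = append(out, name+"@"+p.Version)
			}
			walk(p.Dependencies)
		}
	}
	if lf.Packages == nil { // v2 files carry both maps; avoid double-reporting
		walk(lf.Dependencies)
	}
	sort.Strings(out)
	return out, nil
}
```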

This issue has not had any activity for 60 days and will be automatically closed in two weeks

github-actions[bot], Jul 21 '24 18:07

Automatically closing stale issue

github-actions[bot], Aug 04 '24 19:08