
Support pnpm as package manager

Open mcmxcdev opened this issue 3 years ago • 2 comments

After checking the source code, I realized that only npm and yarn are supported.

I have the feeling that this is a really valuable tool for people who want to be aware of potential security issues, so it would be amazing if there was official pnpm support too.

P.S.: It would be great to have a small notice of which package managers are supported in the readme, since the error "Running sdc-checkError: There are no metrics data to create report" wasn't telling me clearly what the issue was.

mcmxcdev, Aug 28 '22 18:08

Hey @mcmxcdev! Thanks for your interest in this project.

sdc-check mostly relies on NodeSecure/scanner for data gathering and on lockfile-lint for package.lock linting. It is not possible to support pnpm in sdc-check until it is supported in NodeSecure/scanner.

But I think lockfile-lint already supports pnpm, so you can use it to prevent attacks on your package.lock.

mbalabash, Aug 30 '22 10:08

Thanks for the detailed info.

Afaik, lockfile-lint doesn't support pnpm yet, but there is an open issue for it: https://github.com/lirantal/lockfile-lint/issues/48

mcmxcdev, Aug 30 '22 10:08