Open amascia opened 9 months ago
Hey @amascia, we are taking a look and we believe you are probably right that we need to filter out the dev dependencies from these kinds of scans. Thanks for the detailed report and reproduction steps--much appreciated!
Hey, I am able to provide Syft both the `package.json` and the lock file (whether it be `package-lock.json` or `yarn.lock`), so Syft has all the information it needs to be able to determine whether or not something is a development-only dependency. I'm looking forward to this feature being implemented.
+1. Would be a really useful feature. Thanks!
@tgerla Very useful feature; desperately asking to support this, as when delivering regulatory governance data, development dependencies shouldn't be shared. Even the JSON output contains some information about scope, so the team can write some alternative code to filter off the devDependencies.
What happened: When scanning a directory with the following files:
- `package.json`
- `package-lock.json`

It outputs a result that includes the `async` devDependency.

What you expected to happen: Syft does not output dev-dependencies, as is done when scanning a `Pipfile.lock`.

Steps to reproduce the issue: Run syft on a directory containing the above files.

Anything else we need to know?:

Environment:
- `syft version`:
- (`cat /etc/os-release` or similar):
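As an added illustration of the two points raised above (that the lock file already carries enough information to tell dev-only packages apart, and that a team can filter them out after the fact), here is a small Python script that reads the `dev: true` marker npm writes into `package-lock.json` and splits packages into production and dev-only sets. This is example code, not part of Syft; the sample lock file is constructed inline.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 2 layout), not taken from the issue.
SAMPLE_LOCK = json.dumps({
    "name": "demo",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"lodash": "^4.17.21"}, "devDependencies": {"async": "^3.2.4"}},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/async": {"version": "3.2.4", "dev": True},
    },
})


def split_dependencies(lock_text):
    """Return (production, dev) dicts of name -> version from a package-lock.json.

    npm marks entries reachable only through devDependencies with "dev": true, both in
    the lockfileVersion 1 nested "dependencies" tree and the v2/v3 flat "packages" map.
    """
    lock = json.loads(lock_text)
    prod, dev = {}, {}
    if "packages" in lock:                      # lockfileVersion 2 or 3
        for path, entry in lock["packages"].items():
            if path == "":                      # root project record, not a dependency
                continue
            name = path.rsplit("node_modules/", 1)[-1]
            (dev if entry.get("dev") else prod)[name] = entry.get("version")
    else:                                       # lockfileVersion 1
        def walk(tree):
            for name, entry in tree.items():
                (dev if entry.get("dev") else prod)[name] = entry.get("version")
                walk(entry.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return prod, dev


def filter_sbom_packages(sbom_names, lock_text):
    """Drop names that the lock file marks as dev-only from a list of SBOM package names."""
    _, dev = split_dependencies(lock_text)
    return [n for n in sbom_names if n not in dev]


if __name__ == "__main__":
    prod, dev = split_dependencies(SAMPLE_LOCK)
    print("production:", prod)
    print("dev-only:", dev)
```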