hyperledger / fabric-admin-sdk

Fabric SDK for Admin Capability services
Apache License 2.0
31 stars 19 forks

Remove OSV-Scanner from vulnerability scan #138

Closed bestbeforetoday closed 1 year ago

bestbeforetoday commented 1 year ago

Running OSV-Scanner on the Node package-lock.json file could also detect vulnerabilities in dev dependencies. The intention of the vulnerability scan is to ensure that the production dependencies do not contain vulnerabilities, not the dev dependencies. This could be resolved by generating a Software Bill of Materials (SBOM) for the Node project, omitting dev dependencies, and running OSV-Scanner on the SBOM. Unfortunately, the use of non-semver tags (such as latest) in the dependency tree causes errors in npm ls when generating an SBOM.

Govulncheck and npm audit already do a good job of detecting vulnerabilities in Go and Node respectively so, for now at least, remove OSV-Scanner.
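An added Python illustration of the production-only SBOM approach the description proposes (filter a lockfileVersion 3 package-lock.json down to non-dev packages, emit a minimal CycloneDX document for a scanner, and flag dist-tag specs such as `latest` that are not semver ranges). This is not code from the PR or from fabric-admin-sdk; the lockfile contents and the dist-tag heuristic are constructed assumptions.

```python
import re

# Constructed sample in the lockfileVersion 3 layout; not the real fabric-admin-sdk lockfile.
# npm marks packages that are reachable only from devDependencies with "dev": true.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"fabric-protos": "^2.5.0", "yaml-lib": "latest"},
            "devDependencies": {"typescript": "~5.0.0"},
        },
        "node_modules/fabric-protos": {"version": "2.5.0", "dependencies": {"protobufjs": "^7.2.0"}},
        "node_modules/protobufjs": {"version": "7.2.4"},
        "node_modules/yaml-lib": {"version": "1.9.0"},
        "node_modules/typescript": {"version": "5.0.4", "dev": True},
    },
}

# Heuristic (assumption): a spec that starts with a letter and has no range operators is a
# dist-tag ("latest", "next", "beta"), which npm ls cannot validate against an installed version.
DIST_TAG = re.compile(r"^[A-Za-z][\w.-]*$")


def _name(path):
    # "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" has no name.
    return path.split("node_modules/")[-1]


def production_packages(lock):
    """Return {name: resolved version} for every package not flagged as dev-only."""
    return {_name(p): m["version"] for p, m in lock["packages"].items()
            if p != "" and not m.get("dev")}


def dist_tag_specs(lock):
    """Return [(dependant, dependency, spec)] for production edges whose spec is a dist-tag."""
    hits = []
    for path, meta in lock["packages"].items():
        if meta.get("dev"):
            continue  # dev subtrees are out of scope for the production scan
        for dep, spec in meta.get("dependencies", {}).items():
            if DIST_TAG.match(spec):
                hits.append((_name(path) or "(root)", dep, spec))
    return hits


def cyclonedx_bom(lock):
    """Minimal CycloneDX 1.4 JSON structure listing only production packages, keyed by npm purl."""
    comps = [{"type": "library", "name": n, "version": v, "purl": f"pkg:npm/{n.replace('@', '%40')}@{v}"}
             for n, v in sorted(production_packages(lock).items())]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": comps}
```

Serialise `cyclonedx_bom(...)` with `json.dumps` to get a file a scanner can consume; a non-empty `dist_tag_specs(...)` result is the situation the description says breaks `npm ls`.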