snyk / vulncost

Find security vulnerabilities in open source npm packages while you code
https://marketplace.visualstudio.com/items?itemName=snyk-security.vscode-vuln-cost
MIT License
201 stars 38 forks

display vulns in package.json #12

Closed bmvermeer closed 4 years ago

bmvermeer commented 4 years ago

Maybe in the future. I don't believe it is good to do this by default. I think it will be considered noise, but let's monitor this. Maybe we should make it optional just like in the CLI.

thisislawatts commented 4 years ago

@bmvermeer I am not sure I agree, given the user is in the manifest file and seeing Snyk annotations on their dependencies the absence of annotations on the devDependencies does not clearly communicate these are being ignored by default. Instead my assumption would be that these devDeps should be considered safe/secure.

thisislawatts commented 4 years ago

@bmvermeer In case my earlier edit got missed, we should definitely filter out any packages which are not being loaded from NPM; this includes the GitHub & local style mentioned here: https://docs.npmjs.com/files/package.json#github-urls
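
One way to implement the two points raised in this thread (scan devDependencies alongside dependencies, and skip anything that is not resolved from the npm registry), written here as an added example that is not part of vulncost or of any comment above. The classification rules are my reading of the npm package.json documentation linked in the comment: `file:`/`link:`/relative paths are local, `git+*:`, `github:` and `user/repo[#ref]` shorthand are git sources, plain `http(s)://` specs are tarball or repository URLs, and everything else (semver ranges, dist-tags, `npm:` aliases) is a registry spec. The `includeDev` flag, the helper names and the sample manifest are constructed for illustration.

```javascript
// Added example (not vulncost's own code): classify package.json dependency
// specifiers so that only packages fetched from the npm registry are sent for
// a name@range vulnerability lookup; git, URL and local specs are skipped.
// The rules below are an assumption based on https://docs.npmjs.com/files/package.json.

// Anything with a git-style protocol prefix, including hosted-git shorthands.
const GIT_PROTOCOLS = /^(git\+ssh|git\+https?|git\+file|git|ssh|github|gitlab|bitbucket|gist):/i;
// Plain URLs: remote tarballs, or https://github.com/... repository URLs.
// Either way the registry is not consulted, so both are skipped.
const HTTP_URL = /^https?:\/\//i;
// Local packages: file:/link: specs, workspace protocols, and bare paths.
const LOCAL_PATH = /^(file:|link:|workspace:|portal:|\.\.?\/|\/|~\/)/i;
// GitHub shorthand: "user/repo", "user/repo#ref", "user/repo#semver:^1.2".
// Semver ranges never contain a "/" so this cannot match a registry spec.
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;

// Returns 'registry' | 'git' | 'url' | 'local' for one dependency spec.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (LOCAL_PATH.test(s)) return 'local';
  if (GIT_PROTOCOLS.test(s)) return 'git';
  if (HTTP_URL.test(s)) return 'url';
  if (GITHUB_SHORTHAND.test(s)) return 'git';
  // Semver ranges, dist-tags ("latest", "beta") and "npm:real-name@range"
  // aliases all resolve on the registry.
  return 'registry';
}

// Walks the manifest sections and splits entries into the ones worth a
// registry lookup and the ones to skip (with the reason). devDependencies are
// included by default so their absence from the annotations is a choice, not
// an accident; pass { includeDev: false } to mirror the CLI's opt-in behaviour.
function collectScannable(packageJsonText, { includeDev = true } = {}) {
  const manifest = JSON.parse(packageJsonText);
  const sections = ['dependencies', 'optionalDependencies'];
  if (includeDev) sections.push('devDependencies');

  const scan = [];
  const skipped = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const kind = classifySpec(spec);
      if (kind === 'registry') scan.push({ name, spec, section });
      else skipped.push({ name, spec, section, reason: kind });
    }
  }
  return { scan, skipped };
}

// Constructed sample manifest covering each spec style (not a real project).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo',
  dependencies: {
    express: '^4.17.1',
    lodash: '4.17.15',
    'my-fork': 'someuser/my-fork#v1.0.0',
    'internal-lib': 'file:../internal-lib',
    'legacy-util': 'git+https://github.com/example/legacy-util.git',
    'tarball-pkg': 'https://example.com/tarball-pkg-1.0.0.tgz',
    aliased: 'npm:left-pad@^1.3.0',
  },
  devDependencies: {
    jest: '~26.0.0',
    'local-tooling': '../tooling',
  },
});

// Usage: show what would and would not be sent for a vulnerability lookup.
const result = collectScannable(SAMPLE_PACKAGE_JSON, { includeDev: true });
console.log('scan:', result.scan.map((d) => `${d.name}@${d.spec}`).join(', '));
console.log('skip:', result.skipped.map((d) => `${d.name} (${d.reason})`).join(', '));
```

With the sample manifest, `express`, `lodash`, the `npm:` alias and `jest` go to the lookup; the GitHub shorthand, the `git+https` URL, the tarball URL and both local paths are skipped with their reason, so the extension can still annotate them as "not checked" rather than silently leaving them blank.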

thisislawatts commented 4 years ago

:tada: This PR is included in version 1.2.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: