Add support for npm-shrinkwrap.json files #324
Labels
Comments
|
@jeremylong Any sign of shrinkwrap being supported? When DependencyCheck finds vulnerabilities in nested dependencies the only course of action in npm is to override them with shrinkwrap. (Unless you have come across another way?) Currently DependencyCheck doesn't support shrinkwraps and therefore continues to fail the tests. This is huge, and a major blocker to continued usage of DependencyCheck. |
|
This was recently merged into the master branch (see #1006). We have not yet performed a release with this update yet; I'm hoping in about 1 week. |
|
Great work, looking forward to the release! Thank you. |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
In writing documentation for the new Node.js analyzer, I added a link to nsp. Reading that page, I noticed that nsp also handles a thing called a NPM shrinkwrap file, which seems akin to a Ruby Bundler
Gemfile.lockfile. It might be straightforward to extend D-C analysis to these files.The text was updated successfully, but these errors were encountered: