Syft outputs devDependencies for package-lock.json files #2348
Comments
Hey @amascia, we are taking a look and we believe you are probably right that we need to filter out the dev dependencies from these kinds of scans. Thanks for the detailed report and reproduction steps--much appreciated!
Hey, I am able to provide Syft both the
+1. Would be a really useful feature. Thanks!
@tgerla Very useful feature. Desperately asking to support this, as when delivering regulatory governance data, development dependencies shouldn't be shared.
What happened:
When scanning a directory with the following files:
package.json
package-lock.json
It outputs
with the async devDependency.

What you expected to happen:
Syft does not output dev-dependencies, as is done when scanning a Pipfile.lock.

Steps to reproduce the issue:
Run syft on a directory containing the above file.

Anything else we need to know?:

Environment:
syft version:
OS (cat /etc/os-release or similar):
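As an added example (not Syft's code and not part of the issue thread), the following Python check classifies the entries of an npm package-lock.json (lockfileVersion 2 or 3) into production and dev-only packages using the "dev" and "devOptional" flags that npm writes into the "packages" map. This is the distinction the report asks Syft to honour; the sample lock file embedded below is constructed for the example.

```python
"""Classify entries in an npm package-lock.json (lockfileVersion 2 or 3) as
production or development dependencies.

Constructed example, not Syft code: the issue describes Syft emitting every
entry, including those npm marks with "dev": true.
"""
import json

# Constructed sample lock file (not taken from the issue): `async` is installed
# only as a devDependency, `lodash` is a runtime dependency.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "version": "1.0.0",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0",
             "dependencies": {"lodash": "^4.17.21"},
             "devDependencies": {"async": "^3.2.4"}},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/async": {"version": "3.2.4", "dev": True},
    },
})


def split_lock_packages(lock_text):
    """Return (production, development) lists of (name, version) tuples.

    In lockfileVersion 2/3 the "packages" map is keyed by install path; the
    root project is the empty key and is skipped. Entries installed only for
    development carry "dev": true; "devOptional" is treated as dev as well.
    """
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")
    prod, dev = [], []
    for path, entry in lock["packages"].items():
        if path == "":
            continue
        # The package name is everything after the last "node_modules/"
        # segment, which also handles scoped packages (@scope/name).
        name = path.rsplit("node_modules/", 1)[-1]
        record = (name, entry.get("version", ""))
        if entry.get("dev") or entry.get("devOptional"):
            dev.append(record)
        else:
            prod.append(record)
    return prod, dev


if __name__ == "__main__":
    prod, dev = split_lock_packages(SAMPLE_LOCK)
    print("production:", prod)
    print("dev-only (would be excluded from a production SBOM):", dev)
```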