JavaScript

Supported frameworks and package managers

Code analysis

Snyk Code supports the following frameworks:

• React

• Vue.js

• Express

• jQuery

• Angular

• NodeJS

Open source and licensing

Snyk Open Source provides full support for both npm and Yarn, as outlined below.

npm

The following table shows the npm lockfile versions and Snyk features availability matrix.

Peer dependencies

In npm v7 and above, the behavior of peer dependencies changes if they are being installed by default. To match this in npm v7+ Projects, Snyk assumes peer dependencies are installed and scans them by default.

The only case in which an npm v7+ Project ignores peer dependencies is if they are explicitly marked as optional in the peerDependenciesMeta object in the package.json as shown here for cache-manager:

{
    ...
    "peerDependenciesMeta": {
        "cache-manager": {
            "optional": true
        }
    },
    ...
}

In npm v6 and below, peer dependencies are not scanned by default, as the package manager does not install them by default. To scan peer dependencies, make sure they are installed, and then run the CLI with the --peer-dependencies option.

Lockfile versions

Snyk uses the package-lock.json lockfile when present to generate a dependency tree for your Project. These lockfiles come in different versions.

Lockfile v1 was used in npm v5 and v6. Two new formats were introduced in npm v7 - lockfile v2 and lockfile v3 (see lockfileVersion).

You can see which lockfile format you are using in the package-lock.json, as follows:

{
    ...
    "lockfileVersion": 3,
    ...
}

If you want to force npm to create a specific lockfile version, use the npm --lockfile-version parameter.

npm install --lockfile-version=2

Yarn

Snyk uses the Yarn lockfile (yarn.lock) to generate a representation of Project dependencies.

The files Snyk relies on to scan a Project may change on version upgrades of the package manager. Snyk lists only versions verified internally as supported.

If you are using a newer version of Yarn than is listed on this page, you may find Snyk performs as expected because Yarn is using a lockfile version that is already supported. That version of Yarn has likely not been evaluated and, thus, not added to this page.

The following table shows the Yarn versions and Snyk features availability matrix.

Partially supported package managers

Snyk currently does not fully support Lerna. If your Project is set up using Yarn Workspaces, you can scan the Project in the same way you scan any Yarn Workspaces Project.

If your Lerna Project is set up using Yarn Workspaces, you can run snyk test and snyk monitor as follows:

For each example package, you can use the following:

snyk monitor --file=packages/example-package/package.json

Alternatively, you can specify a script to automate scanning of nested package.json files:

ls packages | xargs -I PKG_NAME snyk monitor --file=packages/PKG_NAME/package.json

Open source policy

To manage licenses from your developer workflows through policy, see the following topics:

• Defining a secure open source policy

• Use Snyk security policies to prioritize fixes more efficiently

Open source license compliance

To check compliance for open source licenses, see Getting Started with Snyk License Compliance Management.

Getting started with Snyk for Javascript across environments

Snyk CLI

Prerequisites

• Create a Snyk account

• Install Snyk CLI and authenticate your machine

• Set the default Organization for all Snyk tests (code analysis)

Code analysis

To start testing your code using Snyk Code open your repository in a terminal and run the following command:

snyk code test

To customize test options, run other commands, exclude directories and files, and explore the results in different formats, see the following:

• Snyk CLI commands

• Exclude directories and files from the Snyk tests

• Explore test results in a JSON or SARIF format in the terminal

• Exporting the test results to a JSON or SARIF file

Open source and licensing

The following table lists the steps to start scanning your dependencies. It covers basic commands, such as snyk test and snyk monitor. To check the full list, see CLI commands and options summary.

Monorepo Projects

Snyk only scans one manifest file at a time. To scan all manifest files, you can use an argument in the CLI (see Does the Snyk CLI support monorepos or multiple manifest files?).

npm workspaces

NPM v7 introduced the concept of workspaces. See lockfile version and Snyk feature availability matrix.

Example

To detect and scan all workspaces in your npm project, use the --all-projects Snyk CLI parameter, as follows:

snyk test --all-projects

Yarn workspaces

For Yarn Workspaces, you can use the following flags:

• --all-projects : Test and monitor your packages with other Projects or --yarn-workspaces , scanning only Yarn Workspaces Projects. The root lock file is referenced when scanning all the packages.

• --detection-depth : Find sub-folders that are not auto-discovered by default.

• --strict-out-of-sync=false : Relax strict synchronization requirements for packages in a Yarn workspace. When set to false , you can run Snyk tests with unsynchronized package.json and the package-lock.json files without throwing errors. Using different dependency versions can introduce potential risks, such as compatibility issues or security vulnerabilities.

• --policy-path : Specify the path to a policy used by Snyk during testing.

Examples

Scan the packages that belong to any discovered workspaces in this directory, five deep sub-directories, and any other Projects detected.

snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 

Scan only the Yarn Workspace packages that belong to any discovered workspaces in this directory and five deep sub-directories.

snyk test --yarn-workspaces --strict-out-of-sync=false --detection-depth=6

Use a common .snyk policy file, if you maintain ignores and patches in one place to be applied for all detected workspaces by using the policy path (see The .snyk file).

snyk test --all-projects --strict-out-of-sync=false --policy-path=src/.snyk

Snyk Web UI (Git repository integration)

You can import JavaScript repositories from any Git services (Source Control Managers) Snyk supports (see Git repositories). After the import, Snyk analyzes your Projects based on their supported manifest files.

Navigate to the How Snyk works for open source and licensing page for more details.

Import Project

To import Projects from a Git repository integration:

1. Open Snyk Web UI and go to your Group and Organization.

2. Go to Projects.

3. Click Add Projects, select the import source, and choose the repository If you have an integrated Git repository (GitHub) it shows up as an option to choose from.

Navigate to the Import a Project page for more details.

Configure language settings for open source

Configure language settings for your open source and licensing at the Organization level. The configuration settings apply to all Projects in that Organization.

1. Open Snyk Web UI and go to Settings > Languages section.

2. Under Languages, go to JavaScript and select Edit settings.

3. Configure the settings based on your package manager, npm or Yarn.

• Scan and fix dev dependencies: If this is selected, Snyk reads the devDependencies property on the package.json and reports and fixes any vulnerabilities accordingly.

• Require package.json and package-lock.json/yarn.lock files to be in sync: When this is selected, if the package.json and package-lock.json/yarn.lockfiles are out-of-sync, Snyk fails the import.

• Exclude package-lock.json from being generated when fixing vulnerabilities: If you are using private mirrors or registries, a Snyk-generated lockfile might not be appropriate for you because Snyk uses the npm registry to update the lockfile. This setting allows you to opt out of getting lockfiles generated for you in Snyk fix pull requests and merge requests.

4. Update Settings to save changes.

Fix PRs and npm save-prefix

When creating a fix for vulnerabilities using npm v7+ Projects, Snyk will use the default npm save-prefix rather than inferring it from your Project.

This means if you have dependencies using a range format other than the caret range (^), you may see additional changes to the version fields in the package-lock.json file.

These changes should not affect day-to-day functionality, as the ranges will be read from the package.json.

Fix PRs for Yarn zero-installs users

In Yarn v2, the zero-installs feature was released, which allowed Yarn developers to work on a Project without having to run yarn to install dependencies on their machine.

Zero-installs achieved this by installing all the dependencies of a Project inside of the .yarn/cache directory and asking users to commit this to their version control system , allowing the next developer to pull any new dependencies directly from the repo.

What's next?

• Open a Fix PR

• Configure PR Checks

Snyk integrations

For integrated development environments, see Use Snyk in your IDE.

If you prefer continuous integration/continuous delivery workflows, you can scan with Snyk based on the integration with your automation software (see Snyk CI/CD and Snyk API).

Best practices

To apply best practices for Javascript environments, see Best practices for Javascript.

Troubleshooting

If you need help, contact Snyk Support.