JavaScript

Supported frameworks and package managers

Code analysis

Snyk Code supports the following frameworks:

  • React

  • Vue.js

  • Express

  • jQuery

  • Angular

  • NodeJS

Open source and licensing

Snyk Open Source provides full support for both npm and Yarn, as outlined below.

npm

The following table shows the npm lockfile versions and Snyk feature availability matrix.

Lockfile version    CLI support    Git support    License scanning    Fix PRs
Lockfile v1         ✔︎              ✔︎              ✔︎                   ✔︎
Lockfile v2         ✔︎              ✔︎              ✔︎                   ✔︎
Lockfile v3         ✔︎              ✔︎              ✔︎                   ✔︎

Peer dependencies

In npm v7 and above, peer dependencies are installed by default. To match this behavior in npm v7+ Projects, Snyk assumes peer dependencies are installed and scans them by default.

The only case in which an npm v7+ Project ignores peer dependencies is when they are explicitly marked as optional in the peerDependenciesMeta object of the package.json, as shown here for cache-manager:

{
    ...
    "peerDependenciesMeta": {
        "cache-manager": {
            "optional": true
        }
    },
    ...
}

In npm v6 and below, peer dependencies are not scanned by default, as the package manager does not install them by default. To scan peer dependencies, make sure they are installed, and then run the CLI with the --peer-dependencies option.

Lockfile versions

Snyk uses the package-lock.json lockfile when present to generate a dependency tree for your Project. These lockfiles come in different versions.

Lockfile v1 was used in npm v5 and v6. Two new formats, lockfile v2 and lockfile v3, were introduced in npm v7 (see lockfileVersion).

You can see which lockfile format you are using in the package-lock.json, as follows:

{
    ...
    "lockfileVersion": 3,
    ...
}

If you want to force npm to create a specific lockfile version, use the npm --lockfile-version parameter.

npm install --lockfile-version=2
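As an added illustration (not code from the Snyk documentation or the Snyk CLI), the following Node.js script applies the peer-dependency and lockfile rules above to constructed package.json and package-lock.json objects: it reads lockfileVersion to tell an npm v5/v6 Project from an npm v7+ one, and for npm v7+ it splits the peer dependencies into those scanned by default and those ignored because peerDependenciesMeta marks them optional. The function names and sample data are the example's own.

```javascript
// Constructed sample package.json: one required peer dependency, one marked optional.
const samplePackageJson = {
  name: "sample-app",
  peerDependencies: { "cache-manager": "^5.0.0", react: "^18.0.0" },
  peerDependenciesMeta: { "cache-manager": { optional: true } },
};

// Constructed sample package-lock.json header (only the field we inspect).
const sampleLockfile = { name: "sample-app", lockfileVersion: 3 };

// Map a lockfileVersion to the npm generation that writes it:
// v1 comes from npm v5/v6, v2 and v3 from npm v7 and above.
function npmVersionsForLockfile(lockJson) {
  switch (lockJson.lockfileVersion) {
    case 1: return "npm v5-v6";
    case 2:
    case 3: return "npm v7+";
    default: return "unknown";
  }
}

// For an npm v7+ Project: every peer dependency is scanned unless
// peerDependenciesMeta.<name>.optional is exactly true.
function classifyPeerDependencies(pkgJson) {
  const peers = pkgJson.peerDependencies || {};
  const meta = pkgJson.peerDependenciesMeta || {};
  const scanned = [];
  const ignored = [];
  for (const name of Object.keys(peers)) {
    if (meta[name] && meta[name].optional === true) ignored.push(name);
    else scanned.push(name);
  }
  return { scanned, ignored };
}

// Decide whether peer dependencies are scanned by default for this Project.
// Lockfile v1 means npm v6 or below, where the CLI needs --peer-dependencies
// (and the peer dependencies must actually be installed) to include them.
function peerDependencyScanPlan(pkgJson, lockJson) {
  const npmV7Plus = lockJson.lockfileVersion >= 2;
  if (!npmV7Plus) {
    return { scannedByDefault: false, scanned: [], ignored: [], cliFlag: "--peer-dependencies" };
  }
  return { scannedByDefault: true, ...classifyPeerDependencies(pkgJson), cliFlag: null };
}

console.log(npmVersionsForLockfile(sampleLockfile));
console.log(peerDependencyScanPlan(samplePackageJson, sampleLockfile));
```

On a real Project, replace the two sample objects with JSON.parse of the package.json and package-lock.json read from disk.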

Yarn

Snyk uses the Yarn lockfile (yarn.lock) to generate a representation of Project dependencies.

The files Snyk relies on to scan a Project may change on version upgrades of the package manager. Snyk lists only versions verified internally as supported.

If you are using a newer version of Yarn than is listed on this page, you may find that Snyk performs as expected because that version of Yarn uses a lockfile version that is already supported. Such a Yarn version has likely not yet been evaluated and is therefore not listed on this page.

The following table shows the Yarn versions and Snyk feature availability matrix.

Yarn version    CLI support    Git support    License scanning    Fix PRs
Yarn 1          ✔︎              ✔︎              ✔︎                   ✔︎
Yarn 2          ✔︎              ✔︎              ✔︎                   ✔︎
Yarn 3          ✔︎              ✔︎              ✔︎                   ✔︎

Because different versions of Yarn have different feature sets, Snyk support differs between Yarn versions to match how each version of the package manager works.

Resolutions are supported in Yarn v2 only. Yarn v1 resolutions are not supported.

Partially supported package managers

Snyk currently does not fully support Lerna. If your Project is set up using Yarn Workspaces, you can scan the Project in the same way you scan any Yarn Workspaces Project.

If your Lerna Project is set up using Yarn Workspaces, you can run snyk test and snyk monitor as follows.

For each package, for example example-package, you can use the following:

snyk monitor --file=packages/example-package/package.json

Alternatively, you can specify a script to automate scanning of nested package.json files:

ls packages | xargs -I PKG_NAME snyk monitor --file=packages/PKG_NAME/package.json

Open source policy

To manage licenses from your developer workflows through policy, see the following topics:

Open source license compliance

To check compliance for open source licenses, see Getting Started with Snyk License Compliance Management.

Getting started with Snyk for JavaScript across environments

Snyk CLI

Prerequisites

Code analysis

To start testing your code using Snyk Code open your repository in a terminal and run the following command:

snyk code test

To customize test options, run other commands, exclude directories and files, and explore the results in different formats, see the following:

Open source and licensing

The following table lists the steps to start scanning your dependencies. It covers basic commands, such as snyk test and snyk monitor. To check the full list, see CLI commands and options summary.

To scan your dependencies, ensure you install the relevant package manager and that your Project contains the supported manifest files.

Package manager: npm

Getting started:

  1. Install npm.

  2. Make sure you are in a directory with npm Project files, that is, package.json and package-lock.json.

  3. Run npm install.

  4. (Optional) Run command options for snyk test and snyk monitor.

Description:

Snyk analyzes your package.json and package-lock.json files to build a fully structured dependency tree.

If the package-lock.json is missing, Snyk analyzes your node_modules folder.

Package manager: Yarn

Getting started:

  1. Install Yarn.

  2. Make sure you are in a directory with Yarn Project files, that is, package.json and yarn.lock.

  3. Run yarn.

  4. (Optional) Run command options for snyk test and snyk monitor.

Description:

Snyk analyzes your package.json and yarn.lock files to build a fully structured dependency tree.

If the yarn.lock is missing, Snyk analyzes your node_modules folder.

Monorepo Projects

Snyk only scans one manifest file at a time. To scan all manifest files, you can use an argument in the CLI (see Does the Snyk CLI support monorepos or multiple manifest files?).

npm workspaces

npm v7 introduced the concept of workspaces. See the lockfile version and Snyk feature availability matrix above.

Example

To detect and scan all workspaces in your npm project, use the --all-projects Snyk CLI parameter, as follows:

snyk test --all-projects

Yarn workspaces

nohoist is not supported by Yarn Workspaces.

For Yarn Workspaces, you can use the following flags:

  • --all-projects: Test and monitor your workspace packages together with any other Projects detected, or --yarn-workspaces: scan only Yarn Workspaces Projects. The root lock file is referenced when scanning all the packages.

  • --detection-depth: Find sub-folders that are not auto-discovered by default.

  • --strict-out-of-sync=false: Relax the strict synchronization requirements for packages in a Yarn workspace. When set to false, you can run Snyk tests with unsynchronized package.json and package-lock.json files without errors. Be aware that scanning against a manifest and lockfile that disagree means the dependency versions actually installed may differ from those tested, which can hide compatibility issues or security vulnerabilities.

  • --policy-path: Specify the path to a policy used by Snyk during testing.

For Yarn Workspaces, only the package.json file is updated for Snyk Fix PRs. The yarn.lock file is not updated.

Examples

Scan the packages that belong to any discovered workspaces in this directory and up to five levels of sub-directories, plus any other Projects detected:

snyk test --all-projects --strict-out-of-sync=false --detection-depth=6

Scan only the Yarn Workspace packages that belong to any discovered workspaces in this directory and up to five levels of sub-directories:

snyk test --yarn-workspaces --strict-out-of-sync=false --detection-depth=6

Use a common .snyk policy file, specified with the policy path, if you maintain ignores and patches in one place to be applied to all detected workspaces (see The .snyk file):

snyk test --all-projects --strict-out-of-sync=false --policy-path=src/.snyk

Snyk Web UI (Git repository integration)

You can import JavaScript repositories from any Git services (Source Control Managers) Snyk supports (see Git repositories). After the import, Snyk analyzes your Projects based on their supported manifest files.

How Snyk works for open source and licensing

Import Project

To import Projects from a Git repository integration:

  1. Open Snyk Web UI and go to your Group and Organization.

  2. Go to Projects.

  3. Click Add Projects, select the import source, and choose the repository. If you have an integrated Git repository (for example GitHub), it shows up as an option to choose from.

Import a Project

Configure language settings for open source

Configure language settings for your open source and licensing at the Organization level. The configuration settings apply to all Projects in that Organization.

  1. Open Snyk Web UI and go to Settings > Languages section.

  2. Under Languages, go to JavaScript and select Edit settings.

  3. Configure the settings based on your package manager, npm or Yarn.

  4. Update Settings to save changes.

Fix PRs and npm save-prefix

When creating a fix for vulnerabilities using npm v7+ Projects, Snyk will use the default npm save-prefix rather than inferring it from your Project.

This means that if your dependencies use a range format other than the caret range (^), you may see additional changes to the version fields in the package-lock.json file.

These changes should not affect day-to-day functionality, as the ranges will be read from the package.json.

Fix PRs for Yarn zero-installs users

In Yarn v2, the zero-installs feature was released, which allowed Yarn developers to work on a Project without having to run yarn to install dependencies on their machine.

Zero-installs achieved this by installing all the dependencies of a Project inside the .yarn/cache directory and asking users to commit this directory to their version control system, allowing the next developer to pull any new dependencies directly from the repo.

If you use the zero-installs feature, Snyk Fix PRs do not update the .yarn/cache directory. You must run yarn to update this directory.

What's next?

Snyk integrations

For integrated development environments, see Use Snyk in your IDE.

If you prefer continuous integration/continuous delivery workflows, you can scan with Snyk based on the integration with your automation software (see Snyk CI/CD and Snyk API).

Best practices

To apply best practices for JavaScript environments, see Best practices for JavaScript.

Troubleshooting

If you need help, contact Snyk Support.
