Git repositories and JavaScript
Snyk for JavaScript language settings
Configure language settings for open source and licensing at the Organization level. The configuration settings apply to all Projects in that Organization.
In your Snyk account, navigate to Settings > Languages.
Under Languages, navigate to JavaScript and select Edit settings.
Configure the settings based on your package manager, npm or Yarn.
Scan and fix dev dependencies: If this is selected, Snyk reads the devDependencies property in the package.json and reports and fixes any vulnerabilities accordingly.
Require package.json and package-lock.json/yarn.lock files to be in sync: When this is selected, if the package.json and package-lock.json/yarn.lock files are out of sync, Snyk fails the import.
Exclude package-lock.json from being generated when fixing vulnerabilities: If you are using private mirrors or registries, a Snyk-generated lockfile might not be appropriate for you, because Snyk uses the npm registry to update the lockfile. This setting allows you to opt out of having lockfiles generated for you in Snyk fix pull requests and merge requests.
Update Settings to save changes.
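The "in sync" condition behind the second setting can be checked locally before an import, so an out-of-sync manifest is caught in CI rather than as a failed Snyk import. The script below is an added example written for this page, not Snyk's own code; it compares a package.json with a lockfileVersion 2/3 package-lock.json, where the `packages[""]` entry mirrors the manifest's declared dependencies and every declared package has a `node_modules/<name>` entry. The two manifests are constructed sample data.

```javascript
// Added example (not Snyk's code): check that package.json and a
// lockfileVersion 2/3 package-lock.json agree on the declared dependencies.
// Both manifests below are constructed for illustration.

const DEP_FIELDS = ["dependencies", "devDependencies"];

// Returns a list of human-readable mismatches; an empty list means "in sync".
function lockfileMismatches(pkg, lock) {
  const problems = [];
  if (!lock.packages || !(lock.lockfileVersion >= 2)) {
    problems.push(`unsupported lockfileVersion ${lock.lockfileVersion}`);
    return problems;
  }
  const root = lock.packages[""] || {};
  for (const field of DEP_FIELDS) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, spec] of Object.entries(declared)) {
      if (!(name in locked)) {
        problems.push(`${field}: ${name} is missing from the lockfile root`);
      } else if (locked[name] !== spec) {
        problems.push(`${field}: ${name} wants ${spec} but the lockfile has ${locked[name]}`);
      }
      if (!lock.packages[`node_modules/${name}`]) {
        problems.push(`${field}: no resolved entry for node_modules/${name}`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        problems.push(`${field}: ${name} is in the lockfile but not in package.json`);
      }
    }
  }
  return problems;
}

function checkProject(pkg, lock) {
  const problems = lockfileMismatches(pkg, lock);
  return { inSync: problems.length === 0, problems };
}

// Constructed sample: package.json was bumped to ^4.17.21 but the lockfile
// still records the older range, which is exactly the case Snyk rejects.
const packageJson = {
  name: "demo-app",
  dependencies: { lodash: "^4.17.21" },
  devDependencies: { jest: "^29.0.0" },
};

const packageLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { lodash: "^4.17.20" }, devDependencies: { jest: "^29.0.0" } },
    "node_modules/lodash": { version: "4.17.20" },
    "node_modules/jest": { version: "29.0.0", dev: true },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const report = checkProject(packageJson, packageLock);
  console.log(report.inSync ? "lockfile is in sync" : report.problems.join("\n"));
}
```

On a real repository, read both files with `JSON.parse(fs.readFileSync(...))` and fail the pipeline when `inSync` is false. The package managers offer the same gate: `npm ci` refuses to install when package-lock.json disagrees with package.json, and Yarn does the equivalent with `yarn install --frozen-lockfile` (Yarn 1) or `yarn install --immutable` (Yarn 2+).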
Workspaces in Snyk for JavaScript
Yarn and npm workspaces are not explicitly supported in Snyk git repository integration scans.
Root-level package.json manifest files with adjacent lockfiles are scanned as normal.
For nested manifest files with no lockfiles, Snyk approximates what the dependency tree will look like at build time, without using the root lockfile.
Fix PRs and npm save-prefix
When creating a fix for vulnerabilities in npm v7+ Projects, Snyk uses the default npm save-prefix rather than inferring it from your Project.
This means that if you have dependencies using a range format other than the caret range (^), you may see additional changes to the version fields in the package-lock.json file.
These changes should not affect day-to-day functionality, as the ranges are read from the package.json.
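When reviewing a fix PR on a project that does not use the caret prefix, it helps to list which dependency ranges changed style rather than just version. The script below is an added example for this page, not Snyk's code: it infers the project's prevailing range prefix from the pre-fix package.json dependency map, then reports entries in the post-fix map whose prefix differs. The two dependency maps are constructed sample data, and the classification of ranges into caret, tilde, exact and other is a simplification made here.

```javascript
// Added example (not Snyk's code): detect dependency ranges whose prefix
// style changed between two versions of a package.json dependency map.
// npm's default save-prefix is "^"; projects that standardise on "~" or
// exact pins will see that style replaced in a fix PR.

function rangePrefix(spec) {
  if (/^\^/.test(spec)) return "^";
  if (/^~/.test(spec)) return "~";
  if (/^\d/.test(spec)) return "exact";
  return "other"; // e.g. ">=1.0.0", "1.x", git URLs, workspace:* (simplified here)
}

// Most common prefix across a dependency map; falls back to "^" if empty.
function prevailingPrefix(deps) {
  const counts = {};
  for (const spec of Object.values(deps)) {
    const p = rangePrefix(spec);
    counts[p] = (counts[p] || 0) + 1;
  }
  let best = "^";
  let bestCount = -1;
  for (const [p, n] of Object.entries(counts)) {
    if (n > bestCount) { best = p; bestCount = n; }
  }
  return best;
}

// Entries that changed AND no longer follow the project's prevailing prefix.
function prefixDrift(before, after) {
  const expected = prevailingPrefix(before);
  const drifted = [];
  for (const [name, spec] of Object.entries(after)) {
    const prior = before[name];
    if (prior !== undefined && spec !== prior && rangePrefix(spec) !== expected) {
      drifted.push({ name, before: prior, after: spec, expected });
    }
  }
  return drifted;
}

// Constructed sample: a tilde-pinned project where one dependency was
// upgraded by a fix PR using the default caret prefix.
const beforeDeps = { lodash: "~4.17.15", express: "~4.17.1", debug: "~4.3.1" };
const afterDeps = { lodash: "^4.17.21", express: "~4.17.1", debug: "~4.3.1" };

if (typeof require !== "undefined" && require.main === module) {
  for (const d of prefixDrift(beforeDeps, afterDeps)) {
    console.log(`${d.name}: ${d.before} -> ${d.after} (project uses "${d.expected}")`);
  }
}
```

Any entry reported here is a candidate to rewrite by hand in the PR (for example `^4.17.21` back to `~4.17.21`) before merging, so the project's range style stays consistent; as the page notes, the lockfile churn itself does not change runtime behaviour because installs resolve from the package.json ranges.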
Fix PRs for Yarn zero-installs users
Zero-installs achieves this by installing all the dependencies of a Project inside the .yarn/cache directory and asking users to commit this to their version control system, allowing the next developer to pull any new dependencies directly from the repo.
If you use the zero-installs feature, Snyk Fix PRs do not update the .yarn/cache directory. You must run yarn to update this directory.
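A zero-installs repository can verify, before merging a fix PR, that every npm resolution in yarn.lock has a matching archive in .yarn/cache, so a stale cache is caught in review rather than on the next developer's checkout. The script below is an added example for this page, not Snyk's or Yarn's code. It assumes Yarn 2+ cache archives are named `<name>-npm-<version>-<hash>-<hash>.zip`, with a scoped name such as `@babel/core` written as `@babel-core`; that naming convention is an assumption made here and should be checked against your own .yarn/cache. The yarn.lock excerpt and the cache file list are constructed sample data.

```javascript
// Added example (not Snyk's code): report yarn.lock npm resolutions that have
// no archive in .yarn/cache, which is the state a Snyk fix PR leaves a
// zero-installs repo in until someone runs yarn.
// Assumption: cache files are named "<name>-npm-<version>-<hash>-<hash>.zip".

function expectedCachePrefix(resolution) {
  const idx = resolution.lastIndexOf("@npm:");
  if (idx < 0) return null;               // workspace:, patch:, etc. are not npm tarballs
  const name = resolution.slice(0, idx);  // "@babel/core" or "lodash"
  const version = resolution.slice(idx + "@npm:".length);
  return `${name.replace("/", "-")}-npm-${version}-`;
}

// Pull every `resolution: "..."` line out of a Yarn 2+ lockfile.
function lockResolutions(lockText) {
  const out = [];
  for (const m of lockText.matchAll(/^\s*resolution:\s*"([^"]+)"/gm)) out.push(m[1]);
  return out;
}

// Returns the npm resolutions with no matching .zip in the cache listing.
function missingCacheEntries(lockText, cacheFileNames) {
  const missing = [];
  for (const resolution of lockResolutions(lockText)) {
    const prefix = expectedCachePrefix(resolution);
    if (prefix === null) continue;
    const present = cacheFileNames.some((f) => f.startsWith(prefix) && f.endsWith(".zip"));
    if (!present) missing.push(resolution);
  }
  return missing;
}

// Constructed sample: the fix PR bumped lodash in yarn.lock, but .yarn/cache
// still only holds the archive for the previous version.
const sampleYarnLock = `
"@babel/core@npm:^7.22.0":
  version: 7.22.0
  resolution: "@babel/core@npm:7.22.0"
  languageName: node
  linkType: hard

"lodash@npm:^4.17.21":
  version: 4.17.21
  resolution: "lodash@npm:4.17.21"
  languageName: node
  linkType: hard

"demo-app@workspace:.":
  version: 0.0.0-use.local
  resolution: "demo-app@workspace:."
  languageName: unknown
  linkType: soft
`;

const sampleCacheFiles = [
  "@babel-core-npm-7.22.0-aaaaaaaaaa-bbbbbbbb.zip",
  "lodash-npm-4.17.15-cccccccccc-dddddddd.zip",
];

if (typeof require !== "undefined" && require.main === module) {
  const missing = missingCacheEntries(sampleYarnLock, sampleCacheFiles);
  console.log(missing.length ? `stale cache, run yarn: ${missing.join(", ")}` : "cache is complete");
}
```

In a real repository, read yarn.lock with `fs.readFileSync` and list the cache with `fs.readdirSync(".yarn/cache")`; a non-empty result means the PR branch needs a `yarn` run (and the resulting cache changes committed) before it is mergeable.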