JavaScript for open source

Snyk for JavaScript support

Refer to the JavaScript details for supported package managers and features.

Only official releases are tracked. Commits, including into the default branch, are not identified unless included in an official release or tag.

In the case of JavaScript packages this means a release to the npmjs package registry.

Open source and licensing

The following summarizes Snyk Open Source support for npm, pnpm and Yarn, and partial support for Lerna.

npm

The following table provides a matrix for npm lockfile versions and Snyk features availability.

Lockfile version
CLI support
SCM support
License scanning
Fix PRs

Lockfile v1

✔︎

✔︎

✔︎

✔︎

Lockfile v2

✔︎

✔︎

✔︎

✔︎

Lockfile v3

✔︎

✔︎

✔︎

✔︎

Peer dependencies

In npm v7 and above, the behavior of peer dependencies changes if they are being installed by default. To match this in npm v7+ projects, Snyk assumes peer dependencies are installed and scans them by default.

An npm v7+ project ignores peer dependencies only if they are explicitly marked as optional in the peerDependenciesMeta object in the package.json as shown here for cache-manager:

{
    ...
    "peerDependenciesMeta": {
        "cache-manager": {
            "optional": true
        }
    },
    ...
}

In npm v6 and below, peer dependencies are not scanned by default, as the package manager does not install them by default. To scan peer dependencies, ensure they are installed, and then run the CLI with the --peer-dependencies option.

Lockfile versions

Snyk uses the package-lock.json lockfile when present to generate a dependency tree for your project. These lockfiles come in different versions.

Lockfile v1 was used in npm v5 and v6. Two new formats were introduced in npm v7 - lockfile v2 and lockfile v3. For more information, see lockfileVersion.

You can see which lockfile format you are using in the package-lock.json, as follows:

{
    ...
    "lockfileVersion": 3,
    ...
}

If you want to force npm to create a specific lockfile version, use the npm --lockfile-version parameter.

npm install --lockfile-version=2

pnpm

Release status

Snyk CLI pnpm support is in Early Access.

Enable it using Snyk Preview and install CLI v1.1293.0 or later.

The following table shows a matrix of pnpm versions and Snyk features availability.

pnpm version
CLI support
SCM support
License scanning
Fix PRs

pnpm 7

✔︎ (Early Access)

✔︎ (Early Access)

pnpm 8

✔︎ (Early Access)

✔︎ (Early Access)︎

pnpm 9

✔︎ (Early Access)︎

✔︎ (Early Access)︎

Lockfile versions

Snyk uses the pnpm-lock.yaml lockfile to generate a dependency tree for your project.

The supported lockfile versions are 5.4, 6.x and 9.x, corresponding to pnpm 7, 8 and 9.

pnpm lockfiles do not include bundledDependencies, so Snyk does not include them in scans.

Yarn

Snyk uses the Yarn lockfile (yarn.lock) to generate a representation of project dependencies.

The files Snyk relies on to scan a project may change on version upgrades of the package manager. Snyk lists only versions verified internally as supported.

If you are using a newer version of Yarn than is listed on this page, you may find Snyk performs as expected because Yarn is using a lockfile version that is already supported. That version of Yarn has likely not been evaluated and, thus, not added to this page.

The following table shows the Yarn versions and Snyk features availability matrix.

Yarn Version
CLI support
SCM support
License scanning
Fix PRs

Yarn 1

✔︎

✔︎

✔︎

✔︎

Yarn 2

✔︎

✔︎

✔︎

✔︎

Yarn 3

✔︎

✔︎

✔︎

✔︎

Because different versions of Yarn have different feature sets, there are differences in Snyk support in order to match how the package manager works.

Resolutions are supported in Yarn v2 and above. Yarn v1 resolutions are not supported.

Lerna

Snyk does not fully support Lerna. If your project is set up using Yarn Workspaces, you can scan the project in the same way you scan any Yarn Workspaces project.

If your Lerna project is set up using Yarn Workspaces, you can run snyk test and snyk monitor as follows.

For each example package, you can use the following:

snyk monitor --file=packages/example-package/package.json

Alternatively, you can specify a script to automate scanning of nested package.json files:

ls packages | xargs -I PKG_NAME snyk monitor --file=packages/PKG_NAME/package.json

Steps to start scanning using npm, pnpm and Yarn

The following table lists the steps to start scanning your dependencies. It covers basic commands, such as snyk test and snyk monitor. For a full list of CLI commands, see the CLI commands and options summary.

Package manager
Getting started
Description

npm

  1. Install npm.

  2. Ensure you are in a directory with npm project files, that is, package.json and package-lock.json.

  3. (Optional) Run npm install.

  4. (Optional) Run command options for snyk test and snyk monitor.

Snyk analyzes your package-lock.json files to build a dependency tree.

If the package-lock.json is missing, Snyk analyzes your node_modules folder.

Alternatively, run npm install to generate the lockfile first.

pnpm

  1. Install pnpm

  2. Make sure that you are in a directory with pnpm project files, that is, package.json or pnpmand pnpm-lock.yaml.

  3. (Optional) Run pnpm install.

  4. (Optional) Run command options for snyk test and snyk monitor.

Snyk analyzes yourpnpm-lock.yaml files to build a dependency tree. If the pnpm-lock.yaml is missing, Snyk analyzes your node_modules folder. Alternatively, run pnpm install to generate the lockfile first.

Yarn

  1. Install Yarn.

  2. Make sure you are in a directory with Yarn project files, that is, package.json and yarn.lock.

  3. (Optional) Run yarn install

  4. (Optional) Run command options for snyk test and snyk monitor.

Snyk analyzes your yarn.lock files to build a dependency tree.

If the yarn.lock is missing, Snyk analyzes your node_modules folder.

Alternatively, run yarn install to generate the lockfile first.

Support for monorepos and workspaces

Yarn, npm, and pnpm support workspaces, to help manage monorepos containing multiple sub-projects.

Workspaces are supported in the Snyk CLI for the following CLI options:

  • --all-projects : Discover and scan all Yarn, npm and pnpm workspaces projects, along with projects from other supported ecosystems. The root lock file is referenced when scanning the workspace projects.

  • --detection-depth : Specify how many sub-directory levels to search.

  • --strict-out-of-sync=false : Allow testing out-of-sync lockfiles for packages in a workspace. When this option is set to false , you can run Snyk tests with unsynchronized manifest and lock files without causing errors.

  • --policy-path : Specify the path to a policy used by Snyk during testing.

Examples of scanning workspaces

Scan all workspaces projects in the current directory and five sub-directories deep, plus any other Projects types detected.

snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 

Use a common .snyk policy file, if you maintain ignores and patches in one place to be applied for all detected workspaces by using the policy path. For details about this file, see The .snyk file.

snyk test --all-projects --strict-out-of-sync=false --policy-path=src/.snyk

npm workspaces example

npm v7 introduced support for workspaces. See the lockfile version and Snyk feature availability matrix.

To detect and scan all workspaces in your npm Project, use the CLI options described above.

pnpm workspaces example

pnpm workspaces must have the package.json, pnpm-lock.yaml and pnpm-workspace.yaml files in the root directory.

To detect and scan all workspaces in your pnpm Project, use the CLI options described above.

Yarn workspaces example

nohoistis not supported for Yarn Workspaces.

To detect and scan all workspaces in your Yarn Project, use the CLI options identified for monorepos and workspaces, as well as this Yarn-specific opton:

--yarn-workspaces : Use instead of --all-projects to detect and scan only Yarn workspaces projects when a lockfile is present in the root. Other ecosystems will be ignored.

Last updated

More information

Snyk privacy policy

© 2024 Snyk Limited | All product and company names and logos are trademarks of their respective owners.