Snyk for npm

You can use Snyk to scan your JavaScript project managed by npm.

Features of Snyk for npm

How Snyk for npm works

Snyk builds a dependency graph and then uses the vulnerability database to find vulnerabilities in any of the packages anywhere in that tree.

The way Snyk analyzes and builds the graph varies depending on the language and package manager of the Project, as well as the location of your project.

For the ways you can scan Projects with Snyk see Snyk CLI for npm projects and Git services for npm projects.

Snyk CLI for npm projects

Snyk analyzes your package.json and package-lock.json files to build a fully structured dependency tree. If the package-lock.json is missing, Snyk analyzes your node_modules folder.

To get started using the CLI for npm projects:

• Make sure npm is installed.

• Make sure you are in a directory with npm Project files, that is, package.json and package-lock.json.

• Run npm install.

• Install and authenticate Snyk CLI.

You can now test and monitor your project using snyk test or snyk monitor.

You can use options with Snyk CLI commands to refine your scan.

For information about the snyk test options available for use with npm, see Options for npm projects in the Test help.

For the available snyk monitor options, see Options for npm projects in the Monitor help.

Git services for npm projects

JavaScript Projects can be imported from any of the Git services that Snyk supports. After import, Snyk analyzes your Projects based on their supported manifest files.

Snyk scans your Projects based on these files being present:

• package.json

• package-lock.json

Git settings for npm

Preferences for JavaScript-based Projects

From the Snyk UI, use these parameters to customize your language preferences for JavaScript-based projects:

Update language preferences for Snyk for npm

1. Log in to your account and navigate to the relevant Group and Organization that you want to manage.

2. Select Settings > Languages.

3. Select Edit settings for JavaScript to configure preferences for your JavaScript (npm and Yarn) projects in this Organization.

Additional support notes

Lockfile versions

Snyk uses the package-lock.json lockfile when present to generate a dependency tree for your project. These lockfiles come in different versions.

Lockfile v1 was used in npm v5 and v6. Two new formats were introduced in npm v7 - lockfile v2 and lockfile v3 (see lockfileVersion).

You can see which lockfile format you are using in the package-lock.json, as follows:

{
    ...
    "lockfileVersion": 3,
    ...
}

If you want to force npm to create a specific lockfile version use the npm --lockfile-version parameter.

npm install --lockfile-version=2

Workspaces

npm v7 introduced the concept of workspaces.

Workspaces are supported in the Snyk CLI, but not currently in the Git integrations.

To detect and scan all workspaces in your npm project, use the --all-projects Snyk CLI parameter, as follows:

snyk test --all-projects

Peer dependencies

In npm v7 and above, the behaviour of peer dependencies changes if they are being installed by default. To match this in npm v7+ projects, Snyk assumes peer dependencies are installed and scans them by default.

The only case in which an npm v7+ project ignores peer dependencies is if they are explicitly marked as optional in the peerDependenciesMeta object in the package.json as shown here for cache-manager:

{
    ...
    "peerDependenciesMeta": {
        "cache-manager": {
            "optional": true
        }
    },
    ...
}

In npm v6 and below, peer dependencies are not scanned by default, as the package manager does not install them by default. To scan peer dependencies, make sure they are installed, and then run the CLI with the --peer-dependencies option.