
pgutil: PackageLockOnly for npm projects



  • Hi,

    I see that the Dependency Scanner for npm projects is able to handle "packageLockOnly" (like it was the case in pgscan). But I can't seem to find an option to set this flag from the outside.

    Maybe this option has been overlooked? Or I am missing it?
    I appreciate the help.

    Thanks,
    Caterina


  • inedo-engineer

    Hi @caterina

    It's very possible this was overlooked; we seem to have accepted a lot of pull requests without documenting them or knowing how they work 😅

    We want to make sure the tool is well documented... can you share what all this does, and how we can document it? It might be easy to add back in ... we just want to make sure all these switches are documented and still make sense.

    Thanks,
    Alana



  • Hi @atripp,

    the default behavior of the NpmDependencyScanner is to read the input file as well as all package-lock.json files found in the node_modules directory.

    Rich and I had a longer discussion about this behavior last year (https://forums.inedo.com/topic/3934/pgscan-different-results-for-npm-dependencies/13).
    The result of this discussion was to add "--package-lock-only" to be able to ignore the package-lock.json files in node_modules.

    The code for this is already part of pgutil (the 'packageLockOnly' property in NpmDependencyScanner). The only thing missing here is the possibility to set this property from the outside.

    Thanks,
    Caterina

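To illustrate the two scan behaviours described in the post above, here is an added example that is not pgutil's own NpmDependencyScanner code: it walks a constructed in-memory project tree and returns the dependency set with and without a packageLockOnly flag. The file tree, package names, versions and function names are all assumptions made for the demonstration.

```javascript
// Constructed in-memory project tree (path -> file content). The nested
// node_modules/express/package-lock.json stands in for a stale or vendored
// lock file that only the default (non packageLockOnly) scan would pick up.
const PROJECT = {
  'package-lock.json': JSON.stringify({
    name: 'demo-app',
    lockfileVersion: 3,
    packages: {
      '': { dependencies: { lodash: '^4.17.21', express: '^4.19.2' } },
      'node_modules/lodash': { version: '4.17.21' },
      'node_modules/express': { version: '4.19.2' },
    },
  }),
  'node_modules/express/package-lock.json': JSON.stringify({
    name: 'express',
    lockfileVersion: 3,
    packages: {
      '': { dependencies: { 'left-pad': '^1.3.0' } },
      'node_modules/left-pad': { version: '1.3.0' },
    },
  }),
};

// Parse one lockfile (v2/v3 "packages" map) into {name, version} records.
// The package name is the path segment after the last "node_modules/",
// which also handles scoped packages such as node_modules/@scope/pkg.
function parseLock(text) {
  const lock = JSON.parse(text);
  const deps = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // "" is the root project itself, not a dependency
    const marker = 'node_modules/';
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    deps.push({ name, version: entry.version });
  }
  return deps;
}

// Collect dependencies from the root lockfile and, unless packageLockOnly is
// set, from every package-lock.json found under node_modules. Returns a sorted
// list of "name@version" strings so the two modes can be compared directly.
function scanNpm(files, rootLock, packageLockOnly) {
  const isNested = p => p.startsWith('node_modules/') && p.endsWith('/package-lock.json');
  const lockPaths = Object.keys(files).filter(p => p === rootLock || (!packageLockOnly && isNested(p)));
  const seen = new Set();
  for (const p of lockPaths.sort()) {
    for (const d of parseLock(files[p])) seen.add(`${d.name}@${d.version}`);
  }
  return [...seen].sort();
}
```

With packageLockOnly set the result matches the root lockfile exactly; without it, left-pad from the nested lock file appears as well, which is the discrepancy the linked pgscan thread discussed.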

  • inedo-engineer

    @caterina thanks, we'll discuss this internally and get back to you soon!

