# Node.js
Tunnel supports four types of Node.js package managers: npm, Yarn, pnpm and Bun.
The following scanners are supported.
| Artifact | SBOM | Vulnerability | License |
|---|---|---|---|
| npm | ✓ | ✓ | ✓ |
| Yarn | ✓ | ✓ | ✓ |
| pnpm | ✓ | ✓ | ✓ |
| Bun | ✓ | ✓ | ✓ |
The following table provides an outline of the features Tunnel offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
|---|---|---|---|---|---|
| npm | package-lock.json | ✓ | Excluded | ✓ | ✓ |
| Yarn | yarn.lock | ✓ | Excluded | ✓ | ✓ |
| pnpm | pnpm-lock.yaml | ✓ | Excluded | ✓ | - |
| Bun | yarn.lock | ✓ | Excluded | ✓ | ✓ |
In addition, Tunnel scans installed packages using their package.json files.
| File | Dependency graph | Position | License |
|---|---|---|---|
| package.json | - | - | ✓ |
These may be enabled or disabled depending on the scan target. See the documentation for each target for details.
## Package managers
Tunnel parses the lock files generated by package managers during filesystem and repository scanning.
Tip: Please make sure your lock file is up-to-date after modifying package.json.
### npm
Tunnel parses package-lock.json.
To identify licenses, you need to download dependencies to node_modules beforehand.
Tunnel analyzes node_modules for licenses.
By default, Tunnel doesn't report development dependencies. Use the --include-dev-deps flag to include them.
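To make the npm behaviour concrete, here is an added illustration (not Tunnel's own code) of the two rules above: dev-only entries in a lockfileVersion 3 package-lock.json are skipped unless dev dependencies are requested, and a license can only be read from node_modules/<name>/package.json, so it is missing for anything not installed. The lock data and the node_modules tree are constructed samples; `lock_packages`, `package_license` and `build_sample_tree` are hypothetical helper names.

```python
import json
import tempfile
from pathlib import Path

# Constructed package-lock.json (lockfileVersion 3) for a made-up project;
# "dev": true marks packages reachable only through devDependencies.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/jest": {"version": "29.7.0", "dev": True},
        "node_modules/ci-info": {"version": "3.9.0", "dev": True},
    },
}

def lock_packages(lock: dict, include_dev: bool = False) -> dict:
    """Return {name: version} from the 'packages' map, skipping the root entry
    and, unless include_dev is set (the --include-dev-deps case), every
    dev-only package."""
    result = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "" or (meta.get("dev") and not include_dev):
            continue
        # Nested paths like node_modules/a/node_modules/b resolve to the last segment.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        result[name] = meta["version"]
    return result

def package_license(node_modules: Path, name: str):
    """Read 'license' from node_modules/<name>/package.json; None if the package
    is not installed, which is why licenses need an installed tree, not just the lock."""
    manifest = node_modules / name / "package.json"
    if not manifest.is_file():
        return None
    lic = json.loads(manifest.read_text()).get("license")
    if isinstance(lic, dict):  # legacy {"type": "MIT", "url": ...} form
        lic = lic.get("type")
    return lic

def build_sample_tree() -> Path:
    """Create a constructed node_modules in a temp dir with only lodash installed."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    (root / "lodash").mkdir(parents=True)
    (root / "lodash" / "package.json").write_text(
        json.dumps({"name": "lodash", "version": "4.17.21", "license": "MIT"}))
    return root

if __name__ == "__main__":
    nm = build_sample_tree()
    for name, ver in lock_packages(SAMPLE_LOCK).items():
        print(name, ver, package_license(nm, name))  # lodash 4.17.21 MIT
```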
### Yarn
Tunnel parses yarn.lock, which doesn't contain information about development dependencies.
Tunnel also uses the package.json file to handle aliases.
To exclude devDependencies and allow aliases, package.json also needs to be present next to yarn.lock.
Tunnel analyzes .yarn (Yarn 2+) or node_modules (Yarn Classic) folder next to the yarn.lock file to detect licenses.
By default, Tunnel doesn't report development dependencies. Use the --include-dev-deps flag to include them.
### pnpm
Tunnel parses pnpm-lock.yaml, identifies the production dependencies and builds the dependency tree used to report vulnerabilities.
To identify licenses, you need to download dependencies to node_modules beforehand. Tunnel analyzes node_modules for licenses.
#### Lock file v9
Tunnel supports the dev field in pnpm-lock.yaml v9 or later. Use the --include-dev-deps flag to include development dependencies in the result.
### Bun
Tunnel supports scanning yarn.lock files generated by Bun. You can use the command bun install -y to generate a Yarn-compatible yarn.lock.
Note: bun.lockb is not supported.
## Packages
Tunnel parses the manifest files of installed packages during container image scanning and similar targets.
### package.json
Tunnel searches for package.json files under node_modules and identifies installed packages.
It only extracts package names, versions and licenses for those packages.