
Distinguish between normal and dev dependencies.

Status: Open. michaelkedar opened this issue 2 years ago • 3 comments

There is no current way to identify whether a vulnerable dependency only affects the development environment, e.g. whether it comes from devDependencies or dependencies in package.json.

We should add a field to the output to present this information, if we can extract it.

michaelkedar avatar Apr 04 '23 06:04 michaelkedar

I tried adding a column called DevDependency to the output table. Would the below output resolve this issue?

[image: proposed output table with a DevDependency column]

aniruth37 avatar Jun 14 '23 15:06 aniruth37

We are thinking of placing the devDependencies in a separate table under the normal dependencies.

So if we identify any dev dependencies, we will print two tables, with the first table containing only main deps, and a second table containing dev deps.

another-rex avatar Jun 15 '23 04:06 another-rex

@another-rex probably better to have support for marking "groups" that packages belong to, to support arbitrary groupings and have the default of no group take priority (since that is typically what are considered production dependencies); then in your output you just print-by-group and naturally sort "no group" to the top.

G-Rath avatar Jun 15 '23 04:06 G-Rath
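The grouping approach G-Rath describes, as an added example that is not part of this thread or of osv-scanner's own code: a hypothetical Go helper that tags each package.json dependency with the section it came from as its group (the empty group being production), keeps the production entry when a name appears in more than one section, and sorts the ungrouped entries to the top so the output can be printed group by group. The `DepGroup` type, the function name and the sample package.json are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// DepGroup tags a dependency with its package.json section; "" is production.
type DepGroup struct{ Name, Group string }

// groupsFromPackageJSON (hypothetical helper, not osv-scanner's own code) returns the
// dependencies of a package.json, ungrouped (production) ones first; a name listed
// in more than one section keeps its first, most production-like, group.
func groupsFromPackageJSON(data []byte) ([]DepGroup, error) {
	var pkg struct {
		Prod     map[string]string `json:"dependencies"`
		Optional map[string]string `json:"optionalDependencies"`
		Dev      map[string]string `json:"devDependencies"`
	}
	if err := json.Unmarshal(data, &pkg); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	var out []DepGroup
	// Section order is precedence: production wins over optional, which wins over dev.
	for _, s := range []struct{ group string; deps map[string]string }{{"", pkg.Prod}, {"optional", pkg.Optional}, {"dev", pkg.Dev}} {
		for name := range s.deps {
			if !seen[name] {
				seen[name] = true
				out = append(out, DepGroup{Name: name, Group: s.group})
			}
		}
	}
	// Ungrouped first, then other groups alphabetically, names sorted within a group.
	sort.Slice(out, func(i, j int) bool {
		if gi, gj := out[i].Group, out[j].Group; gi != gj {
			return gi == "" || (gj != "" && gi < gj)
		}
		return out[i].Name < out[j].Name
	})
	return out, nil
}

func main() {
	// Constructed sample package.json; "jest" is in two sections, so it lands in production.
	deps, _ := groupsFromPackageJSON([]byte(`{"dependencies":{"express":"4.18.2","jest":"29.0.0"},"devDependencies":{"jest":"29.0.0","eslint":"8.0.0"},"optionalDependencies":{"fsevents":"2.3.2"}}`))
	for _, d := range deps {
		fmt.Printf("%-10q %s\n", d.Group, d.Name)
	}
}
```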

@cuixq This might be an interesting starter project to tackle.

oliverchang avatar Sep 21 '23 01:09 oliverchang