Discussed in #7381
Originally posted by SemProvoost August 25, 2024
Description
Bug Summary: Trivy incorrectly identifies a package that is listed as a dependency in a subdirectory's package.json as a dev-dependency.
Steps to reproduce
(Adding the steps to reproduce here so that I can use markdown)
Project structure
/ (root directory)
├── package.json
├── pnpm-lock.yaml
├── pnpm-workspace.yaml
└── subdir/
    └── package.json
Root package.json content:
Subdir package.json content:
pnpm-workspace.yaml content:
pnpm-lock.yaml content (as a result of running pnpm i in the root):
Running Trivy
Running Trivy on the root of the project (trivy fs . -f json --include-dev-deps --list-all-pkgs) results in:
As you can see, the sleep-utils package is marked as "Dev": true, while it is not a dev-dependency.
Desired Behavior
In my example, the sleep-utils package should not have been marked as a dev-dependency.
Actual Behavior
In my example, the sleep-utils package has incorrectly been marked as a dev-dependency.
Reproduction Steps
Target: None
Scanner: None
Output Format: JSON
Mode: None
Debug Output
Operating System: macOS Ventura 13.3.1
Version
Checklist
trivy clean --all
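The classification the report expects, as an added example that is neither part of the original issue nor Trivy's own code: in a pnpm workspace a package should carry Dev: true only when no importer (root or workspace member) lists it as a production dependency. The lockfile below is a constructed Python dict mirroring the importers layout of a pnpm-lock.yaml; apart from sleep-utils, every package name and version is assumed.

```python
# Constructed stand-in for a parsed pnpm-lock.yaml (v9 layout): the root
# importer '.' and one workspace member 'subdir'. Not the reporter's lockfile.
LOCKFILE = {
    "lockfileVersion": "9.0",
    "importers": {
        ".": {
            "devDependencies": {
                # assumed: a tool shared by both workspace members
                "typescript": {"specifier": "^5.0.0", "version": "5.5.4"},
            },
        },
        "subdir": {
            "dependencies": {
                # the package the report is about: a production dependency
                # of the subdirectory, not of the root
                "sleep-utils": {"specifier": "^1.0.0", "version": "1.0.0"},
            },
            "devDependencies": {
                "typescript": {"specifier": "^5.0.0", "version": "5.5.4"},
            },
        },
    },
}

# Each importer section and whether a reference from it counts as dev.
SECTIONS = (
    ("dependencies", False),
    ("optionalDependencies", False),
    ("devDependencies", True),
)


def classify_dev(lockfile):
    """Return {(name, version): is_dev} over every importer in the workspace.

    A package is dev only if *all* references to it across the workspace are
    devDependencies; a single production reference anywhere makes it prod.
    """
    result = {}
    for importer in lockfile.get("importers", {}).values():
        for section, is_dev in SECTIONS:
            for name, info in importer.get(section, {}).items():
                key = (name, info["version"])
                # AND with the running flag so one prod reference wins
                result[key] = result.get(key, True) and is_dev
    return result


def is_dev(lockfile, name, version):
    """Dev flag for one package, or None if the workspace never references it."""
    return classify_dev(lockfile).get((name, version))
```

Running the scanner's classification from the root with this rule yields Dev: false for sleep-utils, because the subdir importer references it as a production dependency; typescript stays Dev: true since every importer lists it under devDependencies.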