The Snyk CLI first processes your node_modules folder to detect the dependencies actually installed for your project. It then reads your package.json file to add metadata to the detected dependencies and to filter them for testing, determining:

- Which installed dependencies trace back to a first-order dependency in your package.json file, and which are extraneous (installed without being saved to package.json).
- Which installed dependencies are unlikely to be used in a production environment (they stem from devDependencies in package.json) and should therefore be skipped when testing for vulnerabilities, unless --dev was passed to the CLI.