Snyk supports testing and monitoring open source npm projects that have their dependencies managed by npm or Yarn and compares the specific dependency versions against the Snyk vulnerability database.
Snyk supports finding, fixing, and monitoring Node.js projects and supports the following manifest files.
If a lockfile is detected Snyk will process dependencies from the lockfile.
If the lockfile and manifest file become out of sync, Snyk will continue testing the project and warn about any packages that are found in the manifest but not present in the lockfile. Because dependencies are read from the lockfile, those packages are not part of the tested dependency set until the lockfile is updated.
You can configure your organization language settings in order to tweak the behavior of Snyk:
Scan and fix devDependencies - Snyk will also read the devDependencies property of package.json and report and fix any vulnerabilities found there.
Require package.json and package-lock.json - Snyk can behave more like npm ci and fail the test if the project becomes out of sync. Default behavior is to behave more like
Exclude package-lock.json from being generated when fixing vulnerabilities - if you are using private mirrors or private registries, the Snyk-generated lockfile may not be appropriate for you, because Snyk uses the public npm registry to update the lockfile. This setting lets you opt out of having lockfiles generated for you in Snyk fix pull requests and merge requests.
The relock functionality is available only for package-lock.json.