How is 'package.json' used by the Snyk CLI?

Does 'package.json' get scanned when using the Snyk CLI?

The Snyk CLI first processes your 'node_modules' folder to detect the actual dependencies installed for your project. It then reads your 'package.json' file to add metadata to the detected dependencies and to filter them for testing:

  • Which installed dependencies are traced back to a first-order dependency declared in your 'package.json' file, and which are extraneous (installed without being saved to 'package.json')
  • Which installed dependencies are not likely to be used in a production environment (reachable only from devDependencies in 'package.json'), and should be skipped when testing for vulnerabilities (unless --dev was provided to the CLI)