snyk/vulncost

Vulnerability scanning on package.json

pkey opened this issue · 5 comments

pkey commented

Why

When it comes to the overall view of dependencies, package.json is the first place people would look at. At the moment, vulnerabilities are only scanned as the user imports/requires the module in his code.

What

It would be helpful to have scanning being reflected on package.json dependency list as well.

remy commented

I'd be inclined to test that theory that the package.json is the first place people will look (when using vscode). I certainly don't, but I'm one developer. Doesn't mean it shouldn't be added, I'm just not so sure during development I visit my own package.json that often (if at all).

pkey commented

@remy True, everyone has a different approach. What is yours to get an overview of the dependencies then?

@remy from my perspective I tend to take a look in package.json whilst I am orienteering myself around a new-to-me project. Mainly to look through the scripts section and see what hasn't been documented ;)

Current release in the marketplace (1.3.1) scans dependencies in package.json.