To my understanding, the Node.js Analyzer in conjunction with the Node Audit Analyzer inspects the package-lock.json, and the package-lock.json always includes the devDependencies.
The dependency-check-report.html reflects this and includes all dependencies.
- On a clean environment (no npm command run before, no package-lock.json available) I did an npm install --production
- As expected ;-) only the production dependencies are installed, but
- the package-lock.json was created with all dependencies (prod and dev)
- I ran an OWASP/DC scan
- The report also shows all dependencies (prod and dev)
Now my question: Is there an optional parameter/possibility to avoid the inclusion of the devDependencies in the report? The devDependencies in the package-lock.json show "dev": true, the production dependencies have no "dev" entry.
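As an added example (not part of the original post and not dependency-check's own code), the script below uses the "dev": true marker described above to produce a pruned copy of a lockfileVersion 1 package-lock.json, so a scanner can be pointed at production entries only; the lockfile content is a constructed sample.

```python
import json

# Constructed lockfileVersion 1 sample (not taken from the original post).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "version": "1.0.0", "lockfileVersion": 1,
    "dependencies": {
        "express": {"version": "4.17.1",
                    "dependencies": {"debug": {"version": "2.6.9"}}},
        "jest": {"version": "26.6.3", "dev": True,
                 "dependencies": {"chalk": {"version": "4.1.0", "dev": True}}},
        "lodash": {"version": "4.17.20"},
    },
})


def prune_dev(deps):
    """Copy a lockfile 'dependencies' map, dropping entries marked "dev": true.
    Production entries carry no "dev" key, so only an explicit true is removed;
    nested 'dependencies' maps are pruned recursively."""
    kept = {}
    for name, entry in deps.items():
        if entry.get("dev") is True:
            continue
        pruned = dict(entry)
        if "dependencies" in entry:
            pruned["dependencies"] = prune_dev(entry["dependencies"])
        kept[name] = pruned
    return kept


def production_only_lock(lock_text):
    """Parse package-lock.json text and return it with dev dependencies removed."""
    lock = json.loads(lock_text)
    lock["dependencies"] = prune_dev(lock.get("dependencies", {}))
    return lock


def flatten(deps, prefix=""):
    """List 'name@version' for every entry, including nested ones."""
    out = []
    for name, entry in deps.items():
        out.append(f"{prefix}{name}@{entry['version']}")
        out.extend(flatten(entry.get("dependencies", {}), f"{prefix}{name}/"))
    return out


if __name__ == "__main__":
    # Write the pruned copy next to the original and scan that file instead.
    pruned = production_only_lock(SAMPLE_LOCK)
    print("\n".join(flatten(pruned["dependencies"])))
```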