Add support for nested package.json files to the retire.js Dependency Scanner
Problem to solve
Allow the use of the retire.js Dependency Scanner to scan monorepos with nested package.json files.
Intended users
Developers
User experience goal
The user should be able to scan monorepos with multiple package.json files using the retire.js Dependency Scanner.
Proposal
Add support for nested package.json files to the retire.js Dependency Scanner.
Further details
The project I am working on is an npm-based project with package.json files in the following locations:
- /package.json
- /client/package.json
- /api/package.json
- /db/package.json
Currently the retire-js-dependency_scanning job only finds security vulnerabilities in the top-level package.json. I purposely added a vulnerable dependency to the root package.json and the client package.json, and it recognized only the top-level dependency vulnerability.
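As an added illustration of the discovery step the scanner would need (this is not code from the issue, from retire.js or from GitLab), the script below builds a constructed sample monorepo with the four manifests listed above plus a vendored package.json under node_modules, walks the tree to find every project manifest while pruning node_modules, collects each project's declared dependencies, and prepares one retire.js invocation per project. The `--path` and `--outputformat` flags are an assumption about the retire CLI; check `retire --help` for your version before relying on them.

```python
"""Find every project-level package.json in a monorepo and plan one retire.js run per project.

Added example for this issue; not retire.js or GitLab code. Assumes the layout
described in the issue and that the retire CLI accepts --path and --outputformat
(assumption; verify against `retire --help`).
"""
import json
import os
import tempfile

# Directories that hold vendored or unrelated trees, never project manifests.
SKIP_DIRS = {"node_modules", ".git"}

# Constructed sample monorepo mirroring the issue's layout. The pinned lodash
# version stands in for the deliberately vulnerable dependency the reporter added.
SAMPLE_MANIFESTS = {
    "package.json": {"name": "root", "dependencies": {"lodash": "4.17.10"}},
    "client/package.json": {"name": "client", "dependencies": {"lodash": "4.17.10", "react": "18.2.0"}},
    "api/package.json": {"name": "api", "dependencies": {"express": "4.18.2"}},
    "db/package.json": {"name": "db", "dependencies": {}},
    # A vendored copy under node_modules must NOT be treated as a project manifest.
    "client/node_modules/left-pad/package.json": {"name": "left-pad", "version": "1.3.0"},
}


def write_sample_repo(root):
    """Materialise SAMPLE_MANIFESTS under `root` and return `root`."""
    for rel, content in SAMPLE_MANIFESTS.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            json.dump(content, fh)
    return root


def make_sample_repo():
    """Create the constructed monorepo in a fresh temporary directory."""
    return write_sample_repo(tempfile.mkdtemp())


def find_manifests(root):
    """Return repo-relative directories holding a package.json, pruning SKIP_DIRS."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into vendored trees.
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        if "package.json" in filenames:
            found.append(os.path.relpath(dirpath, root))
    return found


def collect_dependencies(root):
    """Map each project directory to its declared dependencies and devDependencies."""
    result = {}
    for rel in find_manifests(root):
        with open(os.path.join(root, rel, "package.json")) as fh:
            manifest = json.load(fh)
        deps = {}
        deps.update(manifest.get("dependencies", {}))
        deps.update(manifest.get("devDependencies", {}))
        result[rel] = deps
    return result


def build_retire_commands(root):
    """One retire.js argv per discovered project (CLI flags are an assumption)."""
    return [
        ["retire", "--path", os.path.join(root, rel), "--outputformat", "json"]
        for rel in find_manifests(root)
    ]


if __name__ == "__main__":
    repo = make_sample_repo()
    for rel, deps in collect_dependencies(repo).items():
        print(f"{rel}: {deps}")
    for cmd in build_retire_commands(repo):
        print(" ".join(cmd))
```

Run as-is it prints four project directories (the root as `.`, then `api`, `client`, `db`) with their dependencies and the corresponding retire invocations; the left-pad manifest under node_modules is never listed, which is the pruning a nested-manifest scanner must get right so that vendored packages are not mistaken for projects.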
Permissions and Security
No change.
Documentation
The new behavior should be described in Dependency Scanning documentation.
Availability & Testing
To be tested when doing automatic QA, using test projects like js-npm.
What does success look like, and how can we measure that?
The retire.js analyzer reports vulnerabilities for all Node.js components/projects of a monorepo.
What is the type of buyer?
Is this a cross-stage feature?
No