Dependency Scanning fails on NPM projects with workspaces

Summary

Dependency Scanning fails when scanning a package-lock.json file with multiple workspaces with the error:

[FATA] [dependency-scanning] [2025-04-10T14:27:53Z] [/go/src/app/cmd/dependency-scanning/main.go:43] ▶ scanning file package-lock.json: parsing file package-lock.json: malformed dependency graph when searching for dependency <dependency> of package <workspace package>

Although we currently do not support multiple workspaces, the error message does not say so; we should either emit a clearer error or provide a workaround.

Steps to reproduce

  1. Create a project with a package-lock.json file with workspaces (for example: package-lock.json)
  2. Scan with Dependency Scanning:
    include:
      - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
    variables:
      DS_ENFORCE_NEW_ANALYZER: 'true'
      SECURE_LOG_LEVEL: "debug"
  3. See error

Example Project

What is the current bug behavior?

Unclear error when running dependency scan on package-lock.json containing workspaces.

What is the expected correct behavior?

  • A clear error when running a dependency scan on a package-lock.json containing workspaces, OR a workaround.
  • Documentation of the workspace and monorepository limitation.
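As an added illustration (this is not code from the issue or from GitLab's dependency-scanning analyzer), the Node script below shows what a workspace-aware pass over such a lockfile involves: it lists the workspace members and resolves each dependency edge the way npm does, following the `link` stubs under node_modules to their target path, since the stub itself carries no version. The lockfile content is constructed; function names are the example's own.

```javascript
// Added example, not the analyzer's code. Constructed lockfileVersion 3 lock for two workspaces.
const lock = JSON.parse(`{
  "name": "monorepo", "lockfileVersion": 3, "requires": true,
  "packages": {
    "": { "name": "monorepo", "workspaces": ["packages/*"] },
    "node_modules/a": { "resolved": "packages/a", "link": true },
    "node_modules/b": { "resolved": "packages/b", "link": true },
    "node_modules/lodash": { "version": "4.17.21" },
    "packages/a": { "name": "a", "version": "1.0.0", "dependencies": { "b": "1.0.0", "lodash": "^4.17.0" } },
    "packages/b": { "name": "b", "version": "1.0.0", "dependencies": { "lodash": "^4.17.0" } }
  }
}`);

// Workspace members appear as link entries under node_modules whose "resolved" is a repo path.
function workspaceMembers(lock) {
  return Object.entries(lock.packages)
    .filter(([key, e]) => key.startsWith("node_modules/") && e.link === true)
    .map(([key, e]) => ({ name: key.slice("node_modules/".length), path: e.resolved }));
}

// Resolve depName from fromPath as npm does: try <from>/node_modules/<dep>, then walk up one
// node_modules level at a time to the root. A link stub is followed to the entry it points at.
function resolveDep(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const key = (base ? base + "/" : "") + "node_modules/" + depName;
    const e = lock.packages[key];
    if (e && e.link) {
      const target = lock.packages[e.resolved]; // null if the link points nowhere
      return target ? { path: e.resolved, version: target.version, viaLink: true } : null;
    }
    if (e) return { path: key, version: e.version, viaLink: false };
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i >= 0 ? base.slice(0, i) : "";
  }
}

// Check every real (non-stub) package; report edges that cannot be resolved, in the same
// "<dependency> of <package>" form the analyzer's error message uses.
function unresolvedEdges(lock) {
  const out = [];
  for (const [path, e] of Object.entries(lock.packages)) {
    if (e.link) continue;
    for (const dep of Object.keys(e.dependencies || {})) {
      if (!resolveDep(lock, path, dep)) out.push(`${dep} of ${path || "(root)"}`);
    }
  }
  return out;
}
```

Running `workspaceMembers` before the scan lets a pipeline stop with a message that names the unsupported workspaces instead of the opaque "malformed dependency graph" error above.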
