Add parser option to ignore npm devDependencies in npm lockfiles
What does this MR do?
This MR adds an option to ignore/skip devDependencies within package-lock.json files versions 1 or 2, and npm-shrinkwrap.json files. Software security is heavily dependent on context when assessing risk, and highlighting dev-only dependencies aids in adding more context. NPM adds a `dev` field as `true` to its devDependencies when generating lockfiles to identify the dependencies that are excluded in production builds. When `DS_INCLUDE_DEV_DEPENDENCIES` is set to `false`, any dev-only dependencies will be excluded from the generated artifacts.
What are the relevant issue numbers?
gitlab-org/gitlab#227861 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Oscar Tovar
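As an added illustration of the filtering the MR describes (example code written for this page, not the project's own parser): a small Go program that decodes a lockfileVersion 1 or 2 file, flattens its dependency entries, and drops the ones npm marked `"dev": true` when the `DS_INCLUDE_DEV_DEPENDENCIES` switch is false. The two embedded lockfiles are constructed samples, and the names `Parse`, `IncludeDevDeps` and `Dep` are chosen here rather than taken from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Dep is one package resolved by the lockfile.
type Dep struct {
	Name, Version string
	Dev           bool // npm wrote "dev": true, i.e. not installed in production
}

type (
	// lockfile holds only the fields needed from lockfileVersion 1 and 2.
	lockfile struct {
		LockfileVersion int                `json:"lockfileVersion"`
		Dependencies    map[string]v1Entry `json:"dependencies"` // v1 tree (v2 keeps a copy for old clients)
		Packages        map[string]v2Entry `json:"packages"`     // v2 flat map keyed by install path
	}
	v1Entry struct {
		Version      string             `json:"version"`
		Dev          bool               `json:"dev"`
		Dependencies map[string]v1Entry `json:"dependencies"` // nested, non-hoisted dependencies
	}
	v2Entry struct {
		Version string `json:"version"`
		Dev     bool   `json:"dev"`
	}
)

// IncludeDevDeps interprets the DS_INCLUDE_DEV_DEPENDENCIES value: only an
// explicit false drops dev dependencies; unset or unparsable keeps them.
func IncludeDevDeps(value string) bool {
	b, err := strconv.ParseBool(strings.TrimSpace(value))
	return err != nil || b
}

// Parse decodes package-lock.json / npm-shrinkwrap.json content and returns its
// dependencies sorted by name; "dev": true entries are dropped unless includeDev is set.
func Parse(data []byte, includeDev bool) ([]Dep, error) {
	var lf lockfile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	var all []Dep
	switch lf.LockfileVersion {
	case 1:
		walkV1(lf.Dependencies, &all)
	case 2:
		for path, e := range lf.Packages {
			i := strings.LastIndex(path, "node_modules/")
			if i < 0 { // "" is the root project; other such paths are workspace source dirs
				continue
			}
			all = append(all, Dep{Name: path[i+len("node_modules/"):], Version: e.Version, Dev: e.Dev})
		}
	default:
		return nil, fmt.Errorf("unsupported lockfileVersion %d", lf.LockfileVersion)
	}
	out := []Dep{}
	for _, d := range all {
		if includeDev || !d.Dev {
			out = append(out, d)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}

// walkV1 flattens the nested v1 tree; every nested entry carries its own "dev" flag.
func walkV1(m map[string]v1Entry, out *[]Dep) {
	for name, e := range m {
		*out = append(*out, Dep{Name: name, Version: e.Version, Dev: e.Dev})
		walkV1(e.Dependencies, out)
	}
}

// Constructed sample lockfiles (not real project output): express is production-only, jest and chalk are dev-only.
const sampleV1 = `{"name":"app","version":"1.0.0","lockfileVersion":1,"dependencies":{
 "express":{"version":"4.17.1","dependencies":{"debug":{"version":"2.6.9"}}},
 "jest":{"version":"26.6.3","dev":true,"dependencies":{"chalk":{"version":"4.1.0","dev":true}}}}}`

const sampleV2 = `{"name":"app","version":"1.0.0","lockfileVersion":2,"packages":{
 "":{"name":"app","version":"1.0.0","dependencies":{"express":"^4.17.1"},"devDependencies":{"jest":"^26.6.3"}},
 "node_modules/express":{"version":"4.17.1"},
 "node_modules/express/node_modules/debug":{"version":"2.6.9"},
 "node_modules/jest":{"version":"26.6.3","dev":true},
 "node_modules/chalk":{"version":"4.1.0","dev":true}}}`

func main() {
	includeDev := IncludeDevDeps("false") // stand-in for reading the CI variable
	for _, sample := range []string{sampleV1, sampleV2} {
		deps, err := Parse([]byte(sample), includeDev)
		fmt.Println(deps, err) // [{debug 2.6.9 false} {express 4.17.1 false}] <nil>
	}
}
```

Note that a v1 lockfile stores the flag on every nested entry too, so the walk does not need to propagate it from the parent; in v2 the flat `packages` map makes this a one-pass filter, and the `""` root entry must be skipped because it describes the project itself rather than a dependency.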