Snyk Documentation

Node.js (NPM & Yarn)

What type of Node.js projects does Snyk support?

Snyk supports testing and monitoring projects whose open source npm dependencies are managed by npm or Yarn, comparing the specific dependency versions against the Snyk vulnerability database.

Source Control Integration

Snyk supports finding, fixing, and monitoring vulnerabilities in Node.js projects and supports the following manifest files:

  • package.json
  • package-lock.json
  • yarn.json
  • yarn.lock

If a lockfile is detected, Snyk processes dependencies from the lockfile.

If the lockfile and manifest file become out of sync, Snyk continues testing the project and warns about any packages that are found in the manifest but not present in the lockfile.

Language Settings

You can configure your organisation's language settings to tweak Snyk's behaviour:

Npm settings

  • Scan and fix devDependencies - Snyk will also read the devDependencies property of package.json and report and fix any vulnerabilities found there.
  • Require package.json and package-lock.json - Snyk can behave more like npm ci and error if a project becomes out of sync. The default behaviour is to behave more like npm install.
  • Exclude package-lock.json from being generated when fixing vulnerabilities* - if you are using private mirrors or private registries, a Snyk-generated lockfile may not be appropriate for you, because Snyk uses the public npm registry to update the lockfile. This setting allows you to opt out of having lockfiles generated for you in our fix pull requests / merge requests.

* The relock functionality is available only for package-lock.json. It will be available for yarn.lock during Q2 2019.

Serverless

See the specific Snyk Serverless documentation for language support.

CLI

The following manifest files are supported by the CLI:

  • package.json
  • package-lock.json
  • yarn.json
  • yarn.lock

If a lockfile is detected, Snyk processes dependencies from the lockfile.

If the lockfile and manifest file become out of sync, Snyk fails and outputs the following warning:

Dependency snyk was not found in package-lock.json. Your package.json and package-lock.json are probably out of sync.
Please run "npm install" and try again.

Testing a project

snyk test

When snyk test runs, it tests the project according to the supported manifests it finds, in this order:

  • For npm:
      • package-lock.json
      • package.json
  • For Yarn:
      • yarn.lock
      • yarn.json

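The manifest-selection order above, the devDependencies setting, and the out-of-sync behaviour described in the Source Control Integration and CLI sections can all be reproduced with a small Node.js script. The following is an added example written for this page, not Snyk's own code: it picks the preferred manifest from a directory listing, reads the resolved package names out of a package-lock.json (lockfileVersion 1, or the `packages` map of v2/v3) or a Yarn v1 yarn.lock, and reports which declared dependencies are missing from the lockfile. The `strict` option mirrors the "Require package.json and package-lock.json" setting (fail like npm ci) versus the default (warn like npm install). All function names and the sample manifests are constructed for the illustration.

```javascript
'use strict';

// Manifest preference order, per the list above (added example, not Snyk code).
const MANIFEST_ORDER = {
  npm: ['package-lock.json', 'package.json'],
  yarn: ['yarn.lock', 'yarn.json'],
};

// Return the first manifest present for the given package manager, or null.
function selectManifest(files, manager) {
  const present = new Set(files);
  return MANIFEST_ORDER[manager].find((f) => present.has(f)) || null;
}

// Package names declared in package.json. devDependencies are only included
// when asked, matching the "Scan and fix devDependencies" setting.
function declaredDependencies(pkg, { includeDev = false } = {}) {
  const names = Object.keys(pkg.dependencies || {});
  if (includeDev) names.push(...Object.keys(pkg.devDependencies || {}));
  return names;
}

// Package names resolved in package-lock.json. lockfileVersion 1 lists them
// under `dependencies`; v2/v3 list them under `packages` keyed by install path
// (e.g. "node_modules/a/node_modules/@scope/b"), so we keep the last segment.
function lockedNpmDependencies(lock) {
  if (lock.packages) {
    const marker = 'node_modules/';
    return Object.keys(lock.packages)
      .filter((p) => p.startsWith(marker))
      .map((p) => p.slice(p.lastIndexOf(marker) + marker.length));
  }
  return Object.keys(lock.dependencies || {});
}

// Package names resolved in a Yarn v1 lockfile. Entry headers are unindented
// lines ending in ":" such as:   lodash@^4.17.11, lodash@^4.17.5:
// Scoped names are quoted; the name is everything before the last "@".
function lockedYarnDependencies(yarnLockText) {
  const names = new Set();
  for (const line of yarnLockText.split('\n')) {
    if (!line || line.startsWith('#') || /^\s/.test(line) || !line.endsWith(':')) continue;
    for (const spec of line.slice(0, -1).split(',')) {
      const key = spec.trim().replace(/^"|"$/g, '');
      names.add(key.slice(0, key.lastIndexOf('@')));
    }
  }
  return [...names];
}

// Compare declared vs locked names. In strict mode (npm ci-like) a drift is an
// error; otherwise (npm install-like) the caller just gets the missing list.
function checkSync(pkg, lockedNames, { includeDev = false, strict = false } = {}) {
  const locked = new Set(lockedNames);
  const missing = declaredDependencies(pkg, { includeDev }).filter((n) => !locked.has(n));
  if (missing.length && strict) {
    throw new Error(`Dependency ${missing[0]} was not found in the lockfile. ` +
      'Your manifest and lockfile are probably out of sync.');
  }
  return { inSync: missing.length === 0, missing };
}

// Constructed sample manifests: the lockfiles deliberately lack some entries.
const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  version: '1.0.0',
  dependencies: { express: '^4.16.4', lodash: '^4.17.11' },
  devDependencies: { mocha: '^6.0.0' },
};
const SAMPLE_PACKAGE_LOCK = {
  name: 'demo-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: { express: { version: '4.16.4' } }, // lodash and mocha missing
};
const SAMPLE_YARN_LOCK = [
  '# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.',
  '# yarn lockfile v1',
  '',
  'express@^4.16.4:',
  '  version "4.16.4"',
  '',
  'lodash@^4.17.11, lodash@^4.17.5:',
  '  version "4.17.11"',
  '',
  '"@types/node@^10.0.0":',
  '  version "10.12.18"',
  '',
].join('\n');

function demo() {
  const files = ['package.json', 'package-lock.json', 'yarn.lock'];
  return {
    chosenNpmManifest: selectManifest(files, 'npm'),
    npm: checkSync(SAMPLE_PACKAGE_JSON, lockedNpmDependencies(SAMPLE_PACKAGE_LOCK), { includeDev: true }),
    yarn: checkSync(SAMPLE_PACKAGE_JSON, lockedYarnDependencies(SAMPLE_YARN_LOCK)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node and the npm check reports lodash and mocha as missing (mocha only because devDependencies were included), while the Yarn check passes because yarn.lock resolves both production dependencies. Passing `strict: true` turns the npm drift into a thrown error, which is the behaviour the CLI section describes.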
Testing according to a specific manifest

Use the following command to test a specific manifest file:

snyk test --file=path/to/package.json

Patching a project

snyk protect

Snyk can apply previously selected patches using the GNU patch utility. Patches are recorded in the .snyk policy file. Read more about how patches work.

Fixing a project with the wizard

snyk wizard

Read about the wizard support.