Closed
Labels: enhancement (New feature or request)
Description
What happened:
When scanning a directory with the following files:
package.json

```json
{
  "name": "first_app",
  "version": "1.0.0",
  "description": "a first app",
  "main": "index.js",
  "scripts": {
    "test": "testing"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
  },
  "devDependencies": {
    "async": "^3.2.4"
  }
}
```

package-lock.json

```json
{
  "name": "first_app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "first_app",
      "version": "1.0.0",
      "license": "ISC",
      "devDependencies": {
        "async": "^3.2.4"
      }
    },
    "node_modules/async": {
      "version": "3.2.4",
      "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
      "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
      "dev": true
    }
  }
}
```
It outputs

```
✔ Indexed file system tests/data/js_dependencies
✔ Cataloged packages [2 packages]
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME       VERSION  TYPE
async      3.2.4    npm
first_app  1.0.0    npm
```

with the `async` devDependency.
What you expected to happen:
Syft does not output dev-dependencies, as is done when scanning a Pipfile.lock.
Steps to reproduce the issue:
Run syft on a directory containing the above file.
Anything else we need to know?:
Environment:
- Output of `syft version`:

```
$ syft version
Application: syft
Version: 0.97.1
BuildDate: 2023-11-17T20:53:01Z
GitCommit: Homebrew
GitDescription: [not provided]
Platform: darwin/arm64
GoVersion: go1.21.4
Compiler: gc
```

- OS (e.g: `cat /etc/os-release` or similar):

```
$ sw_vers
ProductName: macOS
ProductVersion: 14.1.1
BuildVersion: 23B81
```
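The filtering this issue asks for, sketched as an added example (not syft's code and not part of the original issue): it reads the `packages` map of a lockfileVersion 2 or 3 `package-lock.json` and separates the entries npm marked `"dev": true` from the rest. The `@example/runtime-lib` entry and the function names are constructed for illustration.

```javascript
// Added example: classify entries of an npm package-lock.json (lockfileVersion 2 or 3).
// Constructed sample: the issue's lockfile plus one hypothetical runtime dependency.
const sampleLock = JSON.stringify({
  name: "first_app",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    "": { name: "first_app", version: "1.0.0", devDependencies: { async: "^3.2.4" } },
    "node_modules/async": { version: "3.2.4", dev: true },
    "node_modules/@example/runtime-lib": { version: "2.0.0" }, // hypothetical entry
  },
});

// The package name is whatever follows the last "node_modules/" in the key,
// which also covers nested installs and scoped names.
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function classifyLockfile(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages || typeof lock.packages !== "object") {
    throw new Error("no 'packages' map: lockfileVersion 1 is not handled here");
  }
  const result = { root: null, prod: [], dev: [] };
  for (const [path, entry] of Object.entries(lock.packages)) {
    const pkg = { name: entry.name || nameFromPath(path), version: entry.version };
    if (path === "") {
      result.root = pkg; // the project itself
    } else if (entry.dev === true) {
      result.dev.push(pkg); // strictly part of the devDependencies tree
    } else {
      result.prod.push(pkg); // devOptional entries stay here: a non-dev tree may install them
    }
  }
  const byName = (a, b) => a.name.localeCompare(b.name);
  result.prod.sort(byName);
  result.dev.sort(byName);
  return result;
}

console.log(classifyLockfile(sampleLock));
```

An SBOM restricted to `root` and `prod` describes what a production install ships; keeping `dev` as a separate list still lets build-time dependencies be reviewed.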