bug(npm): Trivy returns error if packages[].workspaces is object for package-lock.json files #9517

@DmitriyLewen

Description

We currently expect that packages[].workspaces[] is an array with paths to workspace dirs.
But npm also supports a packages[].workspaces.packages object.
See https://github.com/npm/map-workspaces#usage

Example:

    "node_modules/feelers": {
      "version": "1.4.0",
      "resolved": "https://registry.npmjs.org/feelers/-/feelers-1.4.0.tgz",
      "integrity": "sha512-CGa/7ILuqoqTaeYeoKsg/4tzu2es9sEEJTmSjdu0lousZBw4V9gcYhHYFNmbrSrKmbAVfOzj6/DsymGJWFIOeg==",
      "license": "MIT",
      "dependencies": {
      ...
      },
      "engines": {
        "node": "*"
      },
      "workspaces": {
        "packages": [
          "feelers-playground"
        ]
      }
    }
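
One way a lock-file parser can accept both shapes of `workspaces`, shown as an added example that is not part of the original issue and is not Trivy's code. The names `Workspaces`, `LockPackage`, `ParseLock` and the sample lock file are assumptions constructed for illustration:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Workspaces holds workspace paths regardless of which JSON shape carried them.
type Workspaces []string

// UnmarshalJSON accepts ["dir"] and falls back to {"packages": ["dir"]}.
func (w *Workspaces) UnmarshalJSON(data []byte) error {
	var arr []string
	if err := json.Unmarshal(data, &arr); err == nil {
		*w = arr
		return nil
	}
	var obj struct {
		Packages []string `json:"packages"`
	}
	if err := json.Unmarshal(data, &obj); err != nil {
		return fmt.Errorf("workspaces: want array or {packages: [...]}: %w", err)
	}
	*w = obj.Packages
	return nil
}

// LockPackage is a hypothetical subset of one package-lock.json "packages" entry.
type LockPackage struct {
	Version    string     `json:"version"`
	Workspaces Workspaces `json:"workspaces"`
}

// ParseLock decodes the "packages" map of a package-lock.json document.
func ParseLock(data []byte) (map[string]LockPackage, error) {
	var lock struct {
		Packages map[string]LockPackage `json:"packages"`
	}
	err := json.Unmarshal(data, &lock)
	return lock.Packages, err
}

// Constructed sample: the root entry uses the array form, feelers the object form.
const sampleLock = `{"packages": {"": {"workspaces": ["packages/*"]},
 "node_modules/feelers": {"version": "1.4.0", "workspaces": {"packages": ["feelers-playground"]}}}}`

func main() {
	pkgs, err := ParseLock([]byte(sampleLock))
	fmt.Println(pkgs["node_modules/feelers"].Workspaces, pkgs[""].Workspaces, err)
}
```

A value that is neither an array nor an object still produces an error, so a malformed lock file is reported instead of being scanned with its workspaces silently dropped.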
