Skip to content


Trivy supports three types of Node.js package managers: npm, Yarn and pnpm. The following table provides an outline of the features Trivy offers.

Package manager File Transitive dependencies Dev dependencies Dependency graph Position License
npm package-lock.json Excluded
Yarn yarn.lock Excluded -
pnpm pnpm-lock.yaml Excluded - -

In addition, Trivy scans installed packages with package.json.

File Dependency graph Position License
package.json - -

These may be enabled or disabled depending on the target. See here for the detail.

Package managers

Trivy parses your files generated by package managers in filesystem/repository scanning.


Please make sure your lock file is up-to-date after modifying package.json.


Trivy parses package-lock.json. To identify licenses, you need to download dependencies to node_modules beforehand. Trivy analyzes node_modules for licenses.


Trivy parses yarn.lock, which doesn't contain information about development dependencies. To exclude devDependencies, package.json also needs to be present next to yarn.lock.


Trivy parses pnpm-lock.yaml, then finds production dependencies and builds a tree of dependencies with vulnerabilities.


Trivy parses the manifest files of installed packages in container image scanning and so on.


Trivy searches for package.json files under node_modules and identifies installed packages. It only extracts package names, versions and licenses for those packages.