Description
cve-bin-tool currently parses javascript package lock files, but not the ones generated by NPM because they have a slightly different format:
For the moment, we've solved the problem by having cve-bin-tool fail more gracefully when it finds something that's not in the expected format:
But assuming NPM's format is fairly consistent, we should be able to do better here.
Why?
People might want to scan npm package lock files. I don't know offhand if we'd want a full npm "language parser" here or just the ability to handle that one file type, so you'll need to do some research or know npm dependency formats better than I do.
Notes
In code review for #3654 @antoniogi mentioned,
The only thing I can think of is: is there a case where you can have more than 1 "dependencies" keys? If so, would it be better to also add the product and version to the warning message? (Feel free to ignore if too dumb of a comment)
I haven't seen anyone complain about this so I've kicked it out to here as a potential case to handle better in future. It's obviously technically possible (anyone could make a weird file manually; they're just text files) but I don't know if it's likely to be an issue or to come up in regular use cases.
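As an added illustration (this is not cve-bin-tool's own parser and not code from the issue or the linked PR), here is a small Python parser for npm's package-lock.json that covers the two layouts npm actually writes: lockfileVersion 1, where every dependency may carry its own nested "dependencies" object (so a single file legitimately contains several "dependencies" keys, the case @antoniogi asks about), and lockfileVersion 2/3, where packages are a flat map keyed by install path. Instead of aborting on a malformed entry it records the product and its location so the warning is actionable. The two sample lock files are constructed inline for the example; the function and variable names are this example's own.

```python
import json


def _entries_v1(deps, path, found, problems):
    """Walk a lockfileVersion 1 'dependencies' object recursively.

    npm records a second copy of a package installed beneath another one as a
    nested 'dependencies' object, so this recursion is what makes multiple
    'dependencies' keys in one file harmless rather than a parse error.
    """
    for name, info in deps.items():
        where = f"{path}/{name}"
        version = info.get("version") if isinstance(info, dict) else None
        if not isinstance(version, str):
            # Keep product and location in the message so a user can find it.
            problems.append(f"{where}: missing or non-string version")
            continue
        found.append((name, version, where))
        nested = info.get("dependencies")
        if isinstance(nested, dict):
            _entries_v1(nested, where, found, problems)


def parse_package_lock(text):
    """Return (found, problems) for an npm package-lock.json document.

    found:    list of (product, version, location) tuples
    problems: list of human-readable strings for entries that were skipped
    """
    found, problems = [], []
    data = json.loads(text)
    if not isinstance(data, dict):
        return found, ["top level is not a JSON object"]

    packages = data.get("packages")
    if isinstance(packages, dict):
        # lockfileVersion 2/3 (npm 7+): flat map keyed by install path.
        # A v2 file also carries the legacy 'dependencies' tree; reading only
        # 'packages' avoids reporting every package twice.
        for key, info in packages.items():
            if key == "":
                continue  # the root project itself, not a dependency
            version = info.get("version") if isinstance(info, dict) else None
            if not isinstance(version, str):
                problems.append(f"{key}: missing or non-string version")
                continue
            # 'node_modules/a/node_modules/@s/b' -> '@s/b' (scoped names keep their '/')
            name = info.get("name") or key.rsplit("node_modules/", 1)[-1]
            found.append((name, version, key))
        return found, problems

    deps = data.get("dependencies")
    if isinstance(deps, dict):
        _entries_v1(deps, "", found, problems)
        return found, problems

    return found, ["neither 'packages' nor 'dependencies' object present"]


# Constructed sample: lockfileVersion 1 with a nested 'dependencies' object
# under express, i.e. two 'dependencies' keys in one document.
LOCK_V1 = json.dumps({
    "name": "demo", "version": "1.0.0", "lockfileVersion": 1,
    "dependencies": {
        "lodash": {"version": "4.17.20"},
        "express": {
            "version": "4.17.1",
            "requires": {"debug": "2.6.9"},
            "dependencies": {"debug": {"version": "2.6.9"}},
        },
    },
})

# Constructed sample: lockfileVersion 3 (npm 7+), keyed by install path.
LOCK_V3 = json.dumps({
    "name": "demo", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    },
})

# Constructed sample: a hand-edited file with a non-string version.
LOCK_BAD = json.dumps({"lockfileVersion": 1, "dependencies": {"foo": {"version": 1}}})


if __name__ == "__main__":
    for label, text in (("v1", LOCK_V1), ("v3", LOCK_V3), ("bad", LOCK_BAD)):
        found, problems = parse_package_lock(text)
        print(label, found, problems)
```

Preferring "packages" over "dependencies" when both are present matters for lockfileVersion 2 files, which carry both trees for backward compatibility; reading both would double-count every package and inflate the scan results.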