Package Coverage Issue

Hi there,
I’m facing an issue with Sonatype Lifecycle when scanning with pnpm. When the target file is pnpm-lock.yaml, the scan seems to only report direct dependencies and doesn’t capture most transitive packages. For example, the Axios package was missed in the scan.

Has anyone else experienced this behavior, or is there a recommended workaround?

Hello,
For best results, Sonatype recommends scanning both the ‘pnpm-lock.yaml’ and its corresponding ‘package.json’ file together. This allows Lifecycle to build the dependency hierarchy tree and accurately present the direct and transitive dependencies.
You can read more on JavaScript scanning with Lifecycle here.
As a Sonatype Lifecycle customer you can reach out to your local Sonatype admin who can raise questions directly to our Sonatype Customer Success or Support teams.
Regards,
Alex
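The reply above rests on the point that the lockfile alone does not say which packages are direct and which are transitive; `package.json` supplies the roots and `pnpm-lock.yaml` supplies the edges. The script below is an added example, not Sonatype's code and not part of this thread. It walks a constructed `package.json` and a constructed `pnpm-lock.yaml` in the lockfile v9 layout (`importers` plus `snapshots`), labels every reachable package as direct or transitive with the path that pulled it in, and lists which packages a scan report left out, so a team can check a scan's coverage against what the lockfile actually resolves. The minimal YAML parser only covers the nested-map subset pnpm writes; it is an assumption of this example, not a general YAML implementation.

```python
"""Classify pnpm-resolved packages as direct or transitive and diff that set
against what a scan reported.  Inputs are constructed samples; nothing here
invokes pnpm or Sonatype Lifecycle."""
import json
from collections import deque

# Constructed package.json: the direct dependencies the project declares.
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": { "express": "^4.19.2", "some-client": "^2.0.0" },
  "devDependencies": { "typescript": "^5.4.5" }
}"""

# Constructed pnpm-lock.yaml (lockfile v9 layout is assumed). axios is only
# reachable through some-client, i.e. it is a transitive dependency.
PNPM_LOCK = """lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      express:
        specifier: ^4.19.2
        version: 4.19.2
      some-client:
        specifier: ^2.0.0
        version: 2.0.0
    devDependencies:
      typescript:
        specifier: ^5.4.5
        version: 5.4.5

snapshots:
  express@4.19.2:
    dependencies:
      accepts: 1.3.8
      body-parser: 1.20.2
  accepts@1.3.8: {}
  body-parser@1.20.2:
    dependencies:
      bytes: 3.1.2
  bytes@3.1.2: {}
  some-client@2.0.0:
    dependencies:
      axios: 1.6.8
  axios@1.6.8:
    dependencies:
      follow-redirects: 1.15.6
  follow-redirects@1.15.6: {}
  typescript@5.4.5: {}
"""


def parse_block_yaml(text):
    """Parse the block-mapping subset of YAML that pnpm-lock.yaml uses: nested
    maps with scalar leaves, space indentation, and '{}' for an empty map.
    Flow values such as '{integrity: ...}' are kept as opaque strings."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the open parents
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # close siblings/children deeper than us
            stack.pop()
        parent = stack[-1][1]
        if value in ("", "{}"):
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("'\"")
    return root


def resolve_direct(lock, pkg):
    """Pair each dependency declared in package.json with the version pnpm
    locked for it in the root importer ('.')."""
    importer = lock["importers"]["."]
    fields = ("dependencies", "devDependencies", "optionalDependencies")
    locked = {name: entry["version"]
              for field in fields
              for name, entry in importer.get(field, {}).items()}
    return {name: locked[name]
            for field in fields
            for name in pkg.get(field, {}) if name in locked}


def classify(pkg_json_text, lock_text):
    """Breadth-first walk from the direct dependencies over the snapshots
    graph. Returns {'name@version': {'kind': ..., 'via': [path]}}. Peer
    suffixes such as '1.6.8(debug@4.3.4)' stay part of the node id, matching
    how snapshot keys are written."""
    pkg = json.loads(pkg_json_text)
    lock = parse_block_yaml(lock_text)
    graph = {node_id: node.get("dependencies", {})
             for node_id, node in lock.get("snapshots", {}).items()}
    result, queue = {}, deque()
    for name, version in resolve_direct(lock, pkg).items():
        node = f"{name}@{version}"
        result[node] = {"kind": "direct", "via": [node]}
        queue.append(node)
    while queue:
        node = queue.popleft()
        for dep_name, dep_version in graph.get(node, {}).items():
            child = f"{dep_name}@{dep_version}"
            if child not in result:
                result[child] = {"kind": "transitive",
                                 "via": result[node]["via"] + [child]}
                queue.append(child)
    return result


def missing_from_scan(result, reported_names):
    """Package names the lockfile resolves that a scan report did not list."""
    return sorted({node.rsplit("@", 1)[0] for node in result}
                  - set(reported_names))


if __name__ == "__main__":
    tree = classify(PACKAGE_JSON, PNPM_LOCK)
    for node, info in tree.items():
        print(f"{info['kind']:10} {' -> '.join(info['via'])}")
    # A scan that only saw direct dependencies would have reported these:
    print("missed:", missing_from_scan(tree, {"express", "some-client", "typescript"}))
```

Running it prints each package with the chain that introduced it (for example `some-client@2.0.0 -> axios@1.6.8`) and then the packages a direct-only report would have missed, which is the list to compare against the Lifecycle scan output.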