Node.js support in FOSSA CLI depends on the following tools existing in your environment:
- Node.js (defaults to `node`, configure with
- NPM (defaults to `npm`, configure with
`fossa init` to detect all `package.json` files in the file tree not located inside of a
Manual: Add a `nodejs` module with `path` and `target` set to the directory where the `package.json` file is located in your project.

```yaml
analyze:
  modules:
    - name: your-nodejs-project
      type: nodejs
      path: .
      target: .
```
| Option | Type | Name | Common Use Case |
| --- | --- | --- | --- |
|  | string | Strategy | Specify a nodejs analysis strategy. |
Manually specify the nodejs analysis strategy to be used. The supported options are as follows, and the behavior of each is described in the Analysis section further down:

Analysis for nodejs projects is attempted in several ways, in the order listed, starting with the most accurate method and falling back to the method least likely to succeed:
- Parse output from `npm ls --json --production` - Runs if `npm` exists on the system and provides an accurate list of all dependencies needed to build the production project.
- `package.json` - Runs if `package.json` can be successfully parsed into a dependency graph.
- `yarn list --json` - This command verifies through `yarn` which dependencies are actually installed on the system. This strategy runs with `NODE_ENV=production` by default to find production dependencies.
- `yarn.lock` - Detects dependencies based on the yarn lockfile.
- `npm-shrinkwrap.json` - Detects dependencies based on the lockfile.
- `package-lock.json` - Detects dependencies based on the lockfile.
- We assume that your Node packages are installed at `node_modules`. Currently we do not offer a way to read this directory to determine what packages are installed.
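
As an added illustration of the first analysis strategy (this is not FOSSA CLI's own code), the following Node.js script flattens the nested tree that `npm ls --json --production` emits and shows which transitive packages a reading of `package.json` alone does not list. The sample inputs and all function names are constructed for this example.

```javascript
// Added example, not FOSSA CLI code. SAMPLE_NPM_LS and SAMPLE_PACKAGE_JSON are
// constructed inputs shaped like `npm ls --json --production` output and a package.json.
const SAMPLE_NPM_LS = {
  name: "your-nodejs-project",
  version: "1.0.0",
  dependencies: {
    express: {
      version: "4.18.2",
      dependencies: {
        "body-parser": { version: "1.20.1", dependencies: { bytes: { version: "3.1.2" } } },
        cookie: { version: "0.5.0" },
      },
    },
    lodash: { version: "4.17.21" },
    "left-pad": { required: "^1.3.0", missing: true }, // declared but not installed
  },
};
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: "^4.18.0", lodash: "^4.17.0", "left-pad": "^1.3.0" },
  devDependencies: { mocha: "^10.0.0" },
};

// Walk the nested tree and collect every installed package as name@version.
function flattenNpmLs(tree) {
  const installed = new Set();
  const missing = new Set();
  const stack = [tree.dependencies || {}];
  while (stack.length > 0) {
    for (const [name, node] of Object.entries(stack.pop())) {
      if (node.missing || !node.version) { missing.add(name); continue; }
      installed.add(`${name}@${node.version}`);
      if (node.dependencies) stack.push(node.dependencies);
    }
  }
  return { installed: [...installed].sort(), missing: [...missing].sort() };
}

// A manifest alone names only direct production dependencies (with version ranges).
function directFromPackageJson(pkg) {
  return Object.keys(pkg.dependencies || {}).sort();
}

// Resolved packages that appear only in the tree, not in the manifest.
function transitiveOnly(tree, pkg) {
  const direct = new Set(directFromPackageJson(pkg));
  return flattenNpmLs(tree).installed.filter((id) => !direct.has(id.slice(0, id.lastIndexOf("@"))));
}

console.log(flattenNpmLs(SAMPLE_NPM_LS), transitiveOnly(SAMPLE_NPM_LS, SAMPLE_PACKAGE_JSON));
```

A package reported as missing means the installed tree and the manifest disagree, so an inventory built from the tree is incomplete until dependencies are installed.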