JavaScript Parameters

NPM + Yarn + PNPM + Lerna

For more information regarding NPM integration, refer here.

Note: lockfileVersion 2 and 3 are supported by the Unified Agent for NPM.

Configuration File Parameter	Description and Expected Behavior	If True	If False	Default	Command Line Parameter Available?
npm.ignoreDirectoryPatterns	A string parameter that defines the list of directory patterns which will be ignored when searching for the package.json dependency file during the npm resolution. The list of directories is a comma/semi-colon delimited list.	N/A	N/A	example,examples,test,.bower	No
npm.resolveDependencies	Whether to resolve npm dependencies. NOTE: package.json dependency files defined within directories defined by the npm.ignoreDirectoryPatterns are not scanned, and therefore dependencies declared in these files are ignored. For example, the default set of directories to ignore will not include the following dependency files: /examples/package.json /example/package.json /.bower/package.json /test/package.json	Resolves NPM/yarn/pnpm dependencies. NOTES: If a Lerna.json file is identified, then Lerna’s npmClient will determine if to run npm or yarn resolution. If a yarn.lock file is identified, then yarn resolution is performed. If package-lock.json file is identified, then NPM resolution is performed. The pnpm-lock.yaml file will be resolved if it is the only lock file identified next to the package.json file. If all 3 lock files are not found or missing, the npm.yarnProject parameter will be used to determine which resolution to perform.	Will not resolve NPM/yarn/pnpm dependencies.	True (except for when `resolveAllDependencies=false`	-npm.resolveDependencies
npm.ignoreSourceFiles	When NPM dependencies are detected, ignore or include .js files outside the node_modules folder. NOTE: Only relevant when fileSystemScan is true.	Ignores the js files outside the node_modules folder.	Includes the js files outside the node_modules folder.	True	No
npm.includeDevDependencies	Whether to include dev dependencies.	Adds devDependencies to the scan	Only the prod dependencies will be scanned.	False	-npm.includeDevDependencies
npm.runPreStep	Whether to run `npm install` or `yarn install` on found package.json file.	Installs the NPM/yarn project. If a yarn.lock file is identified, then `yarn install` is executed. If package-lock.json file is identified, then `npm install` is executed. If both lock files are found or missing, the npm.yarnProject parameter will be used to determine which installation command to perform.	Will not Install the NPM/yarn project.	False	No
npm.ignoreNpmLsErrors	Whether to ignore errors of the 'npm list' command.	The scan will end with SUCCESS status + hierarchy tree.	The scan will end with SUCCESS status + flat list.	False	No
npm.ignoreScripts	Whether to ignore the scripts in your project's package.json file. NOTES: Used only if npm.runPreStep = True. Since 20.4.2 the flag is also supported for Yarn.	The Unified Agent executes `npm install --ignore-scripts`, and the scripts in your project's package.json file will not be run.	The npm install command will run and the scripts in your project's package.json file will be run.	False	No
npm.yarnProject	Whether this is a yarn project (or not).	Resolves yarn projects	Will not resolve yarn projects	False	No
npm.accessToken	The access token value provided by the relevant environment (Microsoft Visual Studio or Artifactory) to fetch required data from the NPM registry. NOTE: Only one access token to one private registry is supported. Multiple private registries can not be added.	N/A	N/A	Empty	No
npm.identifyByNameAndVersion	Defines whether to fetch package data from npm registry (either private or public).	The Unified Agent will use only the name and the version of the package.	Fetches package data from npm registry (either private or public).	False	No
npm.yarn.frozenLockfile	Enables running the pre-step with the `--frozen.lockfile` yarn parameter. NOTE: If enabled, then the following parameters also need to be set to True: npm.runPreStep and npm.yarnProject.	Runs the pre-step with the `--frozen.lockfile` yarn parameter.	Will not run the pre-step with the `--frozen.lockfile` yarn parameter.	False	No
npm.resolveMainPackageJsonOnly	In npm projects, more than one package.json file can exist. Therefore, you can decide to resolve only the main package.json file (the one in the root directory) or all package.json files.	The Unified Agent checks if there is a package.json file in the folder passed as the -d parameter. If no such file exists, the scan will fail; otherwise, the Unified Agent will scan only this package.json.	The Unified Agent resolves all package.json files	False	No
npm.removeDuplicateDependencies	Whether to remove duplicate dependencies during npm dependency resolution.	Removes duplicate dependencies during npm dependency resolution.	Includes duplicate dependencies during npm dependency resolution.	True	No
npm.resolveAdditionalDependencies	Whether to resolve global dependencies and require modules. NOTE: Require is the equivalent to import in other languages.	Resolves global dependencies and require modules.	Resolves only the dependencies that are declared in the package.json.	False	No
npm.resolveLockFile	Whether the Unified Agent will rely on the manifest (package.json) and lock file (package-lock.json) for the resolution and not rely on NPM commands. If the lock file is missing, the detection will be based on the node_modules folder.	The Unified Agent uses the package.json and package-lock.json to get the hierarchy tree. If the package-lock.json is missing, the detection is based on the node_modules folder.	The Unified Agent runs npm commands to get the hierarchy tree.	True	No
npm.projectNameFromDependencyFile	Whether the project name will be taken from the dependency file. This is a standalone parameter for the NPM resolver only, taking effect only when the npm resolver is the only active resolver. If the Unified Agent identifies any additional resolvers besides npm that are set to True, an error is generated. NOTE: If a productVersion was specified, it will override the project version and be part of the project's name.	The project name will be taken from the package.json file.	The project name will be taken from the CLI/configuration file.	False	No
npm.failOnNpmLsErrors	Whether to fail and exit the scan in case of `npm ls` errors.	In case an error occurs while running `npm ls`, the following log will be printed and the scan will stop: `Errors found in 'npm ls' command, while flag npm.failOnNpmLsErrors is true program will exit`.	In case of an error in `npm ls` the Unified Agent will continue to run and get as much dependencies information as possible.	NULL (meaning False - the scan will not fail on npm ls errors)	No
npm.resolveGlobalPackages	When scanning Docker images, and npm is not available, in order to extract global dependencies, this parameter eliminates the need to rely on NPM being installed and available; as the Unified Agent identifies all the global npm packages installed on the Docker image. When true - the Unified Agent will scan every package.json file inside node_modules directory.	Resolves all package.json files under the node_modules folder.	Will not scan package.json files under the node_modules folder.	False	No

Bower

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

bower.resolveDependencies

Whether to resolve Bower project folders.

Resolves Bower project folders

Will not resolve Bower project folders

True
(except for when resolveAllDependencies=false

No

bower.ignoreSourceFiles

When using the dependency resolver, whether to include package dependencies or package dependencies + source files.

NOTE: Only relevant when fileSystemScan is true.

Includes only package dependencies

Include package dependencies and source files

False

No

bower.runPreStep

Whether to install your Bower project.

Installs your Bower project

Does not install your Bower project

False

No