Node.js offers various package managers—npm, Yarn, PNPM, Bun—that produce lockfiles. CybeDefend’s SCA scanner relies on these files to accurately identify your app’s dependencies.

Lockfile Examples

  1. npm: package-lock.json or npm-shrinkwrap.json
  2. Yarn: yarn.lock
  3. PNPM: pnpm-lock.yaml, pnpm-lock.yml
  4. Bun: bun.lock, bun.lockb
  5. Deno: deno.lock

Why You Should Use Lockfiles

Using a lockfile is critical for secure and predictable builds. A lockfile contains a fixed version and a hash for each dependency and sub-dependency in your project.

  1. Supply Chain Protection
    Lockfiles prevent malicious package injections: because each dependency resolves to an exact version with an integrity hash, a substituted or tampered package fails to install instead of silently entering the build. This is crucial as supply chain attacks are rising.
  2. Predictable Builds
    Everyone uses the exact same package versions, avoiding “it works on my machine” inconsistencies.
  3. Performance Gains
    With dependency versions locked, build tools skip the usual resolution step, making builds faster.

Lockfiles are never edited manually. They’re generated and updated by your package manager and committed to your repository, ensuring consistent environments for all teammates.

  1. Install Dependencies
    e.g., npm install, yarn install, pnpm install, or bun install.
  2. Commit the Generated Lockfile
    This ensures your entire dev team and CybeDefend use identical dependencies.
  3. Avoid Manual Edits
    Let the package manager handle the lockfile; do not modify it by hand.

Deno Projects

For Deno projects, you can generate a lockfile with:

deno cache --lock=deno.lock --lock-write your_script.ts

After generating the lockfile, commit it to your repository for CybeDefend to scan.

Supported Files for Node

File Examples
npm-shrinkwrap.json, yarn.lock, pnpm-lock.yaml, bun.lock, bun.lockb, deno.lock, libman.json, package.json, package-lock.json

To ensure full coverage of production packages, pin or lock versions in dependencies, not only in devDependencies.