Is this lib supposed to work in a workspace (either npm, yarn or pnpm)? If yes, which type and version, with which configuration are supported?
In a regular repo I have 230 dependencies scanned; after merging it into a monorepo with npm workspaces, I can scan only the ones that are not hoisted because of a version mismatch with neighbouring packages. With pnpm only top-level dependencies are scanned (30 out of the original 230). Only yarn without plug-n-play (hoisting limit) seems to work for me, which is really a pity, as having dozens of full-blown node_modules bottomless pits in a module-federation app is a nightmare with IntelliJ.
Also please clarify if this lib is abandoned. I see the last commit in /src is from 2 years ago, about as old as this issue: #184. If it is not under active development anymore, please deprecate it. As you can imagine, having a lib like this in a project really screws up the options for improvements. Either you have to abandon the idea of a monorepo and waste countless hours on multi-repo issues, or you have to explain to your project manager that you want to lower your security level for something as trivial as developer experience.
We recently migrated our project from npm to pnpm, and only the first-level dependencies are scanned. For instance: in a project we use body-parser, and pnpm audit detects the GHSA-hrpp-h998-j3pp vulnerability on qs, where qs is a dependency of body-parser (. > [email protected] > [email protected]); but qs is not present within the SBOM file created by auditjs.
cc @bhamail / @DarthHater / @allenhsieh / @ken-duck