
Syft outputs devDependencies for package-lock.json files #2348

Closed
amascia opened this issue Nov 22, 2023 · 5 comments · Fixed by #3371
Labels
enhancement New feature or request

Comments

@amascia

amascia commented Nov 22, 2023

What happened:
When scanning a directory with the following files:
package.json

{
    "name": "first_app",
    "version": "1.0.0",
    "description": "a first app",
    "main": "index.js",
    "scripts": {
      "test": "testing"
    },
    "author": "",
    "license": "ISC",
    "dependencies": {
    },
    "devDependencies": {
      "async": "^3.2.4"
    }
  }

package-lock.json

{
    "name": "first_app",
    "version": "1.0.0",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
      "": {
        "name": "first_app",
        "version": "1.0.0",
        "license": "ISC",
        "devDependencies": {
          "async": "^3.2.4"
        }
      },
      "node_modules/async": {
        "version": "3.2.4",
        "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
        "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==",
        "dev": true
      }
    }
  }

It outputs

 ✔ Indexed file system        tests/data/js_dependencies
 ✔ Cataloged packages         [2 packages]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME       VERSION  TYPE
async      3.2.4    npm
first_app  1.0.0    npm

with the async devDependency.

What you expected to happen:

Syft should not output dev dependencies, as is already the case when scanning a Pipfile.lock.

Steps to reproduce the issue:

Run syft on a directory containing the above files.

Anything else we need to know?:

Environment:

  • Output of syft version:
$ syft version
Application: syft
Version:    0.97.1
BuildDate:  2023-11-17T20:53:01Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/arm64
GoVersion:  go1.21.4
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
$ sw_vers
ProductName:		macOS
ProductVersion:		14.1.1
BuildVersion:		23B81
@amascia amascia added the bug Something isn't working label Nov 22, 2023
@tgerla
Contributor

tgerla commented Dec 14, 2023

Hey @amascia, we are taking a look and we believe you are probably right that we need to filter out the dev dependencies from these kinds of scans. Thanks for the detailed report and reproduction steps--much appreciated!

@tgerla tgerla moved this to Backlog in OSS Feb 1, 2024
@tgerla tgerla added enhancement New feature or request and removed bug Something isn't working labels Feb 1, 2024
@atl-mk

atl-mk commented Feb 8, 2024

Hey, I am able to provide Syft both the package.json and the lock file (whether it be package-lock.json or yarn.lock) so Syft has all the information it needs to be able to determine whether or not something is a development only dependency. I'm looking forward to this feature being implemented.

@harippriyas
Contributor

+1. Would be a really useful feature. thanks!

@arkajnag23

arkajnag23 commented Aug 15, 2024

@tgerla Very useful feature; desperately asking for this to be supported, as when delivering regulatory governance data, development dependencies shouldn't be shared.
Even if the JSON output contained some information about scope, the team could run some alternative code to filter off the devDependencies.

@ccremer

ccremer commented Nov 29, 2024

Just to mention, there are a few use cases where devDependencies are desired. For example, SvelteKit projects often have most, if not all, dependencies listed as dev dependencies. Therefore, I very much appreciate the config option introduced in #3371 🎉

Note: The config option

javascript:
  include-dev-dependencies: true

is currently not documented in the Wiki.
