There are multiple detectors that make up npm detection, and each detector searches for the following files:
- The `NpmComponentDetector` detector searches for `package.json`
- The `NpmComponentDetectorWithRoots` and `NpmLockfile3Detector` detectors search for `package-lock.json`, `npm-shrinkwrap.json`, and `lerna.json`
npm detectors search for dependencies in `package.json`, `package-lock.json`, `npm-shrinkwrap.json` and `lerna.json` in the scan directory.
The lockfile detectors (NpmComponentDetectorWithRoots and NpmLockfile3Detector) are able to scan for transitive dependencies within the project.
There is also an extension of the lockfile detector, the `NpmLockfile3Detector`, that is able to scan version 3 lockfiles.
npm supports `optionalDependencies`, which can cause the detector to over-report (optional packages appear in the lockfile even when they were never installed on the scanning platform).
However, this is not much of an issue, as the majority of projects only use `dependencies` and `devDependencies`.
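The following is an added example and not Component Detection's own code. It shows what a lockfile-based detector has to do with a `lockfileVersion` 3 `package-lock.json`: enumerate every installed package (direct and transitive), trace each one back to the direct dependency that pulls it in (the "roots" that let a reviewer see which declared dependency is responsible for a vulnerable transitive package), and flag `optional` entries so a consumer can opt out of the over-reporting described above. The lockfile is a constructed sample; the package names, versions and the `detectComponents`/`computeRoots`/`resolveDependency` helpers are assumptions made for this example.

```javascript
// Added example, not Component Detection's own code: walk a lockfileVersion 3
// package-lock.json the way a lockfile-based detector must, reporting every
// installed package together with the direct dependency ("root") that reaches
// it, and flagging optional packages so over-reporting can be controlled.

// Constructed sample lockfile. Shape follows the lockfileVersion 3 format:
// "packages" is keyed by install path, and "" is the project itself.
const SAMPLE_LOCKFILE_V3 = {
  name: "sample-app",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "sample-app",
      version: "1.0.0",
      dependencies: { "left-pad": "^1.3.0" },
      devDependencies: { mocha: "^10.2.0" },
      optionalDependencies: { fsevents: "^2.3.2" },
    },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/mocha": { version: "10.2.0", dev: true, dependencies: { debug: "4.3.4", ms: "2.1.3" } },
    "node_modules/mocha/node_modules/ms": { version: "2.1.3", dev: true }, // nested copy
    "node_modules/debug": { version: "4.3.4", dev: true, dependencies: { ms: "2.1.2" } },
    "node_modules/ms": { version: "2.1.2", dev: true }, // hoisted transitive
    "node_modules/fsevents": { version: "2.3.2", optional: true, os: ["darwin"] },
  },
};

// Names the project declares directly (any dependency kind counts as a root).
function directDependencyNames(lock) {
  const project = lock.packages[""] || {};
  return new Set(Object.keys({
    ...(project.dependencies || {}),
    ...(project.devDependencies || {}),
    ...(project.optionalDependencies || {}),
  }));
}

// Resolve `depName` as npm would from the package installed at `fromPath`:
// try a nested node_modules first, then walk up towards the project root.
function resolveDependency(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${depName}` : `node_modules/${depName}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null; // reached the project root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name from an install path; works for scoped ("node_modules/@scope/name")
// and nested ("node_modules/a/node_modules/b") paths.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Map every install path to the set of direct dependencies that reach it.
function computeRoots(lock) {
  const roots = new Map();
  for (const rootName of directDependencyNames(lock)) {
    const start = resolveDependency(lock, "", rootName);
    if (!start) continue; // declared but absent from the lockfile
    const stack = [start];
    const seen = new Set();
    while (stack.length > 0) {
      const path = stack.pop();
      if (seen.has(path)) continue;
      seen.add(path);
      if (!roots.has(path)) roots.set(path, new Set());
      roots.get(path).add(rootName);
      for (const dep of Object.keys(lock.packages[path].dependencies || {})) {
        const next = resolveDependency(lock, path, dep);
        if (next) stack.push(next);
      }
    }
  }
  return roots;
}

// Produce the component list a detector would report. `includeOptional: false`
// drops packages the lockfile marks optional, which may never have been installed.
function detectComponents(lock, { includeOptional = true } = {}) {
  if (lock.lockfileVersion !== 3) {
    throw new Error(`expected lockfileVersion 3, got ${lock.lockfileVersion}`);
  }
  const direct = directDependencyNames(lock);
  const roots = computeRoots(lock);
  const components = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue;
    if (!includeOptional && meta.optional) continue;
    const name = packageNameFromPath(path);
    components.push({
      name,
      version: meta.version,
      path,
      direct: path === `node_modules/${name}` && direct.has(name),
      dev: Boolean(meta.dev),
      optional: Boolean(meta.optional),
      roots: [...(roots.get(path) || [])].sort(),
    });
  }
  return components;
}

for (const c of detectComponents(SAMPLE_LOCKFILE_V3)) {
  console.log(`${c.name}@${c.version} direct=${c.direct} optional=${c.optional} roots=[${c.roots.join(", ")}]`);
}
```

Note that a hoisted package such as `debug` sits at the top level of `node_modules` yet is transitive; the example therefore decides `direct` from the project's declared dependencies rather than from path depth alone, and the nested `ms` copy is resolved the way npm resolves it, so both installed versions are reported.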