
Add Dev flag to yarn.lock parsing #86

@dachrillz

Description


Hello! I've been using Trivy to do some scanning of Node.js applications that use yarn. As you are most likely aware, there is no way for Trivy to separate between dev dependencies and production dependencies in this case.

I would love it if Trivy could support this. After some digging through the source code I think this repository is the place to start, given that it handles the dependency parsing for packages. Also I saw that you already thought about this, thanks to the following TODO in yarn/parse.go:

```go
type Dependency struct {
	Version string
	// TODO : currently yarn can't recognize Dev flag.
	// That need to parse package.json for Dev flag
	Dev          bool
	Dependencies map[string]Dependency
}
```

I guess the only way to support the Dev flag is to include the package.json and compare it to the yarn.lock?

Is this something that sounds reasonable to you?

Thank you for your time! :)
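As an added example (not code from this issue or from the repository discussed here), a minimal Go sketch of the approach the issue proposes: parse the lock file for package names and versions, then read package.json so that packages listed only under devDependencies get Dev set. The yarn.lock and package.json contents are constructed for the example, and the names SampleLock, SamplePkg, ParseYarnLock and MarkDev are this example's own.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Dependency mirrors the struct quoted from yarn/parse.go (nested Dependencies omitted).
type Dependency struct {
	Version string
	Dev     bool
}

// Constructed sample inputs for this example, not files from any real project.
const SampleLock = "# yarn lockfile v1\n\nlodash@^4.17.21:\n  version \"4.17.21\"\n  resolved \"https://registry.example/lodash.tgz\"\n\n\"@types/node@^18.0.0\", \"@types/node@>=16\":\n  version \"18.19.0\"\n\njest@^29.0.0:\n  version \"29.7.0\"\n  dependencies:\n    lodash \"^4.17.21\"\n"
const SamplePkg = `{"name":"app","dependencies":{"lodash":"^4.17.21"},"devDependencies":{"jest":"^29.0.0","@types/node":"^18.0.0"}}`

// ParseYarnLock reads yarn.lock v1 text into name -> Dependency. A header such as `"@types/node@^18.0.0", "@types/node@>=16":` names the package before the last '@' of its first pattern.
func ParseYarnLock(lock string) map[string]Dependency {
	deps, cur := map[string]Dependency{}, ""
	for _, line := range strings.Split(lock, "\n") {
		if !strings.HasPrefix(line, " ") && !strings.HasPrefix(line, "#") && strings.HasSuffix(line, ":") {
			first := strings.Trim(strings.Split(strings.TrimSuffix(line, ":"), ", ")[0], `"`)
			if i := strings.LastIndex(first, "@"); i > 0 {
				cur = first[:i] // start of a new lock entry
			}
		} else if f := strings.Fields(line); cur != "" && len(f) == 2 && f[0] == "version" {
			deps[cur] = Dependency{Version: strings.Trim(f[1], `"`)} // indented "version" line of the current entry
		}
	}
	return deps
}

// MarkDev flags packages that package.json lists only under devDependencies; transitive dependencies of dev packages are not propagated by this direct comparison.
func MarkDev(deps map[string]Dependency, pkgJSON []byte) error {
	var pkg struct {
		Dependencies    map[string]string `json:"dependencies"`
		DevDependencies map[string]string `json:"devDependencies"`
	}
	if err := json.Unmarshal(pkgJSON, &pkg); err != nil {
		return err
	}
	for name, d := range deps {
		_, prod := pkg.Dependencies[name]
		_, dev := pkg.DevDependencies[name]
		d.Dev = dev && !prod
		deps[name] = d
	}
	return nil
}
```

A real implementation would also walk each dev package's nested dependencies so that their transitive dependencies inherit the flag, which this direct name comparison does not do.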
