It turned out that for some of the repositories the Dependency Graph takes both package.json
and package-lock.json into account, while for others it is only package.json.
After further investigation we found out that rather big package-lock.json files (e.g.
713KB or 1.01MB in our cases) seem to be ignored - or they just fail silently.
Our guess is that there is a certain file size threshold or maybe a dependency-complexity threshold for package-lock.json that doesn’t allow Dependency Graph to fully analyze the dependencies. This leads to missing Security Alerts for libraries which only show up in the unprocessable package-lock.json files.
Can someone confirm this behaviour?
If so what is the threshold?
Any ideas to fix or work around this?
Thank you very much.
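To see which packages a manifest-only scan would miss, here is an added example (not from the original post or from GitHub) that lists the packages present in package-lock.json but absent from package.json; it handles both the lockfileVersion 1 nested tree and the lockfileVersion 2/3 "packages" map, and the manifest and lock contents below are constructed samples.

```javascript
// Added example: find packages that appear only in package-lock.json, i.e. the
// transitive dependencies that are invisible if only package.json is analysed.
// SAMPLE_* values are constructed for the demo; point these at real files in practice.

function lockPackages(lock) {
  const names = new Set();
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/a/node_modules/b"; the last segment is the package name
    for (const key of Object.keys(lock.packages)) {
      if (key === "") continue; // "" is the root project entry
      const idx = key.lastIndexOf("node_modules/");
      names.add(key.slice(idx + "node_modules/".length));
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps) => {
      for (const [name, entry] of Object.entries(deps)) {
        names.add(name);
        if (entry.dependencies) walk(entry.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return names;
}

function lockOnlyPackages(manifestText, lockText) {
  const manifest = JSON.parse(manifestText);
  const lock = JSON.parse(lockText);
  const direct = new Set([
    ...Object.keys(manifest.dependencies || {}),
    ...Object.keys(manifest.devDependencies || {}),
  ]);
  return [...lockPackages(lock)].filter((n) => !direct.has(n)).sort();
}

const SAMPLE_MANIFEST = JSON.stringify({ dependencies: { express: "^4.18.0" } });
const SAMPLE_LOCK_V1 = JSON.stringify({ lockfileVersion: 1, dependencies: {
  express: { version: "4.18.2", dependencies: { "body-parser": { version: "1.20.1" } } },
  qs: { version: "6.11.0" } } });
const SAMPLE_LOCK_V3 = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { dependencies: { express: "^4.18.0" } },
  "node_modules/express": { version: "4.18.2" },
  "node_modules/express/node_modules/qs": { version: "6.11.0" },
  "node_modules/@types/node": { version: "18.0.0" } } });

console.log(lockOnlyPackages(SAMPLE_MANIFEST, SAMPLE_LOCK_V1)); // [ 'body-parser', 'qs' ]
console.log(lockOnlyPackages(SAMPLE_MANIFEST, SAMPLE_LOCK_V3)); // [ '@types/node', 'qs' ]
```

Any package in the returned list only gets a Security Alert if the lock file was actually processed, so this is the set to check against the alerts you see for a repository whose lock file may have been skipped.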