Missing Security Alerts due to large package-lock.json files?

Hey there,

we have turned on Security Alerts for almost all of our repositories. At some point we saw that some of our JavaScript repositories show Security Alerts while others do not, although they contain the exact same vulnerable version of a library.

It turned out that for some of the repositories the Dependency Graph takes both package.json and package-lock.json into account, while for others it is only package.json.

After further investigation we found out that rather big package-lock.json files (e.g. 713KB or 1.01MB in our cases) seem to be ignored - or they just fail silently.

Our guess is that there is a certain file size threshold or maybe a dependency-complexity threshold for package-lock.json that doesn’t allow Dependency Graph to fully analyze the dependencies. This leads to missing Security Alerts for libraries which only show up in the unprocessable package-lock.json files.

Can someone confirm this behaviour?

If so what is the threshold?

Any ideas to fix or work around this?

Thank you very much.

2 Likes

Hi there pixelpogo! :wave:

I’ve looked into this for you and I can confirm that there is a size limit on package-lock.json and other manifest files of 0.5 MB, which applies to all users and organizations that are not using GitHub Enterprise.

Manifests that are ignored due to size will not receive security alerts or automated security updates.

We can process up to 20 manifests per repository by default, so if you can split your dependencies between several files that are smaller than 0.5 MB each, they will all be picked up and processed.

One way of doing this would be to use both package-lock.json and package.json.

Another way might be to have separate package-lock.json files in sub folders of the repository.

Or, alternately, upgrading to GitHub Enterprise would remove the size limit entirely.

I’ll raise an issue with our docs team to have this limit mentioned on our help pages!

1 Like
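As an added check (example code written for this page, not GitHub's own tooling or anything posted in the thread): a small audit script that walks a checkout, lists the npm manifests the Dependency Graph would look at, flags those above the 0.5 MB limit described in the answer, and counts how many remaining manifests are left against the default of 20 per repository. The threshold and the manifest name set are assumptions: the thread does not say whether "0.5 MB" means 500,000 or 524,288 bytes, so the limit is a parameter, and only the npm file names the thread discusses are included. The sample listing at the bottom is constructed for illustration.

```python
"""Audit a repository for dependency manifests that would be skipped.

Added example, not from the original thread. Assumptions:
- LIMIT_BYTES reads "0.5 MB" as 500,000 bytes; the thread does not state
  the exact accounting, so pass your own limit if it differs.
- MANIFEST_NAMES covers only the npm files discussed in the thread.
"""
import os
from dataclasses import dataclass

LIMIT_BYTES = 500_000               # assumption: "0.5 MB" read as 500 kB
MAX_MANIFESTS = 20                  # default per-repository count from the thread
MANIFEST_NAMES = {"package.json", "package-lock.json"}
SKIP_DIRS = {"node_modules", ".git"}  # vendored/VCS trees are not repo manifests


@dataclass
class Finding:
    path: str
    size: int
    ignored: bool   # True when the file exceeds the size limit


def audit_listing(listing, limit=LIMIT_BYTES, max_manifests=MAX_MANIFESTS):
    """listing: iterable of (relative_path, size_bytes).

    Returns a dict with every manifest found (sorted by path), the paths
    that exceed the limit, and whether more manifests than the default
    per-repository count would still need processing.
    """
    findings = []
    for rel, size in listing:
        parts = rel.replace("\\", "/").split("/")
        if any(p in SKIP_DIRS for p in parts[:-1]):
            continue
        if parts[-1] not in MANIFEST_NAMES:
            continue
        findings.append(Finding(rel, size, size > limit))
    findings.sort(key=lambda f: f.path)
    processed = [f for f in findings if not f.ignored]
    return {
        "manifests": findings,
        "ignored": [f.path for f in findings if f.ignored],
        "over_count": len(processed) > max_manifests,
    }


def list_files(root):
    """Yield (relative_path, size) for every file under root, pruning SKIP_DIRS."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), os.path.getsize(full)


def audit_repo(root, **kw):
    """Audit a real checkout on disk."""
    return audit_listing(list_files(root), **kw)


# Constructed sample listing; sizes are invented to mirror the thread's cases.
SAMPLE_LISTING = [
    ("package.json", 2_300),
    ("package-lock.json", 1_010_000),            # ~1.01 MB: over the limit
    ("frontend/package.json", 1_800),
    ("frontend/package-lock.json", 713_000),     # ~713 KB: over the limit
    ("tools/package.json", 900),
    ("tools/package-lock.json", 480_000),        # below the limit: processed
    ("node_modules/left-pad/package.json", 500),  # vendored, skipped entirely
]


def sample_report():
    """Run the audit over the constructed listing."""
    return audit_listing(SAMPLE_LISTING)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    report = audit_repo(root) if root else sample_report()
    for f in report["manifests"]:
        state = "IGNORED" if f.ignored else "ok     "
        print(f"{state} {f.size:>10,} {f.path}")
    if report["over_count"]:
        print(f"more than {MAX_MANIFESTS} manifests under the limit; "
              "the extras may not be processed")
```

Run it with a checkout path to audit a real repository, or with no arguments to see the constructed sample. A manifest reported as IGNORED is a candidate for the workaround in the answer: move part of the dependency set into a separate package.json and package-lock.json in a sub folder so each file stays under the limit, then re-run the audit to confirm.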