docs(nodejs): add info about supported versions of pnpm lock files (#…

…6510)
aquasecurity · Apr 19, 2024 · 95c8fd9 · 95c8fd9
1 parent 12ec0df
commit 95c8fd9
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/docs/docs/coverage/language/nodejs.md b/docs/docs/coverage/language/nodejs.md
@@ -55,6 +55,9 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
 ### pnpm
 Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
 
+!!! note
+    Trivy currently only supports Lockfile [v6][pnpm-lockfile-v6] or earlier.
+
 ### Bun
 Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`.
 
@@ -69,5 +72,6 @@ Trivy searches for `package.json` files under `node_modules` and identifies inst
 It only extracts package names, versions and licenses for those packages.
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[pnpm-lockfile-v6]: https://github.com/pnpm/spec/blob/fd3238639af86c09b7032cc942bab3438b497036/lockfile/6.0.md
 
 [^1]: [yarn.lock](#bun) must be generated