docs(pnpm): add note about supported versions

aquasecurity · Apr 17, 2024 · fbe8317 · fbe8317
1 parent 46d5aba
commit fbe8317
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/docs/docs/coverage/language/nodejs.md b/docs/docs/coverage/language/nodejs.md
@@ -55,6 +55,9 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
 ### pnpm
 Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
 
+!!! warning
+    Trivy currently only supports Lockfile [v6][pnpm-lockfile-v6] or earlier.
+
 ### Bun
 Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`.
 
@@ -69,5 +72,6 @@ Trivy searches for `package.json` files under `node_modules` and identifies inst
 It only extracts package names, versions and licenses for those packages.
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[pnpm-lockfile-v6]: https://github.com/pnpm/spec/blob/fd3238639af86c09b7032cc942bab3438b497036/lockfile/6.0.md
 
 [^1]: [yarn.lock](#bun) must be generated