JavaScript / TypeScript

Introduction

JFrog Xray provides security and compliance analysis for JavaScript and TypeScript applications throughout the software development lifecycle. This page describes the supported scan contexts, package managers, capabilities, and dependency analysis available for JavaScript/TypeScript.

Capabilities

Capability	Source Code Scanning	Binary Scanning
Vulnerability Matching (CVEs)	✅	✅
License Detection	✅	✅
Malicious Package Detection	✅	✅
Operational Risk	✅	✅
Smart Remediation	🔜	🔜

Source code scanning analyzes your project's dependency manifest files to identify components and their vulnerabilities. This is used by JFrog CLI (jf audit), Frogbot, IDE integrations, and CI pipelines.

Supported Files

Package Manager	Supported Files
npm	`package-lock.json` (required), `package.json`
Yarn	`yarn.lock` (Yarn 3 required)
pnpm	❌ Not supported
Bower	❌ Not supported

Dependency Graph

Package Manager	Dependency Graph
npm	✅ Full
Yarn	❌ Flat