Endor Labs for JavaScript/TypeScript

Learn how to implement Endor Labs in repositories with JavaScript or TypeScript packages.

JavaScript is a high-level, interpreted programming language widely used by developers, primarily for creating interactive and dynamic web content. Endor Labs supports the scanning and monitoring of JavaScript projects.

Using Endor Labs, developers can:

  • Test their software for potential issues and violations of organizational policy
  • Prioritize vulnerabilities in the context of their applications
  • Understand the relationships between software components in their applications

Scan JavaScript projects

To successfully scan your JavaScript or TypeScript applications:

Install software prerequisites

  • Endor Labs requires the following prerequisite software to be installed to successfully perform a scan:

    • Yarn: Any version
    • NPM: 6.14.18 or higher versions
    • PNPM: 3.0.0 or higher versions
  • Make sure that you have the following minimum system specification requirements:

    • Processor: 4-core
    • Memory: 16 GB

Build JavaScript projects

You can choose to build your JavaScript projects before running a scan. This ensures that a package-lock.json, yarn.lock, or pnpm-lock.yaml file is created, which enhances the scan speed.

Ensure your repo has a package.json file, then run the following command and make sure it builds the project successfully.

For NPM:

npm install

For Yarn:

yarn install

For PNPM:

pnpm install

If the project is not built, endorctl builds the project during the scan and generates a package-lock.json, yarn.lock, or pnpm-lock.yaml file. Make sure that NPM, Yarn, or PNPM is installed on your system. If your repository includes a lock file, endorctl uses the existing file for dependency resolution and does not create it again.

Run a scan

Perform a scan to get visibility into your software composition and resolve dependencies.

endorctl scan

To detect dependencies when using PNPM:

If you are using PNPM, set the environment variable ENDOR_PNPM_ENABLED to true and then run the scan.

export ENDOR_PNPM_ENABLED=true
endorctl scan

To detect phantom dependencies:

To detect dependencies used in source code but not declared in the package’s manifest files, set the flag --phantom-dependencies.

endorctl scan --phantom-dependencies

You can perform the scan from within the root directory of the Git project repository and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.

endorctl scan -o json | tee /path/to/results.json

You can sign in to the Endor Labs user interface, click Projects in the left sidebar, and find your project to review its results.

Understand the scan process

Dependency analysis tools analyze the lock file of an npm, yarn, or pnpm based package and attempt to resolve dependencies. To resolve dependencies from private repositories, the settings of the .npmrc file in the repository are considered.

Endor Labs goes beyond manifest file analysis by resolving JavaScript dependencies and identifying:

  • Dependencies listed in the manifest file but not used by the application
  • Dependencies used by the application but not listed in the manifest file
  • Dependencies listed in the manifest as transitive but used directly by the application
  • Dependencies categorized as test in the manifest, but used directly by the application

With this analysis, developers can eliminate false positives and false negatives, and easily identify test dependencies. The dependencies used in source code but not declared in the package’s manifest files are tagged as Phantom.
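The following sketch compares a manifest against the imports found in source. It is an added example, not Endor Labs code, and it does not reflect how endorctl resolves dependencies. It covers three of the cases listed above (unused, phantom, and test dependencies used by application code). The regex-based import matching, the test-path convention, the partial core-module list and the sample project are assumptions.

```javascript
// Added illustration: regex-based manifest-vs-source comparison; not how endorctl works.
// Partial list of Node.js core modules (assumption: enough for this sample).
const CORE = new Set(['fs', 'path', 'http', 'https', 'crypto', 'os', 'url', 'util', 'child_process']);
// "lodash/fp" -> "lodash", "@scope/pkg/sub" -> "@scope/pkg"; null for local files and core modules.
function packageName(spec) {
  if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) return null;
  const parts = spec.split('/');
  if (CORE.has(parts[0])) return null;
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}
// Package names referenced by require(), import, import() and export ... from.
function importedPackages(source) {
  const re = /(?:\brequire\s*\(|\bimport\s*\(?|\bfrom)\s*(['"])([^'"]+)\1/g;
  const names = new Set();
  for (const m of source.matchAll(re)) {
    const name = packageName(m[2]);
    if (name) names.add(name);
  }
  return names;
}
// Hypothetical convention: tests live under test(s)/, __tests__/ or in *.test.* / *.spec.* files.
const isTestFile = (p) => /(^|\/)(tests?|__tests__)\//.test(p) || /\.(test|spec)\.[cm]?[jt]sx?$/.test(p);

// files maps path -> source text. Only non-test files count as application code.
function classify(manifest, files) {
  const prod = Object.keys(manifest.dependencies || {});
  const dev = Object.keys(manifest.devDependencies || {});
  const used = new Set();
  for (const [path, src] of Object.entries(files)) {
    if (!isTestFile(path)) importedPackages(src).forEach((n) => used.add(n));
  }
  const declared = new Set([...prod, ...dev]);
  return {
    phantom: [...used].filter((n) => !declared.has(n)).sort(), // used, not declared
    unused: prod.filter((n) => !used.has(n)).sort(),           // declared, not used
    testUsedInApp: dev.filter((n) => used.has(n)).sort(),      // dev dependency in app code
  };
}

// Constructed sample project (package names and versions are illustrative).
const manifest = {
  dependencies: { express: '^4.18.2', lodash: '^4.17.21', 'left-pad': '^1.3.0' },
  devDependencies: { jest: '^29.7.0', '@faker-js/faker': '^8.4.1' },
};
const files = {
  'src/server.js': "const express = require('express');\nconst qs = require('qs');\nconst fs = require('fs');\nconst util = require('./util');",
  'src/seed.mjs': "import fp from 'lodash/fp';\nimport { faker } from '@faker-js/faker';",
  'test/server.test.js': "const request = require('supertest');",
};
console.log(classify(manifest, files));
```

In the sample, qs is imported by application code but never declared, so it installs only as long as another package happens to pull it in.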

Endor Labs also supports NPM, Yarn, and PNPM workspaces out-of-the-box. If your JavaScript frameworks and packages use workspaces, Endor Labs will automatically take the dependencies from the workspace to ensure that the package successfully builds.

Scan speed is enhanced if the lock file exists in the repository. endorctl does not perform a build and uses the existing files in the repository for analysis.

Known Limitations

  • Endor Labs doesn’t currently support local package references
  • If a dependency cannot be resolved in the lock file, building that specific package may be unsuccessful. The package may have been removed from npm, or the .npmrc file may not be properly configured. Other packages in the workspace are scanned as usual.
  • Call graph generation is not supported for JavaScript

Troubleshoot errors

  • Unresolved dependency errors: The manifest file package.json is not buildable. Try running npm install, yarn install, or pnpm install in the root project to debug this error.
  • Resolved dependency errors: A version of a dependency does not exist or it cannot be found. It may have been removed from the repository.