We could add functionality to also scan `package-lock.json` (and similar lock files from other runtimes, like pnpm). When doing this, we could warn that you have a dependency which _deeply_ depends on a target module.

Some basic requirements:

- Off or warn-level by default (since there's no action we can do to resolve it)
- Support pnpm
- Support node
- Support yarn
- Behaves the same way as normal `package.json` scanning but with a more lenient warning since it may not be actionable
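As an added illustration of what such a lock-file scan would report (example code, not the project's own), the sketch below walks an npm `package-lock.json` (lockfileVersion 3 `packages` map) from the root, resolves each dependency the way npm's nested `node_modules` layout does, and reports every chain that ends in a target module, flagging direct hits separately from deep ones. The lockfile content, the package names and the severity labels are constructed for the example.

```javascript
// Constructed sample lockfile (lockfileVersion 3): keys are install paths.
// The nested copy of tiny-target shadows the top-level one for leftpad-ish.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-app-utils": "^1.0.0", "tiny-target": "^0.1.0" } },
    "node_modules/web-app-utils": { version: "1.2.0", dependencies: { "leftpad-ish": "^2.0.0" } },
    "node_modules/leftpad-ish": { version: "2.1.0", dependencies: { "tiny-target": "^0.2.0" } },
    "node_modules/tiny-target": { version: "0.1.3" },
    "node_modules/leftpad-ish/node_modules/tiny-target": { version: "0.2.0" },
  },
};

// Resolve `name` as required from `fromPath`: nearest enclosing node_modules wins.
function resolve(fromPath, name, packages) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk over `dependencies` only (peer/optional deps are ignored here).
// Direct hits are reported as "error" (assumed to match the package.json scan);
// deep hits are "warn" because the user usually cannot fix them directly.
function findTargetChains(lock, target) {
  const pkgs = lock.packages;
  const findings = [];
  const walk = (path, chain, onStack) => {
    for (const name of Object.keys(pkgs[path]?.dependencies ?? {})) {
      const resolved = resolve(path, name, pkgs);
      if (!resolved || onStack.has(resolved)) continue; // unresolved entry or cycle
      const next = [...chain, `${name}@${pkgs[resolved].version}`];
      if (name === target) {
        const direct = next.length === 1;
        findings.push({ direct, level: direct ? "error" : "warn", chain: next });
        continue;
      }
      onStack.add(resolved);
      walk(resolved, next, onStack);
      onStack.delete(resolved);
    }
  };
  walk("", [], new Set());
  return findings;
}
```

On a real project `lock` would come from `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; for large graphs the walk should memoize per resolved path rather than re-visiting shared subtrees.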