I am trying to use the NPM module owasp-dependency-check in order to highlight possible vulnerabilities in the code of my web project. I have installed version 0.0.18, the latest.
I want to analyse the custom code I wrote (directory src) and the libraries my project depends on (directory node_modules).
The task in package.json (section scripts) reads:
"test:dependency": "owasp-dependency-check --project \"MY_PROJECT\" --scan \"src\" --scan \"node_modules\" --exclude \"dependency-check-bin\" --out \"owasp\" --format HTML"
After the launch, it seems that the instructions have been specified correctly:
owasp-dependency-check: Running the dependency check ...
/home/workspace/MY_PROJECT/dependency-check-bin/dependency-check/bin/dependency-check.sh --out=owasp --project MY_PROJECT --scan src --scan node_modules --exclude dependency-check-bin --format HTML --data=/tmp/dependency-check-data
After about 10 minutes of execution, I find a file owasp/dependency-check-report.html with a size of 61 MB (!?!). I view it in the browser and it contains the analysis of the sole directory dependency-check-bin, which is the directory where the owasp-dependency-check NPM module installs some executables and which I explicitly try to skip in the analysis.
(Ironically, there are 6 medium-to-critical vulnerabilities in the libraries that the dependency checker itself uses...)
My question is: what is wrong with my task definition in package.json? How should I invoke owasp-dependency-check in order to scan node_modules and src?
The answer was given to me by one of the maintainers of the NPM module.
In the case of JavaScript the scan does not involve directories, but the single package-lock.json file.
The correct task definition is therefore:
"test:dependency": "owasp-dependency-check --project \"MY_PROJECT\" --scan \"package-lock.json\" --exclude \"dependency-check-bin\" --out \"owasp\" --format HTML"
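The answer above says the JavaScript scan works from package-lock.json rather than from the src and node_modules directories. The following script is an added example, not code from the question or from the owasp-dependency-check module: it enumerates the name/version pairs that a lock-file-based scan has available to match against vulnerability data, which is useful for checking what the report can and cannot cover (for instance, custom code in src has no entry in the lock file and is therefore not analysed by such a scan). The two lock-file layouts it handles (lockfileVersion 1 with nested "dependencies", and lockfileVersion 2/3 with a flat "packages" map) are the real npm formats; the sample lock files, the package names and the function names are constructed for this example.

```javascript
// Added example (not part of the question or of owasp-dependency-check):
// list the name/version pairs recorded in a package-lock.json, i.e. the
// inventory a lock-file-based dependency scan works from.
// Supports lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").

// Constructed sample lock files; the package names are placeholders.
const SAMPLE_LOCK_V2 = {
  name: "MY_PROJECT",
  lockfileVersion: 2,
  packages: {
    "": { name: "MY_PROJECT", version: "1.0.0" }, // the project itself
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/left-pad/node_modules/@scope/helper": { version: "0.1.0" },
    "node_modules/mocha": { version: "10.0.0", dev: true },
  },
};

const SAMPLE_LOCK_V1 = {
  name: "MY_PROJECT",
  lockfileVersion: 1,
  dependencies: {
    "left-pad": {
      version: "1.3.0",
      dependencies: { "@scope/helper": { version: "0.1.0" } },
    },
    mocha: { version: "10.0.0", dev: true },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
// (the package name is everything after the last "node_modules/").
function nameFromPackagePath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

function compareDeps(a, b) {
  if (a.name !== b.name) return a.name < b.name ? -1 : 1;
  if (a.version !== b.version) return a.version < b.version ? -1 : 1;
  return 0;
}

// Returns sorted, de-duplicated {name, version, dev} entries from either layout.
// Dev-only dependencies are skipped unless includeDev is set, mirroring the
// usual choice of scanning what ships to production.
function collectDependencies(lock, { includeDev = false } = {}) {
  const seen = new Map();
  const add = (name, info) => {
    if (!info || typeof info.version !== "string") return;
    if (info.dev && !includeDev) return;
    seen.set(`${name}@${info.version}`, { name, version: info.version, dev: Boolean(info.dev) });
  };

  if (lock.packages && typeof lock.packages === "object") {
    // lockfileVersion 2/3: one flat entry per installed path.
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      add(nameFromPackagePath(path), info);
    }
  } else if (lock.dependencies && typeof lock.dependencies === "object") {
    // lockfileVersion 1: dependencies nest inside each other.
    const walk = (deps) => {
      for (const [name, info] of Object.entries(deps)) {
        add(name, info);
        if (info && info.dependencies) walk(info.dependencies);
      }
    };
    walk(lock.dependencies);
  }

  return [...seen.values()].sort(compareDeps);
}

// Stand-alone use: `node lockfile-inventory.js [path/to/package-lock.json]`;
// with no argument the constructed sample is used.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK_V2;
  for (const d of collectDependencies(lock, { includeDev: true })) {
    console.log(`${d.name}@${d.version}${d.dev ? " (dev)" : ""}`);
  }
}
```

Running it against the project's real package-lock.json shows exactly which packages a scan of that file can report on; anything absent from that list (the project's own code under src, or tooling installed outside the lock file such as the dependency-check-bin directory) needs a different check.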