I just started to try grype and have a question; doesn't it support pnpm monorepos? Downloading pnpm's SBOM from GitHub and running `cat pnpm_pnpm_66e1aa.json | grype` produced the following excerpt.
```
NAME        INSTALLED  FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS          RISK
tar         catalog:   3.2.2     npm   GHSA-3jfq-g458-7qm9  High      85.5% (99th)  67.1
js-yaml     catalog:   2.0.5     npm   GHSA-xxvw-45rp-3mj2  Critical  64.5% (98th)  58.1
json5       catalog:   1.0.2     npm   GHSA-9c47-m6qq-7p4h  High      40.5% (97th)  29.6
handlebars  ^4.7.7     3.0.8     npm   GHSA-w457-6q6x-cgp9  Critical  24.8% (95th)  23.3
handlebars  ^4.7.7     4.7.7     npm   GHSA-765h-qjxv-5f44  Critical  5.9% (90th)   5.5
handlebars  ^4.7.7     4.7.7     npm   GHSA-f2jv-r9rf-7988  Critical  4.0% (88th)   3.8
```
I wonder why handlebars is listed even though a newer version than the fixed one is installed. `^4.7.7` seems to have been picked from package.json, but the exact version is surely recorded in pnpm-lock.json.
Hi @takuyahara, we do support scanning PNPM, but I don't think the issue here is related to that. It seems the SBOM you downloaded has versions set to things including `catalog:` and `^4.7.7`, which Grype is not able to compare very well. I'm not sure how `catalog:` would ever really be compared aside from lexicographically, but even a version starting with a caret (`^`) should probably have had this character removed. We could possibly ignore this from the input, but aren't doing so today. We could also warn that results may be poor due to unexpected SBOM input, but it seems like the crux of the issue is that the SBOM isn't very good.
If you download the source files from that repo and scan with Grype, you will see a lot more expected matches.
Just to confirm, did you download the SBOM clicking the Export SBOM button?
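As an added example (not Grype's or Syft's code), a small pre-flight check that catches the `catalog:` and `^4.7.7` style entries described in the reply above before an SBOM reaches a scanner; it goes a little beyond the thread by also reading SPDX documents and flagging other pnpm/npm reference specifiers such as `workspace:`, `link:` and `file:`. The sample SBOM is constructed for the example.

```python
# Added example (not Grype/Syft code): flag SBOM components whose version is a
# range or a pnpm catalog:/workspace: reference rather than a concrete version,
# since a scanner can only compare concrete versions against fixed-in versions.
# Reads CycloneDX (components[].version) and SPDX (packages[].versionInfo) JSON.
import json
import re

# A concrete npm version: major.minor.patch with optional pre-release/build tag.
CONCRETE_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
# Specifiers that name something to resolve, not a version (pnpm/npm protocols).
REFERENCE_PREFIXES = ("catalog:", "workspace:", "link:", "file:", "npm:", "git", "http")


def classify_version(version):
    """Return 'concrete', 'range', 'reference' or 'missing' for a version string."""
    v = (version or "").strip()
    if not v:
        return "missing"
    if v.startswith(REFERENCE_PREFIXES):
        return "reference"
    return "concrete" if CONCRETE_RE.match(v.lstrip("v")) else "range"


def iter_components(sbom):
    """Yield (name, version) for a CycloneDX or SPDX JSON document given as a dict."""
    for c in sbom.get("components", []):  # CycloneDX
        yield c.get("name", ""), c.get("version", "")
    for p in sbom.get("packages", []):  # SPDX
        yield p.get("name", ""), p.get("versionInfo", "")


def find_unscannable(sbom):
    """Return [(name, version, kind)] for every component lacking a concrete version."""
    return [(n, v, classify_version(v)) for n, v in iter_components(sbom)
            if classify_version(v) != "concrete"]


# Constructed sample in the shape of the exported SBOM discussed in the thread.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "tar", "version": "catalog:"},
    {"type": "library", "name": "handlebars", "version": "^4.7.7"},
    {"type": "library", "name": "js-yaml", "version": "4.1.0"},
    {"type": "library", "name": "json5", "version": ""}
  ]
}""")

if __name__ == "__main__":
    for name, version, kind in find_unscannable(SAMPLE_SBOM):
        print(f"{name}: {version!r} is a {kind}; regenerate the SBOM from the lockfile")
```

Run it against a real export before scanning; any non-empty result means the scanner's version comparison cannot be trusted for those components.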
By the way @takuyahara we discussed this during our weekly livestream this week: October 9th | Open Source Gardening | Live Stream if you’d like to hear some more details.
@kzantow Thank you for the helpful detail. Yes, I downloaded the SBOM by clicking the Export SBOM button, and I understand it's an SBOM quality issue. Generating an SBOM from the source files with Syft and scanning it with Grype gave me the expected result.
@willmurphy Will check it, thanks!