trivy filesystem command does not process correctly for some package-lock.json

[larsriehn]

Description

We wondered why an SBOM created by trivy had no components.
I realised that all scanners are not working (vuln, license, etc).
The reason could be traced to "vue-i18n":

  "devDependencies": {
    ...
    "vue-i18n": "9.0.0",
    ...
  }

If this line is removed from package.json the scanners are working as expected.

Desired Behavior

trivy should process the request and produce an output.

Actual Behavior

No target was found even if a package-lock.json is existing.

trivy filesystem .  --scanners vuln
2026-01-06T16:46:04+01:00	INFO	[vuln] Vulnerability scanning is enabled
2026-01-06T16:46:05+01:00	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2026-01-06T16:46:05+01:00	INFO	Number of language-specific files	num=1
2026-01-06T16:46:05+01:00	WARN	[report] Supported files for scanner(s) not found.	scanners=[vuln]

Report Summary

┌────────┬──────┬─────────────────┐
│ Target │ Type │ Vulnerabilities │
├────────┼──────┼─────────────────┤
│   -    │  -   │        -        │
└────────┴──────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Reproduction Steps

Try scanning both options I provided.
One shows that a target was found, the other not.

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

trivy filesystem .  --scanners vuln --debug
2026-01-06T16:48:43+01:00	DEBUG	No plugins loaded
2026-01-06T16:48:43+01:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2026-01-06T16:48:43+01:00	DEBUG	Cache dir	dir="/Users/l00810/Library/Caches/trivy"
2026-01-06T16:48:43+01:00	DEBUG	Cache dir	dir="/Users/l00810/Library/Caches/trivy"
2026-01-06T16:48:43+01:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2026-01-06T16:48:43+01:00	DEBUG	Ignore statuses	statuses=[]
2026-01-06T16:48:43+01:00	DEBUG	DB update was skipped because the local DB is the latest
2026-01-06T16:48:43+01:00	DEBUG	DB info	schema=2 updated_at=2026-01-06T12:30:42.9877305Z next_update=2026-01-07T12:30:42.987730229Z downloaded_at=2026-01-06T15:34:35.3693Z
2026-01-06T16:48:43+01:00	DEBUG	[pkg] Package types	types=[os library]
2026-01-06T16:48:43+01:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2026-01-06T16:48:43+01:00	INFO	[vuln] Vulnerability scanning is enabled
2026-01-06T16:48:43+01:00	DEBUG	Initializing scan cache...	type="memory"
2026-01-06T16:48:43+01:00	DEBUG	[notification] Running version check
2026-01-06T16:48:43+01:00	DEBUG	[fs] Analyzing...	root="."
2026-01-06T16:48:43+01:00	DEBUG	Created process-specific temp directory	path="/var/folders/0y/cq4t6szs4396g73y7kjz2mb80000gn/T/trivy-16724"
2026-01-06T16:48:43+01:00	DEBUG	[notification] Version check completed	latest_version="0.68.2"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="canvas" version="^2.5.0"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="canvas" version="^2.5.0"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="babel-plugin-macros" version="^3.1.0"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="node-notifier" version="^8.0.1 || ^9.0.0 || ^10.0.0"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="node-notifier" version="^8.0.1 || ^9.0.0 || ^10.0.0"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="node-notifier" version="^8.0.1 || ^9.0.0 || ^10.0.0"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="ts-node" version=">=9.0.0"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="node-notifier" version="^8.0.1 || ^9.0.0 || ^10.0.0"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="bufferutil" version="^4.0.1"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="utf-8-validate" version=">=5.0.2"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="sass-embedded" version="*"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="fibers" version=">= 3.1.0"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="node-sass" version="^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 || ^9.0.0"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="stylus" version="*"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="sugarss" version="*"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="yaml" version="^2.4.2"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="jiti" version=">=1.21.0"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="lightningcss" version="^1.21.0"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="tsx" version="^4.8.1"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="less" version="*"
2026-01-06T16:48:44+01:00	DEBUG	[npm] Unable to resolve the version	name="sass-embedded" version="*"
2026-01-06T16:48:44+01:00	DEBUG	OS is not detected.
2026-01-06T16:48:44+01:00	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2026-01-06T16:48:44+01:00	DEBUG	Detected OS: unknown
2026-01-06T16:48:44+01:00	INFO	Number of language-specific files	num=1
2026-01-06T16:48:44+01:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2026-01-06T16:48:44+01:00	DEBUG	[vex] VEX filtering is disabled
2026-01-06T16:48:44+01:00	WARN	[report] Supported files for scanner(s) not found.	scanners=[vuln]

Report Summary

┌────────┬──────┬─────────────────┐
│ Target │ Type │ Vulnerabilities │
├────────┼──────┼─────────────────┤
│   -    │  -   │        -        │
└────────┴──────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2026-01-06T16:48:44+01:00	DEBUG	Cleaning up temp directory	path="/var/folders/0y/cq4t6szs4396g73y7kjz2mb80000gn/T/trivy-16724"

Operating System

macOS Sequoia 15.6.1 (24G90)

Version

Version: 0.68.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2026-01-06 12:30:42.9877305 +0000 UTC
  NextUpdate: 2026-01-07 12:30:42.987730229 +0000 UTC
  DownloadedAt: 2026-01-06 15:34:35.3693 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-11-28 00:57:18.20626172 +0000 UTC
  NextUpdate: 2025-12-01 00:57:18.206261439 +0000 UTC
  DownloadedAt: 2025-11-28 10:15:06.742798 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[larsriehn]

Good and bad package-lock.json to reproduce the issue.
trivy-issue.zip