DataDog · jbcibois-ddhq · May 15, 2026 · May 4, 2026 · May 4, 2026 · May 4, 2026
@@ -40,7 +40,7 @@ This tool sources all dependencies by parsing package manager files. As new pack
 | C++        | Conan                                     |
 | Go         | Golang                                    |
 | Java       | Gradle, Maven, Bazel (rules_jvm_external) |
-| JavaScript | Bun, NPM, PNPM, Yarn                      |
+| JavaScript | Bun, NPM, PNPM, Yarn, package.json        |
 | PHP        | Composer                                  |
 | Python     | Pdm, Pipenv, Poetry, Requirements, uv     |
 | Ruby       | Bundler                                   |
@@ -97,6 +97,13 @@ NPM, Yarn and PNPM have workspace support
 - This tool only supports extracting packages from `bun.lock` (the text JSONC lockfile introduced in Bun 1.2). The legacy binary `bun.lockb` format is not supported.
 - This tool only supports package information enrichment from `package.json`.
 
+#### package.json (no lockfile)
+
+- This tool supports extracting packages directly from `package.json` when no sibling lockfile (`package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`) is present.
+- Parses `dependencies`, `devDependencies`, and `optionalDependencies` sections.
+- Version ranges are stripped to extract base versions (e.g., `^2.3.4` → `2.3.4`).
+- All packages are marked as direct dependencies.
+
 #### NPM
 
 - This tool only supports extracting packages from `package-lock.json`.

@@ -2608,6 +2608,63 @@ Scanned <rootdir>/fixtures/integration-npm/with-workspace/yarn.lock file and fou
 [reachability] Reachability analysis is disabled
 ---
 
+[TestRun/Scan_package.json_without_lock_file - 1]
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "version": 1,
+  "metadata": {
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "datadog",
+          "name": "datadog-sbom-generator",
+          "version": "set at build time, see .goreleaser.yml ldflags section"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:npm/lodash",
+      "type": "library",
+      "name": "lodash",
+      "purl": "pkg:npm/lodash",
+      "properties": [
+        {
+          "name": "datadog:is-direct",
+          "value": "true"
+        },
+        {
+          "name": "datadog:package-manager",
+          "value": "NPM"
+        },
+        {
+          "name": "datadog:version-range",
+          "value": "^4.17.21"
+        }
+      ],
+      "evidence": {
+        "occurrences": [
+          {
+            "location": "{/"block/":{/"file_name/":/"package.json/",/"line_start/":3,/"line_end/":3,/"column_start/":5,/"column_end/":25,/"role/":/"manifest/"},/"name/":{/"file_name/":/"package.json/",/"line_start/":3,/"line_end/":3,/"column_start/":6,/"column_end/":12,/"role/":/"manifest/"},/"version/":{/"file_name/":/"package.json/",/"line_start/":3,/"line_end/":3,/"column_start/":16,/"column_end/":24,/"role/":/"manifest/"}}"
+          }
+        ]
+      }
+    }
+  ]
+}
+
+---
+
+[TestRun/Scan_package.json_without_lock_file - 2]
+Scanning directory './fixtures/integration-package-json', resolved absolute path '<rootdir>/fixtures/integration-package-json'
+Scanned <rootdir>/fixtures/integration-package-json/package.json file and found 1 package
+[reachability] Reachability analysis is disabled
+---
+
 [TestRun/Scan_pyproject.toml_without_lock_file - 1]
 {
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",

@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "lodash": "^4.17.21"
+  }
+}
@@ -310,6 +310,11 @@ func TestRun(t *testing.T) {
 			args: []string{"", "--pretty", "--verbosity", "verbose", "--manifest-parsers", "./fixtures/integration-pyproject"},
 			exit: 0,
 		},
+		{
+			name: "Scan package.json without lock file",
+			args: []string{"", "--pretty", "--verbosity", "verbose", "--manifest-parsers", "./fixtures/integration-package-json"},
+			exit: 0,
+		},
 		{
 			name: "Scan maven_install.json (lockfile role)",
 			args: []string{"", "--format=cyclonedx-1-5", "--pretty", "./fixtures/integration-maven-install"},

@@ -287,6 +287,7 @@ func filesToParsers() map[string]string {
 		"mix.lock":                         "mix.lock",
 		"pdm.lock":                         "pdm.lock",
 		"Pipfile.lock":                     "Pipfile.lock",
+		"package.json":                     "package.json",
 		"package-lock.json":                "package-lock.json",
 		"packages.lock.json":               "packages.lock.json",
 		"pnpm-lock.yaml":                   "pnpm-lock.yaml",

@@ -0,0 +1,7 @@
+{
+  "name": "alias-collision",
+  "dependencies": {
+    "react": "17.0.2",
+    "react18": "npm:react@18.3.1"
+  }
+}
@@ -0,0 +1,6 @@
+{
+  "dependencies": {
+    "react17": "npm:react@^17",
+    "react18": "npm:react@^18"
+  }
+}
@@ -0,0 +1,12 @@
+{
+  "name": "all-dep-types",
+  "dependencies": {
+    "express": "^4.18.0"
+  },
+  "devDependencies": {
+    "jest": "~29.7.0"
+  },
+  "optionalDependencies": {
+    "fsevents": "2.3.3"
+  }
+}
@@ -0,0 +1,6 @@
+{
+  "name": "basic-project",
+  "dependencies": {
+    "lodash": "^4.17.21"
+  }
+}
@@ -0,0 +1,14 @@
+{
+  "name": "complex-versions",
+  "dependencies": {
+    "pinned": "1.0.0",
+    "eq-pinned": "=2.0.0",
+    "caret": "^2.3.4",
+    "tilde": "~1.5.3",
+    "range": ">=1.0.0 <2.0.0",
+    "aliased": "npm:real-pkg@3.0.0",
+    "local-file": "file:../local",
+    "url-dep": "http://example.com/pkg.tgz",
+    "tag-dep": "latest"
+  }
+}
@@ -0,0 +1,3 @@
+{
+  "name": "empty-project"
+}
@@ -0,0 +1 @@
+{this is not valid json
@@ -0,0 +1,6 @@
+{
+  "name": "has-lockfile",
+  "dependencies": {
+    "lodash": "^4.17.21"
+  }
+}
@@ -0,0 +1,6 @@
+{
+  "name": "has-pnpm-lock",
+  "dependencies": {
+    "lodash": "^4.17.21"
+  }
+}
@@ -0,0 +1,6 @@
+{
+  "name": "has-yarn-lock",
+  "dependencies": {
+    "lodash": "^4.17.21"
+  }
+}
@@ -0,0 +1,6 @@
+{
+  "name": "foo",
+  "dependencies": {
+    "lodash": "^4.17.21"
+  }
+}