Why are yarn.lock files excluded from code search? #174722
As the title suggests, yarn.lock files are excluded from code search results:

Other lockfiles (e.g. npm package-lock.json) are not excluded:

Presumably because this is recognised as a json file, not a lock file. Why is this? Being able to scan for lockfiles of all types improves security posture as we can see all dependencies and transitive dependencies (and versions) in one place across all our repositories.
Replies: 1 comment
Hi there! 👋 Great question—I've wondered this myself! You're absolutely right: yarn.lock files don’t show up in GitHub code search (even with path:yarn.lock), while package-lock.json does. Here’s why it happens and what you can do instead:

Why yarn.lock gets hidden (but package-lock.json doesn’t)

GitHub automatically classifies files to keep search results clean and fast. Since yarn.lock has a custom format (not standard JSON/YAML), GitHub recognizes it as a lock file and excludes it from search—alongside other auto-generated files like dist/ or node_modules/.

Meanwhile, package-lock.json flies under the radar because it has a .json extension, so GitHub treats it like regular code (not a "lock file"). Sneaky, right?

🛡️ For security scanning: Better ways to find ALL dependencies

GitHub Advanced Security (GHAS)

    curl -H "Authorization: token YOUR_TOKEN" \
      https://api.github.com/repos/OWNER/REPO/contents/yarn.lock

Security-focused tools

Hope this helps! I know it’s frustrating when search acts differently for similar files—but GitHub’s security tools actually make this easier than code search ever could. If you’d like help setting up Dependabot or GHAS, just reply—I’d be happy to walk you through it!

(P.S. If this solves your puzzle, feel free to mark it as the accepted answer!😊😊)
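The question's underlying goal is an inventory of every resolved dependency (and its version) across lockfiles of different formats, and the reply suggests fetching the files themselves via the contents API rather than relying on code search. The following is an added example, not code from the discussion or from GitHub: it parses the classic yarn.lock v1 format and package-lock.json (lockfileVersion 1, 2 and 3) into one inventory, then reports version drift between lockfiles and entries that carry no integrity hash. The two lockfiles are constructed samples with placeholder package names, registry URLs and hashes; it does not talk to the GitHub API.

```python
"""Unified dependency inventory from yarn.lock (v1) and package-lock.json.

Added example for this discussion; the lockfile contents below are constructed
samples with placeholder names and integrity values, not real packages.
"""
import json
from collections import defaultdict, namedtuple

Dep = namedtuple("Dep", "name version resolved integrity source")

# Constructed yarn.lock v1 excerpt. Note the last entry has no integrity line.
YARN_LOCK_V1 = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@acme/logger@^1.0.0", "@acme/logger@^1.4.0":
  version "1.4.2"
  resolved "https://registry.example.test/@acme/logger/-/logger-1.4.2.tgz"
  integrity sha512-PLACEHOLDERlogger==
  dependencies:
    tiny-parse "^2.0.0"

tiny-parse@^2.0.0:
  version "2.0.1"
  resolved "https://registry.example.test/tiny-parse/-/tiny-parse-2.0.1.tgz"
  integrity sha512-PLACEHOLDERtinyparse==

left-align@1.3.0:
  version "1.3.0"
  resolved "https://registry.example.test/left-align/-/left-align-1.3.0.tgz"
"""

# Constructed package-lock.json (lockfileVersion 3) for a sibling repository.
PACKAGE_LOCK_V3 = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "0.1.0"},
        "node_modules/@acme/logger": {
            "version": "1.4.2",
            "resolved": "https://registry.example.test/@acme/logger/-/logger-1.4.2.tgz",
            "integrity": "sha512-PLACEHOLDERlogger=="},
        "node_modules/tiny-parse": {
            "version": "2.0.0",
            "resolved": "https://registry.example.test/tiny-parse/-/tiny-parse-2.0.0.tgz",
            "integrity": "sha512-PLACEHOLDERtinyparse200=="},
    },
})


def _yarn_blocks(text):
    """Yield yarn.lock v1 entries as lists of lines (comments and blanks dropped)."""
    block = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if block:
                yield block
                block = []
            continue
        block.append(line)
    if block:
        yield block


def parse_yarn_lock_v1(text):
    """Parse classic yarn.lock: header line lists the requested specs, 2-space
    indented lines hold version/resolved/integrity; deeper lines are skipped."""
    deps = []
    for block in _yarn_blocks(text):
        specs = [s.strip().strip('"') for s in block[0].rstrip(":").split(", ")]
        # Package name is everything before the last "@" (handles @scope/name).
        names = {s.rsplit("@", 1)[0] for s in specs}
        fields = {}
        for line in block[1:]:
            if len(line) - len(line.lstrip()) != 2:
                continue  # nested "dependencies:" children, not top-level fields
            key, _, value = line.strip().partition(" ")
            fields[key] = value.strip('"')
        for name in sorted(names):
            deps.append(Dep(name, fields.get("version", ""), fields.get("resolved", ""),
                            fields.get("integrity", ""), "yarn.lock"))
    return deps


def _walk_lock_v1(dep_map, out):
    """lockfileVersion 1 nests transitive deps under each entry's "dependencies"."""
    for name, meta in dep_map.items():
        out.append(Dep(name, meta.get("version", ""), meta.get("resolved", ""),
                       meta.get("integrity", ""), "package-lock.json"))
        _walk_lock_v1(meta.get("dependencies", {}), out)


def parse_package_lock(text):
    """Parse package-lock.json v1 (nested) or v2/v3 (flat "packages" map)."""
    data = json.loads(text)
    deps = []
    for path, meta in data.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        deps.append(Dep(name, meta.get("version", ""), meta.get("resolved", ""),
                        meta.get("integrity", ""), "package-lock.json"))
    if not deps:
        _walk_lock_v1(data.get("dependencies", {}), deps)
    return deps


def build_inventory(lockfiles):
    """lockfiles: [(filename, text)]. Returns {(name, version): {source filenames}}."""
    inv = defaultdict(set)
    for filename, text in lockfiles:
        parser = parse_yarn_lock_v1 if filename.endswith("yarn.lock") else parse_package_lock
        for d in parser(text):
            inv[(d.name, d.version)].add(filename)
    return dict(inv)


def version_drift(inv):
    """Names resolved to more than one version across the scanned lockfiles."""
    versions = defaultdict(set)
    for name, version in inv:
        versions[name].add(version)
    return {n: v for n, v in versions.items() if len(v) > 1}


def missing_integrity(deps):
    """Entries the package manager cannot verify against a content hash."""
    return [d for d in deps if not d.integrity]


if __name__ == "__main__":
    inv = build_inventory([("yarn.lock", YARN_LOCK_V1), ("package-lock.json", PACKAGE_LOCK_V3)])
    for (name, version), sources in sorted(inv.items()):
        print(f"{name}@{version}  <- {', '.join(sorted(sources))}")
    print("version drift:", version_drift(inv))
    print("no integrity:", [d.name for d in missing_integrity(parse_yarn_lock_v1(YARN_LOCK_V1))])
```

In practice the `(filename, text)` pairs would come from the contents API call the reply shows (one request per repository and lockfile path), so the parsers are kept independent of how the files are obtained. Keying the inventory on `(name, version)` rather than name alone is what makes drift visible: the same package pinned at two versions in two repositories shows up as two rows with different sources.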