For NPM and Yarn we support both
yarn.lock. However, we recommend you to commit one of the lock files in order to get the most accurate tracking. If you only commit your
package.json file, we will resolve all dependencies to their latest available versions as defined by your version constraints.
In the case of Bower, we support the
bower.json file. We will resolve all dependencies to their latest available versions as defined by your version constraints.
By keeping at lease one of the supported files committed to your repository, we will automatically scan it/them for dependencies when you have done any of our integrations to your CI/CD pipeline.