Summary
Symfony's AssetMapper component (introduced in Symfony 6.3, stable since 6.4) uses importmap.php to manage frontend JavaScript dependencies. This file contains npm packages with exact, pinned versions - making it functionally equivalent to a lockfile for the purposes of vulnerability scanning.
Example importmap.php:
```php
<?php

// Generated and maintained by `php bin/console importmap:require` /
// `importmap:update`; each 'version' is an exact npm version, not a range.
return [
    'app' => [
        // Local entrypoint: no npm package, no version to scan.
        'path' => './assets/app.js',
        'entrypoint' => true,
    ],
    '@hotwired/stimulus' => [
        'version' => '3.2.2',
    ],
    '@hotwired/turbo' => [
        'version' => '7.3.0',
    ],
];
```
Use case
A Symfony project using AssetMapper may still have a package.json for build tooling, but the JavaScript dependencies actually served to the browser live exclusively in importmap.php; package-lock.json does not list them, and in a project with no build step there may be no lockfile at all. Without importmap.php support these npm packages are invisible to osv-scanner, even though they are pinned to exact versions that OSV can match against.
importmap.php support would essentially act as a preprocessor feeding into the existing npm ecosystem scanning: extract (name, version) pairs from the PHP array and hand them to the npm matcher. No new vulnerability data source is needed.
Ecosystem mapping
Each package entry maps directly to an npm package + version, which OSV already covers.
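To make the "preprocessor" idea concrete, here is an added example (not osv-scanner code, and not from the issue author) that parses an importmap.php into npm (name, version) pairs and builds the request body for OSV's public `POST /v1/querybatch` endpoint. It assumes the file is a plain PHP array literal like the one above, so a regex over `'key' => [ ... ]` blocks is sufficient (a real extractor would want a proper PHP tokenizer); it skips local `'path'` entries, which have no version; and it assumes that a key with a subpath such as `bootstrap/dist/css/bootstrap.min.css` refers to the npm package `bootstrap` (scoped keys keep their `@scope/name` prefix). The sample importmap is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample importmap.php, modelled on the one in this issue plus a
// CSS entry whose key carries a subpath into the package.
const sampleImportmap = `<?php
return [
    'app' => [
        'path' => './assets/app.js',
        'entrypoint' => true,
    ],
    '@hotwired/stimulus' => [
        'version' => '3.2.2',
    ],
    '@hotwired/turbo' => [
        'version' => '7.3.0',
    ],
    'bootstrap/dist/css/bootstrap.min.css' => [
        'version' => '5.3.3',
        'type' => 'css',
    ],
];
`

// Entry is one npm dependency recovered from importmap.php.
type Entry struct {
	Name    string // npm package name with any subpath stripped
	Version string // exact pinned version from the 'version' key
}

// One top-level entry: 'key' => [ ...body... ]. Entry bodies are flat
// key/value pairs and never contain ']', so a non-greedy match is enough.
var entryRe = regexp.MustCompile(`(?s)'([^']+)'\s*=>\s*\[(.*?)\]`)
var versionRe = regexp.MustCompile(`'version'\s*=>\s*'([^']+)'`)

// npmPackageName maps an importmap key to the npm package it comes from
// (assumption: subpaths after the package name are import paths, not packages).
// "bootstrap/dist/css/x.css" -> "bootstrap", "@scope/pkg/sub" -> "@scope/pkg".
func npmPackageName(key string) string {
	parts := strings.Split(key, "/")
	if strings.HasPrefix(key, "@") && len(parts) >= 2 {
		return parts[0] + "/" + parts[1]
	}
	return parts[0]
}

// ParseImportmap returns the pinned npm packages declared in importmap.php.
// Entries with no 'version' (local 'path' entries) are not npm packages and
// are skipped rather than reported with an empty version.
func ParseImportmap(src string) []Entry {
	var out []Entry
	for _, m := range entryRe.FindAllStringSubmatch(src, -1) {
		key, body := m[1], m[2]
		v := versionRe.FindStringSubmatch(body)
		if v == nil {
			continue
		}
		out = append(out, Entry{Name: npmPackageName(key), Version: v[1]})
	}
	return out
}

// osvQuery is one element of the OSV querybatch request body
// (schema of the public api.osv.dev/v1/querybatch endpoint).
type osvQuery struct {
	Package struct {
		Name      string `json:"name"`
		Ecosystem string `json:"ecosystem"`
	} `json:"package"`
	Version string `json:"version"`
}

// ToOSVQueryBatch renders the entries as a querybatch request body; the
// ecosystem is always "npm", which is the whole point of the mapping.
func ToOSVQueryBatch(entries []Entry) ([]byte, error) {
	qs := make([]osvQuery, 0, len(entries))
	for _, e := range entries {
		var q osvQuery
		q.Package.Name = e.Name
		q.Package.Ecosystem = "npm"
		q.Version = e.Version
		qs = append(qs, q)
	}
	return json.MarshalIndent(map[string][]osvQuery{"queries": qs}, "", "  ")
}

func main() {
	entries := ParseImportmap(sampleImportmap)
	body, err := ToOSVQueryBatch(entries)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
}
```

Running it prints a three-query batch (stimulus, turbo, bootstrap) and nothing for the local `app` entry, which is exactly the behaviour an osv-scanner extractor for this file would need: every query is an npm package plus an exact version, so no new advisory source is involved.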