Yes, we scan for vulnerabilities in JavaScript/TypeScript dependencies listed in package.json, and – if available – package-lock.json and yarn.lock. There is currently one caveat, which is that the current version of Ketryx only parses yarn v1 lock files, not yet yarn 2+.