Dependency graph with npm-shrinkwrap?

[johnnaegle]

I have a javascript project that is using npm-shrinkwrap.json instead of package-lock.json.

The dependency graph does not seem to analyze npm-shrinkwrap, only package-lock. The eco-system support only lists package.json and package-lock.json as supported dependency sources.

The dependency graph is pretty important to supply-chain security:

The dependency graph is central to supply chain security. The dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package. You can see your repository’s dependencies and some of their properties, like vulnerability information, on the dependency graph for the repository.

Is there anyway to have dependencies from npm-shrinkwrap.json included in the dependency graph so we can receive dependabot alerts for vulnerable packages?