audit and --package-lock-only


(Joshua) #1

npm audit will recommend running npm i --package-lock-only if you have no package-lock.json. However, if you have package-lock: false in .npmrc, that command does nothing. What the person wants is npm i --package-lock --package-lock-only. It would probably be a good idea to either detect that fact and recommend a different command or to change --package-lock-only to override package-lock: no.

From: https://github.com/npm/npm/issues/20584
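As an added example (not from the thread and not npm's own code), a small POSIX sh helper that performs the detection Joshua suggests: it checks whether a project already has a package-lock.json, and if not, whether the project-level .npmrc disables lockfiles, then prints the command that will actually produce one. It assumes only the project-level .npmrc matters (user/global npmrc files and NPM_CONFIG_* variables are ignored) and that the setting is written as package-lock=false.

```shell
#!/bin/sh
# Added example: work out what to run before `npm audit` so that a lockfile
# exists, given that `package-lock=false` in .npmrc turns
# `npm i --package-lock-only` into a no-op.
# Assumption: only the project-level .npmrc is consulted.

# Print "true" if the given .npmrc disables lockfile generation, else "false".
lock_disabled_in_npmrc() {
  npmrc="$1"
  [ -f "$npmrc" ] || { echo false; return; }
  # Match `package-lock=false` with optional whitespace; comment lines
  # (starting with ; or #) do not match because the key must start the line.
  if grep -Eiq '^[[:space:]]*package-lock[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$npmrc"; then
    echo true
  else
    echo false
  fi
}

# Print the command to run in project directory $1 so that `npm audit` has a
# package-lock.json to evaluate.
audit_lock_advice() {
  dir="$1"
  if [ -f "$dir/package-lock.json" ]; then
    echo "npm audit"
  elif [ "$(lock_disabled_in_npmrc "$dir/.npmrc")" = true ]; then
    # --package-lock-only alone does nothing here; --package-lock re-enables
    # writing the lockfile for this one invocation.
    echo "npm i --package-lock --package-lock-only"
  else
    echo "npm i --package-lock-only"
  fi
}
```

Run it as `audit_lock_advice /path/to/project` from a shell that has sourced the file; the printed line is the command to execute next.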


(Adam Baldwin) #2

Thanks for bringing this up. I’m thinking that in these cases we simply do the action for the user and throw away the result if it’s not desired to keep the package-lock.json around. It would take a bit longer for an npm audit run but there is no reason here for the end user to have to do this work when we know exactly what should be done to run a proper audit. Based on what I know cli team has this on their todo list.