audit and --package-lock-only
npm audit will recommend running npm i --package-lock-only if you have no package-lock.json. However, if you have package-lock: false in .npmrc, that command does nothing. What the person wants is npm i --package-lock --package-lock-only. It would probably be a good idea to either detect that fact and recommend a different command or to change --package-lock-only to override
Thanks for bringing this up. I’m thinking that in these cases we simply do the action for the user and throw away the result if it’s not desired to keep the package-lock.json around. It would take a bit longer for an npm audit run, but there is no reason here for the end user to have to do this work when we know exactly what should be done to run a proper audit. Based on what I know, the cli team has this on their todo list.
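As an added illustration of both posts above (example code written for this page, not part of the npm CLI or the thread), the helper below inspects a project's .npmrc for package-lock=false, picks the install flags that actually produce a lockfile, and, following the reply's idea, builds the lockfile in a scratch copy so the project tree stays lock-free. All function names and the scratch-directory approach are this example's own; it only reads the .npmrc it is given, not the user- or global-level config that npm would also consult.

```shell
#!/bin/sh
# Added example, not from the thread: work out which `npm i` invocation
# yields a package-lock.json for `npm audit` when .npmrc may have
# `package-lock=false`, and run the audit without keeping the lockfile.

# Returns 0 if the given .npmrc disables the lockfile (package-lock=false).
# Only this one file is checked; user- and global-level .npmrc are ignored.
lockfile_disabled() {
  npmrc="$1"
  [ -f "$npmrc" ] || return 1
  # Drop comment lines (# or ;), then look for package-lock=false,
  # allowing optional whitespace around the '='.
  grep -Ev '^[[:space:]]*[#;]' "$npmrc" |
    grep -Eq '^[[:space:]]*package-lock[[:space:]]*=[[:space:]]*false[[:space:]]*$'
}

# Prints the install command that will actually write package-lock.json.
# With package-lock=false, plain --package-lock-only is a no-op, so the
# explicit --package-lock override is added (the fix the reporter asked for).
recommend_lock_command() {
  if lockfile_disabled "$1"; then
    echo "npm i --package-lock --package-lock-only"
  else
    echo "npm i --package-lock-only"
  fi
}

# Mirrors the reply's suggestion: generate the lockfile in a throwaway copy
# of the project, audit there, and discard it so the project stays lock-free.
# Requires npm and network access; not exercised by the offline checks.
audit_without_keeping_lock() {
  project="$1"
  scratch=$(mktemp -d)
  cp "$project/package.json" "$scratch/"
  [ -f "$project/.npmrc" ] && cp "$project/.npmrc" "$scratch/"
  # Word splitting on the recommended command string is intentional here.
  ( cd "$scratch" && $(recommend_lock_command .npmrc) >/dev/null && npm audit )
  status=$?
  rm -rf "$scratch"
  return $status
}
```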