The general exception list feature request was originally filed here, and the devDependencies exclusion feature request was originally filed here. I haven't commented in either, but I decided to resurrect them both here.
When I run npm audit, I find that none of the vulnerabilities actually apply to me. They all deal with Karma, and they already know about the issue. My module itself only has 8 runtime dependencies (including indirect), none of which are vulnerable.
How am I supposed to address the npm audit result, since Karma knows about the issue, but it still doesn't really affect me?
(I’m more likely to download a malicious package than I am to actually get bit by any of these due to Karma.)
Also, while we're on that subject, shouldn't there be a way to list an explicit exception to the audit, in case it doesn't affect me or if I mitigated it without having to upgrade? And on top of that, do devDependencies really need to be included at the same level as normal dependencies, since they generally only run with highly controlled inputs and outputs?
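The two asks above (an explicit exception list, and not failing on advisories reachable only through devDependencies) can be approximated today by post-processing the JSON report. The script below is an added example, not code from the issue author or from npm. It assumes the npm 6 report shape (auditReportVersion 1), where `advisories` is keyed by advisory id and each entry carries `findings[].dev`, and it uses a hypothetical exceptions map keyed by advisory id with a written reason; the report embedded here is constructed sample data, not real audit output, and its ids and module names are placeholders.

```javascript
'use strict';

// Constructed sample of `npm audit --json` (npm 6 / auditReportVersion 1 shape).
// Ids, module names and titles are placeholders, not real advisories.
const sampleReport = {
  advisories: {
    '1001': {
      id: 1001,
      module_name: 'example-dev-lib',
      severity: 'moderate',
      title: 'Constructed advisory reachable only through a test runner',
      findings: [
        { version: '1.0.0', paths: ['test-runner>example-dev-lib'], dev: true, optional: false, bundled: false },
      ],
    },
    '1002': {
      id: 1002,
      module_name: 'example-runtime-lib',
      severity: 'high',
      title: 'Constructed advisory in a runtime dependency',
      findings: [
        { version: '2.3.0', paths: ['example-runtime-lib'], dev: false, optional: false, bundled: false },
      ],
    },
    '1003': {
      id: 1003,
      module_name: 'example-mitigated-lib',
      severity: 'low',
      title: 'Constructed advisory already mitigated in this project',
      findings: [
        // Reachable both at runtime and via dev tooling, so it is NOT dev-only.
        { version: '0.9.0', paths: ['example-mitigated-lib'], dev: false, optional: false, bundled: false },
        { version: '0.9.0', paths: ['test-runner>example-mitigated-lib'], dev: true, optional: false, bundled: false },
      ],
    },
  },
};

// Hypothetical exception list: advisory ids the project has reviewed and accepted.
// Each entry carries a reason so the decision stays auditable in version control.
const sampleExceptions = {
  '1003': 'library only ever receives a constant string; mitigated without upgrading',
};

// An advisory is dev-only when every dependency path that reaches it is a dev path.
// A single runtime path (dev: false) keeps it in scope.
function isDevOnly(advisory) {
  return advisory.findings.length > 0 && advisory.findings.every((f) => f.dev === true);
}

// Split the report into advisories that should fail the build and those ignored,
// recording why each one was ignored.
function triage(report, exceptions, { omitDev = true } = {}) {
  const actionable = [];
  const ignored = [];
  for (const advisory of Object.values(report.advisories || {})) {
    const id = String(advisory.id);
    if (Object.prototype.hasOwnProperty.call(exceptions, id)) {
      ignored.push({ id, reason: `exception: ${exceptions[id]}` });
    } else if (omitDev && isDevOnly(advisory)) {
      ignored.push({ id, reason: 'only reachable through devDependencies' });
    } else {
      actionable.push({ id, module: advisory.module_name, severity: advisory.severity, title: advisory.title });
    }
  }
  return { actionable, ignored };
}

// Non-zero only when something actionable remains, so CI can gate on it.
function exitCodeFor(result) {
  return result.actionable.length === 0 ? 0 : 1;
}

function printResult(result) {
  for (const a of result.actionable) {
    console.log(`FAIL  ${a.id}  ${a.severity}  ${a.module}: ${a.title}`);
  }
  for (const i of result.ignored) {
    console.log(`skip  ${i.id}  ${i.reason}`);
  }
}

// Usage: `npm audit --json > audit.json && node audit-triage.js audit.json`
// (file name is hypothetical). With no argument it runs on the constructed sample.
if (typeof process !== 'undefined' && process.argv.length > 2) {
  const fs = require('fs');
  const report = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
  const result = triage(report, sampleExceptions);
  printResult(result);
  process.exitCode = exitCodeFor(result);
} else {
  printResult(triage(sampleReport, sampleExceptions));
}
```

On the constructed sample this fails only on the runtime advisory, skips the dev-only one, and skips the mitigated one because it is in the exception list. Note that the dev-only check requires every finding path to be dev; a package pulled in by both a dev tool and a runtime dependency is still in scope. npm has since added a flag to drop dev paths from the audit itself (`--production` on npm 6, `--omit=dev` on newer npm), but it still has no built-in per-advisory exception list, which is what the exceptions map stands in for.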