How am I supposed to address `npm audit` vulnerabilities that don't apply to me?

(Isiah Meadows) #1

The general exception list feature request was originally filed here, and the devDependencies exclusion feature request was originally filed here. I haven’t commented in either, but I decided to resurrect them both here.

When I run npm audit, I find that none of the vulnerabilities actually apply to me. They all deal with Karma, and they already know about the issue. My module itself only has 8 runtime dependencies (including indirect), none of which are vulnerable.

How am I supposed to address the npm audit result, since Karma knows about the issue, but it still doesn’t really affect me?

(I’m more likely to download a malicious package than I am to actually get bit by any of these due to Karma.)

Also, while we’re on that subject, shouldn’t there be a way to list an explicit exception to the audit, in case it doesn’t affect me or if I mitigated it without having to upgrade? And on top of that, do devDependencies really need included at the same level as normal dependencies, since they generally only run with highly controlled inputs and outputs?

Please support --production or --only=production in npm audit
npm audit (without --fix) ignores --only=prod
(Isiah Meadows) #2

Bump? (I feel this kind of got missed, and I don’t it to be autoclosed yet.)

(Kat Marchán) #6

We’re mostly just waiting for an RFC based on this PR do we can have a discussion about it. Once the RFC is filed, this will move forward.

(system) #7

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.