npm Community Forum (Archive)

npm audit doesn't use the audit-level for the exit code

What I Wanted to Do

I wanted to use npm audit with audit-level set to high,
so:
npm set audit-level high
npm config set audit-level high
npm audit
found 3 vulnerabilities (2 low, 1 moderate) in 44944 scanned packages
3 vulnerabilities require manual review. See the full report for details.
exit code 0

What Happened Instead

found 3 vulnerabilities (2 low, 1 moderate) in 44944 scanned packages
3 vulnerabilities require manual review. See the full report for details.
ERROR: Job failed: exit code 1

Reproduction Steps

  1. Have a dependency with a Moderate-level vulnerability and none at high or critical.
  2. Set audit-level to high.
  3. The command exits with a non-zero code.

Details

Platform Info

$ npm --versions
{ 'ecommerce.web': '0.19.0',
  npm: '6.4.1',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.11.3',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.54',
  zlib: '1.2.11' }
$ node -p process.platform
win32


Do you have a set of dependencies to trigger this? I can’t seem to reproduce it myself at the moment.


It's enough to get the latest version of webpack-spritesmith.

It contains a Moderate vulnerability.


Weird, I’m still not seeing it… The source code seems to respect the audit-level setting, can you confirm npm is recognizing the config correctly by running

npm config get audit-level

in your project directory? Otherwise, I really have no idea…



As you can see, it exits with code 1 rather than 0.


Maybe it is using the default audit-level rather than just audit-level in code.


Can anyone help with this?
It doesn’t work even if you put the audit-level as an option to the audit command


Had the same issue; updated npm to version 6.5.0 and now it works properly.


This issue can be closed; the version was lower, therefore audit-level was not working.
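
An added example, not part of the thread and not npm's own code: a small Node.js gate that computes the CI exit code from `npm audit --json` output, for pipelines that cannot rely on the installed npm honoring audit-level. It assumes the report carries per-severity counts under `metadata.vulnerabilities`; the function names and the sample report are constructed for illustration.

```javascript
// Severity ladder, lowest to highest, matching the keys in the audit report.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Sum the findings at or above `level` using metadata.vulnerabilities.
// Throws on an unknown level or a report without usable counts.
function countAtOrAbove(report, level) {
  const floor = SEVERITIES.indexOf(level);
  if (floor === -1) throw new Error('unknown audit level: ' + level);
  const counts = report && report.metadata && report.metadata.vulnerabilities;
  if (!counts || typeof counts !== 'object') {
    throw new Error('audit report has no metadata.vulnerabilities');
  }
  return SEVERITIES.slice(floor).reduce((sum, sev) => {
    const n = counts[sev] === undefined ? 0 : counts[sev];
    if (!Number.isInteger(n) || n < 0) throw new Error('bad count for ' + sev);
    return sum + n;
  }, 0);
}

// Exit code for the job:
//   0 = nothing at or above the threshold
//   1 = at least one finding at or above the threshold
//   2 = report unusable (bad JSON, registry error, bad level): fail closed
function auditExitCode(jsonText, level) {
  try {
    return countAtOrAbove(JSON.parse(jsonText), level) > 0 ? 1 : 0;
  } catch (err) {
    console.error('audit gate: ' + err.message);
    return 2;
  }
}

// Constructed sample mirroring the thread: 2 low, 1 moderate, nothing higher.
const SAMPLE = JSON.stringify({
  metadata: {
    vulnerabilities: { info: 0, low: 2, moderate: 1, high: 0, critical: 0 },
  },
});

console.log('threshold high     ->', auditExitCode(SAMPLE, 'high'));
console.log('threshold moderate ->', auditExitCode(SAMPLE, 'moderate'));
```

In a pipeline, pass the text captured from `npm audit --json` to `auditExitCode` and hand the result to `process.exit`.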