npm audit (without --fix) ignores --only=prod

(Jeremy Forsythe) #1

What I Wanted to Do

Since NSP has shut down and stopped responding, I was making the migration to using npm audit. Production dependencies are free of vulnerabilities, but gulp is staying at v3.9.1 for this release cycle due to major changes in the gulpfile, and that version has a vulnerability.

What Happened Instead

The vulnerability has nothing to do with the application itself, but NSP was, and now npm audit is, part of the pre-deploy process and exits with a non-zero code even when only devDependencies have vulnerabilities. I tried with “–only=prod” and “–production” to no avail.

Reproduction Steps

npm init
npm i -D gulp@3.9.1
npm audit --only=prod


Platform Info

$ npm --versions

{ 'my-application': '3.5.1',
  npm: '6.4.1',
  ares: '1.10.1-DEV',
  cldr: '31.0.1',
  http_parser: '2.7.0',
  icu: '59.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.9.4',
  openssl: '1.0.2n',
  tz: '2017b',
  unicode: '9.0',
  uv: '1.15.0',
  v8: '6.1.534.50',
  zlib: '1.2.11' }

$ node -p process.platform


(Jeremy Forsythe) #2

Note that we cannot use --fix because this is part of the CI process. We just want errors from the process and we will update locally and merge through a PR

(Lars Willighagen) #3

Related posts:

@zkat I could just make a PR for this, I don’t know if that other RFC is really needed for this part.

(Kat Marchán) #4

I’m moving this to #ideas, tbh, since the place to discuss this right now is in the RFC.

(Lars Willighagen) #5

But npm audit resolve doesn’t apply to non-resolving (reporting) audit runs, right? From the RFC:

The implementation is, and should remain, runnable standalone as a separate package with minor wrapping code - useful for testing new features without bundling unfinished work with npm cli versions and therefore node.js.

This is about the existing npm audit command. Should I make a RFC for that?

(Kat Marchán) #6

oh hm. Sorry, I thought you were referring to the feature request I’d seen previously that asked for this.

Yeah, I’d take a PR.

(Lars Willighagen) #7

Here you go:

(system) closed #8

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.