npm Community Forum (Archive)


npm audit (without --fix) ignores --only=prod

What I Wanted to Do

Since NSP has shut down and stopped responding, I was making the migration to using npm audit. Production dependencies are free of vulnerabilities, but gulp is staying at v3.9.1 for this release cycle due to major changes in the gulpfile, and that version has a vulnerability.

What Happened Instead

The vulnerability has nothing to do with the application itself, but NSP was, and now npm audit is, part of the pre-deploy process and exits with a non-zero code even when only devDependencies have vulnerabilities. I tried with "--only=prod" and "--production" to no avail.

Reproduction Steps

npm init
npm i -D gulp@3.9.1
npm audit --only=prod


Platform Info

$ npm --versions

{ 'my-application': '3.5.1',
  npm: '6.4.1',
  ares: '1.10.1-DEV',
  cldr: '31.0.1',
  http_parser: '2.7.0',
  icu: '59.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.9.4',
  openssl: '1.0.2n',
  tz: '2017b',
  unicode: '9.0',
  uv: '1.15.0',
  v8: '6.1.534.50',
  zlib: '1.2.11' }

$ node -p process.platform


Note that we cannot use --fix because this is part of the CI process. We just want errors from the process, and we will update locally and merge through a PR.
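Until the flag is honoured, a CI step can apply the "production only" filter itself by reading the JSON report instead of relying on the exit code. The following script is an added example, not code from the original post or from npm; it assumes the npm 6 `npm audit --json` layout, in which every advisory carries a `findings[]` array and each finding has a boolean `dev` field that is true when the vulnerable path is reached only through devDependencies. The advisory ids, package names and versions in the embedded sample are constructed placeholders.

```javascript
// Added example (not part of the original post): a CI gate that reads the JSON
// report from `npm audit --json` and fails only when an advisory reaches a
// production dependency. ASSUMPTION: npm 6 report shape, where each advisory
// has `findings[]` and each finding carries a boolean `dev` flag.
'use strict';

// Constructed sample modelled on the npm 6 `npm audit --json` layout.
// Ids, module names, paths and versions are placeholders, not real advisories.
const SAMPLE_REPORT = {
  advisories: {
    '1001': {
      id: 1001,
      module_name: 'example-dev-only',
      severity: 'high',
      title: 'Placeholder advisory reached only through a devDependency',
      findings: [
        { version: '1.0.0', paths: ['gulp>example-dev-only'], dev: true, optional: false, bundled: false },
      ],
    },
    '1002': {
      id: 1002,
      module_name: 'example-prod',
      severity: 'moderate',
      title: 'Placeholder advisory reached through a production dependency',
      findings: [
        { version: '2.3.4', paths: ['web-framework>example-prod'], dev: false, optional: false, bundled: false },
      ],
    },
  },
};

// Advisories with at least one finding that is NOT confined to devDependencies.
// A package reachable through both a prod and a dev path still counts as prod.
function productionAdvisories(report) {
  const advisories = (report && report.advisories) || {};
  return Object.values(advisories).filter((adv) =>
    (adv.findings || []).some((f) => f.dev === false)
  );
}

// Exit status the CI step should use: 0 when only devDependencies are affected.
function exitCodeFor(report) {
  return productionAdvisories(report).length === 0 ? 0 : 1;
}

// One line per production advisory for the CI log: severity, module, title.
function summarize(report) {
  return productionAdvisories(report).map(
    (adv) => `${adv.severity}\t${adv.module_name}\t${adv.title}`
  );
}

// With a file argument: gate on that report and set the process exit code.
// Without one: demonstrate on the constructed sample without touching the exit code.
function main(argv) {
  const reportPath = argv[2];
  if (reportPath) {
    const report = JSON.parse(require('fs').readFileSync(reportPath, 'utf8'));
    summarize(report).forEach((line) => console.log(line));
    process.exitCode = exitCodeFor(report);
  } else {
    console.log('No report given; running on the constructed sample:');
    summarize(SAMPLE_REPORT).forEach((line) => console.log(line));
    console.log(`would exit with code ${exitCodeFor(SAMPLE_REPORT)}`);
  }
}

if (typeof require !== 'undefined' && require.main === module) main(process.argv);
```

In the pipeline, capture the report first and ignore npm's own exit code, since `npm audit --json` exits non-zero whenever any advisory exists: `npm audit --json > audit.json || true` followed by `node audit-prod-gate.js audit.json` (the script file name is a placeholder). The script then exits 1 only when a production dependency is affected, which is the behaviour the post asks `--only=prod` to provide.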

Related posts:

@zkat I could just make a PR for this, I don’t know if that other RFC is really needed for this part.

I’m moving this to #ideas, tbh, since the place to discuss this right now is in the RFC.

But npm audit resolve doesn’t apply to non-resolving (reporting) audit runs, right? From the RFC:

The implementation is, and should remain, runnable standalone as a separate package with minor wrapping code - useful for testing new features without bundling unfinished work with npm cli versions and therefore node.js.

This is about the existing npm audit command. Should I make a RFC for that?

oh hm. Sorry, I thought you were referring to the feature request I’d seen previously that asked for this.

Yeah, I’d take a PR.

Here you go: