npm audit's "scanned package" count showing impossible numbers

What I Wanted to Do

I ran npm audit, and expected a summary line showing vulnerability counts and the total number of scanned dependencies.

What Happened Instead

found 1 low severity vulnerability in **476998** scanned packages

Reproduction Steps

I’ve witnessed that on two separate code bases, upgrading from jest 23.x to 24.x causes this “scanned packages” count to balloon by about 450,000 packages! For comparison, the actual number of dependencies in one of them is 509.

Details

You could probably repro against this code: https://github.com/change/longlinks/tree/d968cbcaf7eb4d426fb7876874e6fdfc9c0c7e23

Platform Info

$ npm --versions
{ '@change-org/longlinks': '0.1.1',
  npm: '6.9.0',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.3',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.51',
  zlib: '1.2.11' }
$ node -p process.platform
darwin

Reproduced this issue in two separate projects at work.

Adding jest to my package.json adds 860,844 dependencies, according to the “Packages audited” number from yarn audit.