npm Community Forum (Archive)

The npm community forum has been discontinued.

npm audit's "scanned package" count showing impossible numbers

What I Wanted to Do

I ran npm audit, and expected a summary line showing vulnerability counts and the total number of scanned dependencies.

What Happened Instead

found 1 low severity vulnerability in **476998** scanned packages

Reproduction Steps

I’ve witnessed that on two separate code bases, upgrading from jest 23.x to 24.x causes this “scanned packages” count to balloon by about 450,000 packages! For comparison, the actual number of dependencies in one of them is 509.


You could probably repro against this code:

Platform Info

$ npm --versions
{ '@change-org/longlinks': '0.1.1',
  npm: '6.9.0',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.3',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '',
  zlib: '1.2.11' }
$ node -p process.platform

Reproduced this issue in two separate projects at work.

Adding jest to my package.json adds 860,844 dependencies, according to the “Packages audited” number from yarn audit.
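
A way to sanity-check the audit summary against what the lockfile actually records. This is an added example, not part of the original thread and not npm's own code. It assumes an npm 6 style package-lock.json (lockfileVersion 1) with nested "dependencies" maps; the function names, the maxRatio threshold and the sample lockfile are made up for illustration.

```javascript
'use strict';

// Walk the nested "dependencies" maps of a lockfileVersion 1 lockfile and
// count every installed entry plus the number of distinct name@version pairs.
function countLockfilePackages(lock) {
  const unique = new Set();
  let installed = 0;
  const stack = [lock.dependencies || {}];
  while (stack.length > 0) {
    const deps = stack.pop();
    for (const [name, entry] of Object.entries(deps)) {
      installed += 1;
      unique.add(`${name}@${entry.version}`);
      // Nested copies (version conflicts) live under the parent entry.
      if (entry.dependencies) stack.push(entry.dependencies);
    }
  }
  return { installed, unique: unique.size };
}

// Compare the lockfile count with the figure printed in an audit summary.
// maxRatio is an assumed tolerance, not a value defined by npm.
function checkAuditCount(lock, reported, maxRatio = 2) {
  const counts = countLockfilePackages(lock);
  const ratio = counts.installed === 0 ? Infinity : reported / counts.installed;
  return { ...counts, reported, ratio, implausible: ratio > maxRatio };
}

// Constructed sample lockfile: pkg-c appears at the top level and twice nested.
const sampleLock = {
  name: 'demo', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    'pkg-a': { version: '1.0.0', requires: { 'pkg-c': '^1.0.0' } },
    'pkg-b': { version: '2.0.0', requires: { 'pkg-c': '^2.0.0' },
      dependencies: { 'pkg-c': { version: '2.1.0' } } },
    'pkg-c': { version: '1.4.0' },
    'pkg-d': { version: '0.3.0',
      dependencies: { 'pkg-c': { version: '2.1.0' } } }
  }
};

// A reported count far above the lockfile total is flagged as implausible.
console.log(checkAuditCount(sampleLock, 6));
console.log(checkAuditCount(sampleLock, 5000));
```

To run it on a real project, pass the parsed contents of package-lock.json and the number from the audit summary line to checkAuditCount.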