Please provide option to ignore packages in npm audit


(nop) #1

Since devDependencies don’t make it into live production anyways, having vulnerabilities there is much less impactful than having vulnerabilities in live packages. It would be greatly helpful if I could filter out the devDependency vulnerabilities to see if a critical update is needed for a live package.

Please provide a flag to skip auditing devDependencies.
npm audit --prod

Also, please provide a flag to ignore a specific package
npm audit --ignore package_to_ignore

(Kat Marchán) #2

This seems like a partial duplicate of

Interactive tool to manage audit findings - npm audit resolve.

There’s also a PR that should solve the other half of this:

(Zbyszek Tenerowicz) #3

Feel free to try npm-audit-resolver out - it’s a prototype of what I’m trying to get built into npm (via an RFC) and some feedback would really help!

(Franklin Yu) #4

Shall we re-open this idea? The pull-request is closed, but not opened in npm/cli.

(Jee Mok) #5

Built a small package to allow ignoring certain advisories for now until NPM release the ability to ignore them:

Feel free to use it for your project if it fits!