npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Please provide option to ignore packages in npm audit

Since devDependencies don’t make it into live production anyways, having vulnerabilities there is much less impactful than having vulnerabilities in live packages. It would be greatly helpful if I could filter out the devDependency vulnerabilities to see if a critical update is needed for a live package.

Please provide a flag to skip auditing devDependencies.
npm audit --prod

Also, please provide a flag to ignore a specific package
npm audit --ignore package_to_ignore

This seems like a partial duplicate of

Interactive tool to manage audit findings - npm audit resolve.

There’s also a PR that should solve the other half of this:

Feel free to try npm-audit-resolver out - it’s a prototype of what I’m trying to get built into npm (via an RFC) and some feedback would really help!

Shall we re-open this idea? The pull-request is closed, but not opened in npm/cli.

Built a small package to allow ignoring certain advisories for now until NPM release the ability to ignore them:

Feel free to use it for your project if it fits!