Please support --production or --only=production in npm audit

(Teppo Kurki) #1

Related original issues:

My troubles are related to devDependencies related to changelog generation and tests that have nothing to do with runtime.

PS. Do I really need to open a new topic when there is already one that has been “resolved” with a comment that does nothing about actually resolving issue (“we are waiting for an RFC”) and then automatically closed? Feel free to close this and reopen the linked one if that is possible.

npm audit (without --fix) ignores --only=prod
(Lars Willighagen) #2

The PR has been submitted in the meantime, and is being discussed here and here.

I believe the automatic closing was due to a misconfiguration; it had nothing to do with an answer being marked as solution, and topics in #ideas no longer have an expiry date. At least, more recent #ideas posts with a marked solution haven’t been closed automatically (1, 2, 3).

(Teppo Kurki) #3

The PR you linked is imho pretty complicated (“one more package-lock.json”) and I don’t see much progress there. Personally I would use a 3rd party tool (the one the author has created) for this.

Leveraging npm core functionality, the distinction between dev and runtime dependencies, would be very much in line with how npm works in general: there are clearly two sets of dependencies, that could be (optionally) treated separately.

Don’t know if it is just me, but I expected --production to Just Work™.

(Lars Willighagen) #4

I know, it was just an update on that message. As for --only=..., it seems there’s some code in place concerning that in the audit code; I’ll look into whether that works properly.

Edit: the code that I saw only affects npm audit fix behaviour.

(Hajo Aho-Mantila) #5

Not sure that’s the right way to vote for an idea, but I’m also looking exactly for the behaviour @tkurki describes: npm audit --production should only report vulnerabilities in production dependencies.
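Until npm honours --production for audit, the behaviour asked for above can be approximated by post-filtering the audit report. The following is an added example (not npm's code and not from anyone in this thread): it keeps only advisory findings whose dependency path starts from a package listed under "dependencies" in package.json. The report shape (advisories → findings → paths written as "a>b>c") is an assumption modelled on npm 6 `npm audit --json` output, and the sample report and production set are constructed here.

```javascript
// Constructed sample report in the assumed npm 6 `npm audit --json` shape:
// advisory 1001 is reachable only via express (production), 1002 only via a
// changelog tool (dev), 1003 via both a production and a dev path.
const SAMPLE_AUDIT = {
  advisories: {
    "1001": { id: 1001, module_name: "left-padder", severity: "high",
      findings: [{ version: "1.0.0", paths: ["express>left-padder"] }] },
    "1002": { id: 1002, module_name: "changelog-gen", severity: "moderate",
      findings: [{ version: "2.1.0", paths: ["conventional-changelog>changelog-gen"] }] },
    "1003": { id: 1003, module_name: "tiny-util", severity: "low",
      findings: [{ version: "0.3.0",
        paths: ["express>body-parser>tiny-util", "mocha>tiny-util"] }] }
  }
};

// Constructed production set: the keys of "dependencies" in package.json
// (not "devDependencies"); in practice read it from the real package.json.
const PROD_DEPS = new Set(["express"]);

// A path "a>b>c" is a production path when its top-level package "a" is a
// production dependency. Paths use ">" as separator (assumption, npm 6 style).
function isProductionPath(path, prodDeps) {
  return prodDeps.has(path.split(">")[0]);
}

// Return a copy of the report containing only findings (and only paths) that
// are reachable from production dependencies; advisories with no remaining
// production path are dropped entirely.
function productionOnly(audit, prodDeps) {
  const kept = {};
  for (const [id, adv] of Object.entries(audit.advisories || {})) {
    const findings = (adv.findings || [])
      .map(f => ({ ...f, paths: f.paths.filter(p => isProductionPath(p, prodDeps)) }))
      .filter(f => f.paths.length > 0);
    if (findings.length > 0) kept[id] = { ...adv, findings };
  }
  return kept;
}

// Severity tally of the filtered report, handy for a CI threshold check.
function countBySeverity(advisories) {
  const counts = {};
  for (const adv of Object.values(advisories)) {
    counts[adv.severity] = (counts[adv.severity] || 0) + 1;
  }
  return counts;
}

const prodReport = productionOnly(SAMPLE_AUDIT, PROD_DEPS);
console.log(Object.values(prodReport).map(a => a.module_name), countBySeverity(prodReport));
```

To run it against a real project, replace SAMPLE_AUDIT with the parsed output of `npm audit --json` and PROD_DEPS with the keys of "dependencies" from package.json.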