The npm community forum has been discontinued.
To discuss usage of npm, visit the GitHub Support Community.
Please support --production or --only=production in npm audit
Related original issues:
- How am I supposed to address `npm audit` vulnerabilities that don't apply to me?
My troubles are related to devDependencies related to changelog generation and tests that have nothing to do with runtime.
PS. Do I really need to open a new topic when there is already one that has been “resolved” with a comment that does nothing about actually resolving issue (“we are waiting for an RFC”) and then automatically closed? Feel free to close this and reopen the linked one if that is possible.
I believe the automatic closing was due to a misconfiguration; it had nothing to do with an answer being marked as solution, and topics in #ideas no longer have an expiry date. At least, more recent #ideas posts with a marked solution haven’t been closed automatically (1, 2, 3).
The PR you linked is imho pretty complicated (“one more package-lock.json”) and I don’t see much progress there. Personally I would use a 3rd party tool (the one the author has created) for this.
Leveraging npm core functionality, the distinction between dev and runtime dependencies, would be very much in line with how npm works in general: there are clearly two sets of dependencies, that could be (optionally) treated separately.
Don’t know if it is just me, but I expected `--production` to Just Work™.
I know, it was just an update on that message. As for `--only=...`, it seems there’s some code in place concerning that in the audit code; I’ll look into whether that works properly.
Edit: the code that I saw only affects `npm audit fix` behaviour.
Not sure that’s the right way to vote for an idea, but I’m also looking exactly for the behaviour @tkurki describes: `npm audit --production` should only report vulnerabilities in production dependencies.
I’d also expect `npm audit --production` to work, especially as it is documented as a general option to