We would like to add npm audit to our CI pipeline but do not want to block our pipeline for issues that are currently unfixable.
If a new issue comes up in a package we depend on, it's likely already been deployed to production, and we do not want to block our entire pipeline for an issue we can't actively do anything about and that already exists in our system.
On the other hand if the security issue is fixable then we would like to cause the builds to block until someone applies the fix.
For that reason I would like to propose:
npm audit --error-on-fixable
Which would continue to print out all of the known audit errors, respecting the same flags as it does today, but would additionally return
0 if there are no fixable errors in the list or
1 if there are fixable errors.
Without the flag the behavior would be the current default which is to return
1 if there are any errors at all.