Current behavior when running npm install on the command line:
- I do an npm install
- things install
- I get a warning about how many vulnerabilities there are + their level.
- my reaction: great! Geez, I wish I knew
Desired behavior on the command line client:
- do an npm install.
- get metadata about needed packages and if there are any vulnerabilities + how severe they are
- display the same warning to user, ask for consent to proceed
- leave it to the user to weigh their options before typing y to install anyway
If the number of installs for a package goes down, that might create an incentive for package managers to update their dependencies or code. Also, out of respect for the user, we should tell him/her beforehand.
What do you think?