npm 7 with audit-level set fails the install when audit warnings exist
#2715
Comments
ljharb
added
Bug
Caused by npm/cli#2715
Caused by npm/cli#2715
Caused by npm/cli#2715
|
There is a From the readme in npm-audit-report:
This seems to be working as intented. I set my level to |
|
Our config page in "using npm" says the same thing:
|
|
@wraithgar so this was an intentional change in npm 7? can you point me to where that change was decided? |
|
Also, when i set it to “info” i get: audit-level="info" set in environment
npm WARN invalid config Must be one of: low, moderate, high, critical, none, nullnone does work tho. |
|
Yep looks like |
|
@wraithgar i still think this should be reopened, since it was an unintentional change in npm 7. The install is not supposed to fail even if there are audit warnings, and that's what's happening here. |
|
Ah I see what you mean, the |
|
Yes, exactly right. |
|
Ok after a bit of debugging I think this is still acting as it should. If I set my warning level to This is the behavior now (in $ node ../cli install --audit-level info;echo $status
up to date, audited 3 packages in 702ms
1 low severity vulnerability
To address all issues, run:
npm audit fix
Run `npm audit` for details.
1
$ node ../cli install --audit-level low;echo $status
up to date, audited 3 packages in 935ms
1 low severity vulnerability
To address all issues, run:
npm audit fix
Run `npm audit` for details.
1
$ node ../cli install --audit-level moderate;echo $status
up to date, audited 3 packages in 536ms
1 low severity vulnerability
To address all issues, run:
npm audit fix
Run `npm audit` for details.
0 |
|
I still don't think it is. No install should ever fail due to audit warnings, regardless of what the audit level is set to. Only If that was intended to change in npm 7, then that is a pretty major functionality change that was never discussed in an RFC call nor referenced (that I can recall) in a changelog. Please reopen. |
|
@wraithgar the linked PR appears both merged and released, but I'm still seeing this issue in npm v7.11.2: https://github.com/inspect-js/is-generator-function/runs/2515355693 |
|
Can you open a new issue for this @ljharb that clearly outlines the situation? |
|
@wraithgar i can, but the contents would be identical to this - basically, install should never fail due to audit, and currently it does if an explicit audit level is set in config. |
|
This errors seems to only happen if there is a lock file. |
|
@mshima i see it explicitly without a lockfile, since i never use lockfiles in any of my published projects. |
|
Interesting, at our use case it installs correctly and fails at the second call. |
|
Fixed by #3311 |
In npm 6
npm installwas unaffected by theaudit-levelconfig setting. It only affected the exit code ofnpm audititself. In npm 7 this behavior has been carried over tonpm install.Current Behavior:
If I set
audit-levelthennpm installexits uncleanly if there are vulnerabilities found during install that match that level or higher.Expected Behavior:
The exit status of
npm installshould be unaffected by theaudit-levelsetting.Steps To Reproduce:
Make a new package that depends on
"minimist": "~1.1.3".npm installpasses in both npm 6 and npm 7.npm auditfails in both npm 6 and npm 7.NPM_CONFIG_AUDIT_LEVEL=low npm installpasses in npm 6, but fails in npm 7.NPM_CONFIG_AUDIT_LEVEL=low npm auditfails in npm 6 and npm 7.Environment:
The text was updated successfully, but these errors were encountered: