audit: env selection for report

[larsgw]

Select dependency environments with --only, --also and --production for
reports as well, instead of just for audit fix. Still reports the
filtered advisories, but changes the exit code (as is done with
advisories below --audit-level). Tests need updating due to the new way
of counting vulnerabilities.

See https://npm.community/t/3959

[sneakypete81]

Thanks very much for doing this.

Still reports the filtered advisories

Maybe I've misunderstood, but if I run npm audit --only=prod I wouldn't expect to see any advisories from dev dependencies.

[larsgw]

Maybe I've misunderstood, but if I run npm audit --only=prod I wouldn't expect to see any advisories from dev dependencies.

@sneakypete81 I know, but that requires either modifying the audit report, which could have unintended side effects, or changing all the reporters. Since --audit-level also reports advisories under the set severity (correct me if I'm wrong), this seemed like warranted behavior.

[mikecbrant]

Anxiously awaiting merge. Thanks, @larsgw

[evilpacket]

I did a quick test of --audit-level and it worked as I would intend it to.

I would expect these flags to be passed along to the reporters and for them to act appropriately, such as @sneakypete81 suggests when I say --only=prod to not show advisories that pertain to dev dependencies.

Looks like npm audit help would also need some updating to represent the new flags but I'm not sure the standard that's been set forth by the cli team for these things.

[iarna]

As Adam suggests, docs should be added to doc/cli/npm-audit.md and doc/misc/npm-config.md

Reporter filters go in https://github.com/npm/npm-audit-report/pulls and should be PRed there (please add a note here when they are)

[larsgw]

I added the docs. --audit-level doesn't filter the reports on my end (v6.5.0), should I add that as well as the env filters?

$ npm ini -y
$ npm i underscore.string@3.3.4
$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install underscore.string@3.3.5  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ underscore.string                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ underscore.string                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ underscore.string                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/745                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 1 moderate severity vulnerability in 3 scanned packages
  run `npm audit fix` to fix 1 of them.

$ echo $?
1

$ npm audit --audit-level high
                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install underscore.string@3.3.5  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ underscore.string                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ underscore.string                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ underscore.string                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/745                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 1 moderate severity vulnerability in 3 scanned packages
  run `npm audit fix` to fix 1 of them.

$ echo $?
0

[perrosen]

Any movement on this? Is there something I can do to help speeding this up? This is one of my most wanted features for npm audit since launch. Seeing CI builds fail because of dev dependencies is becoming a real annoyance.

[MNF]

Is it similar to implemented “Enable production flag for npm audit #202 ”?

[IPWright83]

Are there updates on this at all? I've got builds failing on our pipeline (and similarly don't want to auto fix them during the build), but it's all because of jest dependencies - which really don't matter at runtime.

[lucasfevi]

@IPWright83 there is now a production flag for npm audit on npm version v6.10+. Check the release notes: https://github.com/npm/cli/releases/tag/v6.10.0

[SoerenHenning]

Even though the --production flag is a nice improvement, we could only take full advantage of it if accompanied by a --development flag or so. Our use case is as follows: We would like to run npm audit as part of our build pipeline for both production and development dependencies. However, the build process should only fail for vulnerabilities in production. For vulnerabilities in dev dependencies, only a warning should be generated.