Allow npm audit to ignore dev dependencies

[barrynorman]

Add a flag to ignore dev dependencies when running npm audit.
Maybe it could ignore them by default and only check them with a flag.

[khitrenovich]

Yes, having that would be great.
There was an issue in old repository on that, but nothing actually happened.

[kievsash]

+1

[antoniobeltran]

+1

[kievsash]

For now I usually run this command during deploy before running npm audit:
node -e “var fs = require(‘fs’); var content = JSON.parse(fs.readFileSync(‘./package.json’)); delete content.devDependencies; fs.writeFileSync(‘./package.json’, JSON.stringify(content, null, 4))”

[vitorarins]

This has being going for almost a year now I guess.
Any plans on adding this?

[extempl]

Guys? Anyone from NPM? Your attention is needed here.

[extempl]

@welwood08 Are you still working on this?

[welwood08]

It looks like this might have fallen off my radar due to an unfortunate sequence of events. I believe I was waiting for feedback on my 2 PRs in this repo (#26 is the main one relevant to this issue), and then I think the old npm repo must have been archived at about the same time that Gmail started treating all my Github notifications as spam. By the time I'd noticed it had been quiet, there was a lot to try to catch up on!

I assume my still-open PRs in this repo have suffered bit-rot but I haven't been following recent npm code changes to know how much effort would be needed to revive them. I'm not currently in a position to pick up where I left off anyway so if anyone else wants to tackle it, perhaps using my old PRs as a starting point, feel free to do so.

[TooQ]

As a temporary workaround, just remove the devDependencies from your package.json for a moment, and then run npm audit. That way, only your regular dependencies will be checked.

[llaenowyd]

• npm/cli depends on npm-audit-report
• npm/cli uses npm-audit-report to generate the audit output that some find overwhelming

🤔

[ghost]

yarn implemented group-based audit in v1.16.0. Would be nice to see something similar in npm

[jeemok]

for a temporary workaround while waiting for npm to release the ignore feature:

npm install better-npm-audit --save

node node_modules/better-npm-audit audit -i {vulnerability ID}

[nathany]

npm-audit-helper is another third-party option:

npm audit --json | npm-audit-helper --prod-only

[msegers]

wowowow I thought this was already in, we still can not do this with npm audit?

[c-vetter]

Hey everybody,
[TLDR] I think this can be closed.

I wanted to know how to exclude a specific module which does seems to requrie something like @kievsash's hack. I found this issue as well as the related ones in the old repo (npm/npm#20564, npm/npm#20565, npm/npm#20764). I also found some outdated documentation that mentioned a --only=prod CLI parameter.

I tried that out and it did not work as expected (didn't read the documentation too thoroughly 😅), but firstly npm audit --help prints this:

npm audit [--json] [--production]
npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=(dev|prod)]

Some fiddling yielded this:

• --production flag completely ignores devDependencies
• --only limits the updates to package.json and package.lock.json

So yeah, while my specific use-case is not handled, I think this issue is resolved by now.

Cheers! 😃

[MNF]

It was implemented in “Enable production flag for npm audit #202 ”

[c-vetter]

@barrynorman @isaacs
Can you close this, please?