Allow npm audit to ignore dev dependencies #31
Comments
Yes, having that would be great.
+1
+1
For now I usually run this command during deploy before running npm audit:
This has been going on for almost a year now I guess.
Guys? Anyone from NPM? Your attention is needed here.
@welwood08 Are you still working on this?
It looks like this might have fallen off my radar due to an unfortunate sequence of events. I believe I was waiting for feedback on my 2 PRs in this repo (#26 is the main one relevant to this issue), and then I think the old npm repo must have been archived at about the same time that Gmail started treating all my GitHub notifications as spam. By the time I'd noticed it had been quiet, there was a lot to try to catch up on! I assume my still-open PRs in this repo have suffered bit-rot but I haven't been following recent npm code changes to know how much effort would be needed to revive them. I'm not currently in a position to pick up where I left off anyway so if anyone else wants to tackle it, perhaps using my old PRs as a starting point, feel free to do so.
As a temporary workaround, just remove the devDependencies from your package.json for a moment, and then run npm audit. That way, only your regular dependencies will be checked.
for a temporary workaround while waiting for npm to release the ignore feature:
npm-audit-helper is another third-party option:
wowowow I thought this was already in, we still can not do this with npm audit?
Hey everybody, I wanted to know how to exclude a specific module which does seem to require something like @kievsash's hack. I found this issue as well as the related ones in the old repo (npm/npm#20564, npm/npm#20565, npm/npm#20764). I also found some outdated documentation that mentioned a I tried that out and it did not work as expected (didn't read the documentation too thoroughly 😅), but firstly
npm audit [--json] [--production]
npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=(dev|prod)]
Some fiddling yielded this:
So yeah, while my specific use-case is not handled, I think this issue is resolved by now. Cheers! 😃
It was implemented in “Enable production flag for npm audit #202”
@barrynorman @isaacs
Add a flag to ignore dev dependencies when running npm audit. Maybe it could ignore them by default and only check them with a flag.