npm audit only for production dependencies?

Currently, when running npm audit in a project, it checks both the dependencies and the devDependencies. I am looking for a way to only check the dependencies. Is there currently a way to do so?

Shote answered 15/5, 2018 at 14:13 Comment(2)
I couldn't find anything for now, but, apparently, there is a PR submitted about it - github.com/npm/npm/pull/20594 - Winograd
Awesome, so it is just a matter of time. Thanks! - Shote
72

Support for the --production flag was released in npm 6.10.0.

https://github.com/npm/cli/pull/202

npm audit --production

The --omit flag was added in npm 7.x and is now preferred.

https://docs.npmjs.com/cli/v8/commands/npm-audit/#omit

npm audit --omit=dev

Christinchristina answered 17/1, 2020 at 1:29 Comment(1)
--production seems deprecated and you should use --omit=dev instead. See my answer below for more information. - Oscillator
6

You should use --omit=dev rather than --production according to warnings on more recent npm versions:

$ npm audit --production
npm WARN config production Use `--omit=dev` instead.

It seems to be deprecated as of npm v8.7.0. I wasn't able to confirm, but this PR seems the most relevant from my research: https://github.com/npm/cli/pull/4744

Looking into the PR's description, it's possible you should be specifying --omit peer as well.

Oscillator answered 2/7, 2022 at 17:52 Comment(1)
Looks like, according to the docs, "npm audit checks direct dependencies, devDependencies, bundledDependencies, and optionalDependencies, but does not check peerDependencies.", which means that --omit=peer should have no effect here, and as such shouldn't be necessary. - Mosier
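
An added example, not part of any answer above: a POSIX shell helper for CI scripts that have to run on several npm versions, picking between the two flags by the version numbers the answers give (--production from npm 6.10.0, --omit=dev from npm 7). The function names audit_flag_for and audit_prod are hypothetical.

```shell
#!/bin/sh
# Added example: pick the npm audit flag that skips devDependencies,
# based on the version thresholds quoted in the answers above.

# audit_flag_for VERSION
#   Prints the flag to pass to `npm audit`.
#   Returns 1 if that npm cannot exclude devDependencies,
#   2 if the version string cannot be parsed.
audit_flag_for() {
    ver=${1#v}            # tolerate a leading "v"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        ''|*[!0-9]*)
            echo "unparseable npm version: '$1'" >&2
            return 2 ;;
    esac
    if [ "$major" -ge 7 ]; then
        echo "--omit=dev"          # preferred since npm 7.x
    elif [ "$major" -eq 6 ] && [ "$minor" -ge 10 ]; then
        echo "--production"        # available since npm 6.10.0
    else
        echo "npm $1 cannot exclude devDependencies from audit" >&2
        return 1
    fi
}

# audit_prod
#   Audits production dependencies only. Fails closed: if no suitable flag
#   exists, it returns non-zero instead of silently auditing everything
#   or nothing. The exit status of `npm audit` is passed through.
audit_prod() {
    flag=$(audit_flag_for "$(npm --version)") || return
    npm audit "$flag"
}
```

Call audit_prod from the CI step that gates a release; a non-zero status means either findings were reported or the installed npm is too old for a production-only audit.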
