npm 7 with `audit-level` set fails the install when audit warnings exist

[ljharb]

In npm 6 npm install was unaffected by the audit-level config setting. It only affected the exit code of npm audit itself. In npm 7 this behavior has been carried over to npm install.

Current Behavior:

If I set audit-level then npm install exits uncleanly if there are vulnerabilities found during install that match that level or higher.

Expected Behavior:

The exit status of npm install should be unaffected by the audit-level setting.

Steps To Reproduce:

Make a new package that depends on "minimist": "~1.1.3".

• npm install passes in both npm 6 and npm 7.

• npm audit fails in both npm 6 and npm 7.

• NPM_CONFIG_AUDIT_LEVEL=low npm install passes in npm 6, but fails in npm 7.

• NPM_CONFIG_AUDIT_LEVEL=low npm audit fails in npm 6 and npm 7.

Environment:

• npm: v6.14.11 and v7.5.4

[wraithgar]

There is a low level advisory for minimist at that level, so if you set the audit level to low it will exit w/ a statusCode of 1. If you set the level to info it will exit with a statusCode of 0.

From the readme in npm-audit-report:

level of vulnerability that will trigger a non-zero exit code (set to 'none' to always exit with a 0 status code

This seems to be working as intented. I set my level to info and got an exitCode of 0.

[wraithgar]

Our config page in "using npm" says the same thing:

The minimum level of vulnerability for npm audit to exit with a non-zero exit code.

[ljharb]

@wraithgar so this was an intentional change in npm 7? can you point me to where that change was decided?

[ljharb]

Also, when i set it to “info” i get:

audit-level="info" set in environment
npm WARN invalid config Must be one of: low, moderate, high, critical, none, null

none does work tho.

[wraithgar]

Yep looks like info isn't in the list. will make a PR for that, and leverage our fancy new parameter usage output to add it to the npm usage -h output