Allow npm audit to ignore dev dependencies

[barrynorman]

Add a flag to ignore dev dependencies when running npm audit.
Maybe it could ignore them by default and only check them with a flag.

[khitrenovich]

Yes, having that would be great.
There was an issue in old repository on that, but nothing actually happened.

[kievsash]

+1

[antoniobeltran]

+1

[kievsash]

For now I usually run this command during deploy before running npm audit:
node -e “var fs = require(‘fs’); var content = JSON.parse(fs.readFileSync(‘./package.json’)); delete content.devDependencies; fs.writeFileSync(‘./package.json’, JSON.stringify(content, null, 4))”

[vitorarins]

This has being going for almost a year now I guess.
Any plans on adding this?

[extempl]

Guys? Anyone from NPM? Your attention is needed here.

[extempl]

@welwood08 Are you still working on this?

[welwood08]

It looks like this might have fallen off my radar due to an unfortunate sequence of events. I believe I was waiting for feedback on my 2 PRs in this repo (#26 is the main one relevant to this issue), and then I think the old npm repo must have been archived at about the same time that Gmail started treating all my Github notifications as spam. By the time I'd noticed it had been quiet, there was a lot to try to catch up on!

I assume my still-open PRs in this repo have suffered bit-rot but I haven't been following recent npm code changes to know how much effort would be needed to revive them. I'm not currently in a position to pick up where I left off anyway so if anyone else wants to tackle it, perhaps using my old PRs as a starting point, feel free to do so.

[TooQ]

As a temporary workaround, just remove the devDependencies from your package.json for a moment, and then run npm audit. That way, only your regular dependencies will be checked.

[llaenowyd]

• npm/cli depends on npm-audit-report
• npm/cli uses npm-audit-report to generate the audit output that some find overwhelming

🤔

yarn implemented group-based audit in v1.16.0. Would be nice to see something similar in npm

[jeemok]

for a temporary workaround while waiting for npm to release the ignore feature:

npm install better-npm-audit --save

node node_modules/better-npm-audit audit -i {vulnerability ID}

[nathany]

npm-audit-helper is another third-party option:

npm audit --json | npm-audit-helper --prod-only