npm 7 with audit-level
set fails the install when audit warnings exist
#2715
Comments
Caused by npm/cli#2715
There is a From the readme in npm-audit-report:
This seems to be working as intended. I set my level to
Our config page in "using npm" says the same thing:
@wraithgar so this was an intentional change in npm 7? can you point me to where that change was decided?
Also, when I set it to "info" I get:

```
audit-level="info" set in environment
npm WARN invalid config Must be one of: low, moderate, high, critical, none, null
```

`none` does work tho.
Yep looks like
@wraithgar I still think this should be reopened, since it was an unintentional change in npm 7. The install is not supposed to fail even if there are audit warnings, and that's what's happening here.
Ah I see what you mean, the
Yes, exactly right.
Ok after a bit of debugging I think this is still acting as it should. If I set my warning level to This is the behavior now (in

```
$ node ../cli install --audit-level info;echo $status
up to date, audited 3 packages in 702ms

1 low severity vulnerability

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
1
$ node ../cli install --audit-level low;echo $status
up to date, audited 3 packages in 935ms

1 low severity vulnerability

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
1
$ node ../cli install --audit-level moderate;echo $status
up to date, audited 3 packages in 536ms

1 low severity vulnerability

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
0
```
I still don't think it is. No install should ever fail due to audit warnings, regardless of what the audit level is set to. Only If that was intended to change in npm 7, then that is a pretty major functionality change that was never discussed in an RFC call nor referenced (that I can recall) in a changelog. Please reopen.
@wraithgar the linked PR appears both merged and released, but I'm still seeing this issue in npm v7.11.2: https://github.com/inspect-js/is-generator-function/runs/2515355693
Can you open a new issue for this @ljharb that clearly outlines the situation?
@wraithgar I can, but the contents would be identical to this - basically, install should never fail due to audit, and currently it does if an explicit audit level is set in config.
This error seems to only happen if there is a lock file.
@mshima I see it explicitly without a lockfile, since I never use lockfiles in any of my published projects.
Interesting, at our use case it installs correctly and fails at the second call. |
Fixed by #3311 |
In npm 6 `npm install` was unaffected by the `audit-level` config setting. It only affected the exit code of `npm audit` itself. In npm 7 this behavior has been carried over to `npm install`.

Current Behavior:

If I set `audit-level` then `npm install` exits uncleanly if there are vulnerabilities found during install that match that level or higher.

Expected Behavior:

The exit status of `npm install` should be unaffected by the `audit-level` setting.

Steps To Reproduce:

Make a new package that depends on `"minimist": "~1.1.3"`.

- `npm install` passes in both npm 6 and npm 7.
- `npm audit` fails in both npm 6 and npm 7.
- `NPM_CONFIG_AUDIT_LEVEL=low npm install` passes in npm 6, but fails in npm 7.
- `NPM_CONFIG_AUDIT_LEVEL=low npm audit` fails in npm 6 and npm 7.

Environment:
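The threshold semantics argued over in this thread ("vulnerabilities that match that level or higher" fail the command) and the three-run transcript above (one low-severity finding: exit 1 at `info` and `low`, exit 0 at `moderate`) can be reproduced offline. The following is an added example, not npm's or npm-audit-report's code: it reads the `metadata.vulnerabilities` counts that `npm audit --json` emits (the key layout is assumed from memory of npm 7 output) and returns the exit code a CI gate should use for a given audit level. Treating `info` as the lowest level and `none`/`null` as "gate disabled" is an assumption based on the WARN message and transcript quoted in the thread. The sample report is constructed.

```python
"""Audit-level threshold gate, decoupled from `npm install`.

Added example (not npm's own code). Given the vulnerability counts from
`npm audit --json`, decide whether a CI step should fail for a configured
audit level. Running this gate as its own step after `npm install` or
`npm ci` keeps the install's exit status independent of audit findings,
which is the behavior the issue asks for.
"""
import json
from typing import Mapping, Optional

# Lowest severity first. "info" appears only as a CLI value in the thread's
# transcript; the config validation lists low..critical plus none/null.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Assumed: these values switch the gate off entirely.
DISABLED_LEVELS = {"none", "null", None}


def audit_exit_code(counts: Mapping[str, int], audit_level: Optional[str]) -> int:
    """Return 1 if any finding is at or above `audit_level`, else 0.

    `counts` maps severity name -> number of findings (extra keys such as
    "total" are ignored).
    """
    if audit_level in DISABLED_LEVELS:
        return 0
    if audit_level not in SEVERITY_ORDER:
        raise ValueError(
            f"invalid audit-level {audit_level!r}; must be one of "
            f"{', '.join(SEVERITY_ORDER)}, none, null"
        )
    threshold = SEVERITY_ORDER.index(audit_level)
    # Only severities at the threshold or higher count.
    for severity in SEVERITY_ORDER[threshold:]:
        if counts.get(severity, 0) > 0:
            return 1
    return 0


def gate_from_audit_json(report_text: str, audit_level: Optional[str]) -> int:
    """Parse `npm audit --json` output and apply the threshold gate.

    Assumes the report carries counts under metadata.vulnerabilities.
    """
    report = json.loads(report_text)
    counts = report["metadata"]["vulnerabilities"]
    return audit_exit_code(counts, audit_level)


# Constructed sample mirroring the "1 low severity vulnerability" case
# shown in the thread's transcript.
SAMPLE_REPORT = json.dumps({
    "metadata": {
        "vulnerabilities": {
            "info": 0, "low": 1, "moderate": 0,
            "high": 0, "critical": 0, "total": 1,
        }
    }
})

if __name__ == "__main__":
    # Expected: info -> 1, low -> 1, moderate -> 0, none -> 0
    for level in ("info", "low", "moderate", "none"):
        print(f"audit-level={level}: exit {gate_from_audit_json(SAMPLE_REPORT, level)}")
```

In a pipeline this would run as `npm audit --json > audit.json || true` followed by the gate, so a failing audit is reported by the gate step and not by the install step; the `|| true` is needed because `npm audit` itself exits non-zero when findings exist, as the issue body notes.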