-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
audit: env selection for report #125
Conversation
Select dependency environments with --only, --also and --production for reports as well, instead of just for audit fix. Still reports the filtered advisories, but changes the exit code (as is done with advisories below --audit-level). Tests need updating due to the new way of counting vulnerabilities. See https://npm.community/t/3959
Thanks very much for doing this.
Maybe I've misunderstood, but if I run |
@sneakypete81 I know, but that requires either modifying the audit report, which could have unintended side effects, or changing all the reporters. Since |
Anxiously awaiting merge. Thanks, @larsgw |
I did a quick test of I would expect these flags to be passed along to the reporters and for them to act appropriately, such as @sneakypete81 suggests when I say Looks like |
As Adam suggests, docs should be added to Reporter filters go in https://github.com/npm/npm-audit-report/pulls and should be PRed there (please add a note here when they are) |
I added the docs.
|
db63b89
to
b09bc8c
Compare
The security script might come back when this is merged and released: npm/cli#125
The security script might come back when this is merged and released: npm/cli#125
The security script might come back when this is merged and released: npm/cli#125
The security script might come back when this is merged and released: npm/cli#125
The security script might come back when this is merged and released: npm/cli#125
Any movement on this? Is there something I can do to help speeding this up? This is one of my most wanted features for npm audit since launch. Seeing CI builds fail because of dev dependencies is becoming a real annoyance. |
The security check might come back when this is merged and released: npm/cli#125
The security script might come back when this is merged and released: npm/cli#125
…d and gone The security check might come back when this is merged and released: npm/cli#125
The security script might come back when this is merged and released: npm/cli#125
Is it similar to implemented “Enable production flag for npm audit #202 ”? |
Are there updates on this at all? I've got builds failing on our pipeline (and similarly don't want to auto fix them during the build), but it's all because of |
@IPWright83 there is now a production flag for |
Even though the |
Select dependency environments with --only, --also and --production for
reports as well, instead of just for audit fix. Still reports the
filtered advisories, but changes the exit code (as is done with
advisories below --audit-level). Tests need updating due to the new way
of counting vulnerabilities.
See https://npm.community/t/3959