Currently, when running npm audit in a project, it checks both the dependencies and the devDependencies. I am looking for a way to only check the dependencies. Is there currently a way to do so?
Marcel
user857990

- I couldn't find anything for now, but, apparently, there is a PR submitted about it - https://github.com/npm/npm/pull/20594 – UchihaItachi May 15 '18 at 14:29
- Awesome, so it is just a matter of time. Thanks! – user857990 May 16 '18 at 07:07

2 Answers
Support for `--production` flag was released in npm 6.10.0
https://github.com/npm/cli/pull/202
```
npm audit --production
```
The `--omit` flag was added in npm 7.x and is now preferred.
https://docs.npmjs.com/cli/v8/commands/npm-audit/#omit
```
npm audit --omit=dev
```
Joe Bowbeer

- `--production` seems deprecated and you should use `--omit=dev` instead. See my [answer](https://stackoverflow.com/a/72841297/14146969) below for more information. – Scott G Jul 02 '22 at 17:53

You should use `--omit=dev` rather than `--production` according to warnings on more recent npm versions:
```
$ npm audit --production
npm WARN config production Use `--omit=dev` instead.
```
It seems to be deprecated as of npm v8.7.0. I wasn't able to confirm, but this PR seems the most relevant from my research: https://github.com/npm/cli/pull/4744
Looking into the PR's description, it's possible you should be specifying `--omit peer` as well.
Scott G

- Looks like, according to [the docs](https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities#running-a-security-audit-with-npm-audit), "*`npm audit` checks direct dependencies, devDependencies, bundledDependencies, and optionalDependencies, but does not check peerDependencies.*", which means that `--omit=peer` should have no effect here, and as such shouldn't be necessary. – zcoop98 Aug 25 '23 at 22:29
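
An added example, not part of either answer and not npm's own code: a POSIX shell helper that a CI job could use to choose between the two flags from the answers above based on the installed npm version, failing closed when neither flag is available. The function names `audit_prod_flag` and `run_prod_audit` are hypothetical; the version cut-offs (6.10.0 for `--production`, 7.x for `--omit=dev`) are the ones stated in the answers.

```shell
#!/bin/sh
# Added example: choose the npm audit flag that excludes devDependencies.
# Function names are hypothetical; version cut-offs come from the answers above.

# Print the flag for the given npm version string.
# Returns 1 if the version is unparseable or predates 6.10.0.
audit_prod_flag() {
    ver=${1#v}                 # tolerate a leading "v"
    ver=${ver%%[-+]*}          # drop pre-release/build suffix, e.g. 8.0.0-beta.1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    for part in "$major" "$minor"; do
        case "$part" in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric component
        esac
    done
    if [ "$major" -ge 7 ]; then
        echo "--omit=dev"              # preferred since npm 7.x
    elif [ "$major" -eq 6 ] && [ "$minor" -ge 10 ]; then
        echo "--production"            # available from npm 6.10.0
    else
        return 1
    fi
}

# Run the audit against production dependencies only.
# Fails closed (exit status 2) instead of skipping the audit or silently
# auditing a different dependency set when no suitable flag exists.
run_prod_audit() {
    flag=$(audit_prod_flag "$(npm --version)") || {
        echo "npm version cannot exclude devDependencies from audit" >&2
        return 2
    }
    npm audit "$flag"
}

# In a CI step, after sourcing this file:  run_prod_audit
```
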