
I'm looking to change the default behavior of npm audit.

The default behavior is to audit all packages, including developer-only packages. This is not very useful, as I trust my development environment and care more about production level security. This is not to say I'm ignoring the development vulnerabilities entirely, as I still have been looking them over, but rather would like to put my focus on what's more important--production.

npm audit has had the --production flag for the audit command since version 6. How can I make this flag default to true when running npm audit? I'd like to specify --production (or --omit=dev) for NPM install in my package.json. Is this possible?

(Also, any discussion about the ramifications of this action or to clarify any misconceptions you think I might have would be welcome too, as I can't object to learning more.)

Salvatore
robinspi

2 Answers

3

You can do it by setting an environment variable from within package.json. This works for both npm audit and install.

The environment variable you want to set is NODE_ENV:

omit will default to dev if you set the NODE_ENV environment variable to 'production'

For example:

...
"scripts": {
  "test": "NODE_ENV=test"
},
...
Salvatore
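A package.json that applies the NODE_ENV approach from this answer to both commands the question asks about, as an added example rather than the answer's own snippet (the package name and script names are assumed):

```json
{
  "name": "example-app",
  "scripts": {
    "audit:prod": "NODE_ENV=production npm audit",
    "audit:all": "npm audit",
    "install:prod": "NODE_ENV=production npm install",
    "audit:prod-flag": "npm audit --omit=dev"
  }
}
```

`npm run audit:prod` reports only production dependencies, while `audit:all` keeps the default so dev-only findings can still be reviewed; the `VAR=value command` prefix is POSIX-shell syntax, so on Windows cmd the `--omit=dev` form from the question is the portable choice.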
1

Another way to do this is to use a bash alias:

NOTE: THIS METHOD ONLY WORKS WITH BASH, ZSH, AND MAYBE KSH (I don't have ksh, so I cannot test it.)

alias paudit='npm audit --production'

And if for some reason you don't want this anymore, you can use the following code to remove the environment variable:

unalias paudit

To use the env var, simply type the alias name:

paudit

This is the same as typing npm audit --production.

If you try this now, it will work. However, when you close the terminal and reopen it, the env var will be erased and thus you have to redefine it again. To make the env var persist after you restart the terminal or even your computer, open up ~/.bash_aliases in a code editor such as VS Code, not TextEdit or Notepad (if this file does not exist, create it). Then, type

alias paudit='npm audit --production'

Now, you are set: when you type paudit, it is going to audit only the production packages, and it will work anywhere you want without the hassle of setting it every time you have a new project.