[BUG] npm ci runs npm audit #2703
Comments
Why shouldn’t it run it by default? The packages you use won’t have changed, but they might be newly known to be vulnerable.
@ljharb it is my understanding that
Essentially, only performed the installation step, no audit was performed. VS the regular
All I'm asking is if this is expected behaviour?
I don't believe the presence of audit warnings can fail an install.
You're correct @ljharb, sorry for the confusion 👍 I guess this wouldn't make this change a breaking one, so
I'll leave it to npm staff to answer that - I'm not sure if it's an intentional change or not, and thus whether the docs need improving or not. However, it seems useful to me for
@JGAntunes sorry for the confusion. We're going to update our docs to be more clear here. The current implementation is working as expected in v7.
Hi @darcyclarke I'd like to work on updating the docs if it's still possible
docs updates shipped with
Apologies beforehand if this has been described or reported somewhere already. I've looked through the issues as well as through both of the release posts - https://blog.npmjs.org/post/626173315965468672/npm-v7-series-beta-release-and-semver-major & https://github.blog/2020-10-13-presenting-v7-0-0-of-the-npm-cli/ - but found no reference to this.
Current Behavior:
Using:
On a JS project with a package.json and package-lock.json (been using the following as an example).
Running npm ci returns the following:
Running npm ci --audit false returns the following:
Expected Behavior:
It is my understanding that npm ci should not run npm audit by default. Running npm ci should render the example above that is presented by running npm ci --audit false.
Steps To Reproduce:
npm ci
Environment: