Consider removing dev dependencies before publishing a package.
springcomp opened this issue · 7 comments
Please, consider removing dev dependencies when publishing a package.
This will help reduce the vulnerabilities reported when installing a package to only those that can actually have an impact on our users.
I read that this was indeed the case but was never able to actually make it work.
Here is my repro case:
mkdir p
cd p/
npm init --yes
npm install yeoman-generator@5
added 318 packages, and audited 319 packages in 9s

40 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

npm install generator-license

added 582 packages, and audited 901 packages in 20s

75 packages are looking for funding
  run `npm fund` for details

11 vulnerabilities (3 moderate, 3 high, 5 critical)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
This does not happen after applying my suggested PR.
Can you point out what I'm doing wrong?
This is standard behaviour of npm. Use the --production flag when installing to exclude the dev dependencies.
This also happens, unfortunately, when using the --production or --omit=dev flags.
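The exchange above turns on which of the reported advisories can actually reach someone who installs the package. npm never installs the devDependencies of a dependency, so --production / --omit=dev only drops the root project's own devDependencies; a finding that survives those flags sits in the production tree. The script below is an added example, not code from this thread or from the yeoman project: it reads an npm 7+ package-lock.json (lockfileVersion 2 or 3, where packages reachable only through devDependencies carry "dev": true) together with an `npm audit --json` report (whose per-advisory "nodes" list holds those same node_modules paths) and splits the findings into ones that affect a production install and ones that live only in the dev tree. The lockfile, the audit report, the package names and the advisories embedded in it are constructed samples, not real packages or real vulnerabilities.

```python
"""Split npm audit findings into production-reachable and dev-only.

Added example, not part of the original issue thread. Assumes:
  * package-lock.json in the npm 7+ format (lockfileVersion 2 or 3), where an
    entry under "packages" carries "dev": true when it is reachable only
    through the root project's devDependencies;
  * the `npm audit --json` report format (auditReportVersion 2), where each
    entry under "vulnerabilities" lists the affected node_modules paths in
    "nodes".
Both inputs below are constructed samples with fictional package names.
"""
import json
import sys

# Constructed lockfile fragment: "sample-lib" is a production dependency;
# "sample-devtool" and its nested copy of sample-lib are dev-only.
SAMPLE_LOCKFILE = json.dumps({
    "name": "p",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "name": "p",
            "dependencies": {"sample-lib": "^1.0.0"},
            "devDependencies": {"sample-devtool": "^0.1.0"},
        },
        "node_modules/sample-lib": {"version": "1.0.0"},
        "node_modules/sample-devtool": {"version": "0.1.0", "dev": True},
        "node_modules/sample-devtool/node_modules/sample-lib": {
            "version": "0.9.0", "dev": True,
        },
    },
})

# Constructed audit report fragment in the npm 7+ shape. The advisories are
# invented for the example and do not describe real vulnerabilities.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "sample-lib": {
            "name": "sample-lib", "severity": "high", "isDirect": True,
            "range": "<1.0.1",
            "nodes": [
                "node_modules/sample-lib",
                "node_modules/sample-devtool/node_modules/sample-lib",
            ],
        },
        "sample-devtool": {
            "name": "sample-devtool", "severity": "critical",
            "isDirect": False, "range": "<0.2.0",
            "nodes": ["node_modules/sample-devtool"],
        },
    },
})


def dev_only_packages(lockfile_text):
    """Return the set of node_modules paths flagged "dev": true in the lockfile."""
    lock = json.loads(lockfile_text)
    return {
        path for path, meta in lock.get("packages", {}).items()
        if path and meta.get("dev")
    }


def classify_findings(lockfile_text, audit_text):
    """Split audit findings by whether any affected node is in the prod tree.

    A finding is "dev_only" only if every affected path is a dev-only node.
    Findings with no "nodes" information are treated as production to stay
    conservative. Lists are sorted by name so results are deterministic.
    """
    dev_paths = dev_only_packages(lockfile_text)
    report = json.loads(audit_text)
    result = {"production": [], "dev_only": []}
    for name, vuln in report.get("vulnerabilities", {}).items():
        nodes = vuln.get("nodes", [])
        bucket = "dev_only" if nodes and all(n in dev_paths for n in nodes) else "production"
        result[bucket].append((name, vuln.get("severity", "unknown")))
    for bucket in result:
        result[bucket].sort()
    return result


def main(argv):
    # Usage: python audit_split.py package-lock.json audit.json
    # (audit.json produced with `npm audit --json`); no args runs the sample.
    if len(argv) == 3:
        with open(argv[1]) as f:
            lockfile_text = f.read()
        with open(argv[2]) as f:
            audit_text = f.read()
    else:
        lockfile_text, audit_text = SAMPLE_LOCKFILE, SAMPLE_AUDIT
    result = classify_findings(lockfile_text, audit_text)
    for bucket, findings in result.items():
        print(f"{bucket}: {len(findings)}")
        for name, severity in findings:
            print(f"  {severity:<9} {name}")
    return result


if __name__ == "__main__":
    main(sys.argv)
```

Run it inside the repro directory after `npm audit --json > audit.json`; anything listed under production is what a consumer of the package receives regardless of --omit=dev, which is the set the thread's maintainer reply says should be fixed by updating the dependencies rather than hidden.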
I think the correct way is to update the vulnerable dependencies and not to hide the fact that particular package was built or is using old packages.
Please try v5.6.0 package.
Thank you that works.