
[FEATURE] npm ls outputs the complete dependency tree, including subtrees under extraneous modules #576

Closed
yalinhuang opened this issue Dec 9, 2019 · 2 comments

Comments

@yalinhuang

What / Why

npm ls is helpful for discovering installed modules, and its use extends to many best practices for software packaging hygiene. One example is detecting whether users install ad hoc modules without going through proper tooling. This can be done by detecting the extraneous annotation in npm ls output.

However, the current npm ls truncates the dependencies of extraneous modules -- https://github.com/npm/cli/blob/latest/lib/ls.js#L82, introduced by npm/npm#6064. That is, we would miss the transitive dependencies of an ad hoc installation. This can lead to false positives in security scans, increasing unknown risks.

I would like to propose revealing all these details under a flag, say --include-extraneous-dep.

Where

  • npm ls

How

By feature flag

Current Behavior

npm ls truncates the dependencies from extraneous modules.

Expected Behavior

npm ls --include-extraneous-dep outputs the complete dependency tree.
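As an added example (not code from this issue or from npm itself), here is the hygiene check the opening post describes, run over a hand-constructed tree in the shape of `npm ls --json` output. It assumes npm's JSON format marks ad hoc installs with `"extraneous": true` and omits the `dependencies` key for a truncated subtree; the package names are made up.

```javascript
// Walk the JSON form of `npm ls --json` and report every module flagged
// "extraneous", i.e. present in node_modules without being declared by any
// package.json in the tree. Added example, not npm's own code.
// The sample tree is constructed by hand; "ad-hoc-tool" has no `dependencies`
// key at all, mimicking the truncation the issue describes.
const sampleTree = {
  name: 'app',
  version: '1.0.0',
  dependencies: {
    express: {
      version: '4.17.1',
      dependencies: {
        // extraneous, but its (empty) subtree is still reported
        'leftover-lib': { version: '0.1.0', extraneous: true, dependencies: {} },
      },
    },
    'ad-hoc-tool': {
      version: '2.3.0',
      extraneous: true,
      // no `dependencies` key: whatever this tool pulled in is invisible here
    },
  },
};

// Depth-first walk; returns one record per extraneous node, in tree order.
function findExtraneous(tree, parentPath = []) {
  const found = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...parentPath, name];
    if (node.extraneous) {
      found.push({
        path: path.join(' > '),
        version: node.version,
        // false when npm truncated the subtree, so it could not be reviewed
        subtreeShown: Object.prototype.hasOwnProperty.call(node, 'dependencies'),
      });
    }
    found.push(...findExtraneous(node, path));
  }
  return found;
}

// Summary for a scan: how many ad hoc installs exist, and which of them hide
// their transitive dependencies (the blind spot the issue is about).
function report(tree) {
  const extraneous = findExtraneous(tree);
  return {
    extraneousCount: extraneous.length,
    unreviewedSubtrees: extraneous.filter((e) => !e.subtreeShown).map((e) => e.path),
  };
}

console.log(JSON.stringify(report(sampleTree), null, 2));
```

On a real project, feed the parsed output of `npm ls --json` to `report` instead of `sampleTree`.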

@duansheli

I wanted to look at the current project's dependency tree,
so I ran npm ls --depth=1

Good grief... a pile of errors

npm ERR! extraneous: @babel/core@7.7.7  xxx
...
...
npm ERR! extraneous: @babel/core@7.7.7  xxx

Searched online,
tried npm prune, no effect.
Figured this is probably just log output:
npm ls --depth=1 --loglevel slient
Still can't get rid of it.

@darcyclarke
Contributor

Closing, as this should not be the case in npm v7.
