
fix(ls): make --omit filter npm ls #4744

Merged
merged 2 commits into from
Apr 13, 2022

Conversation


@lukekarrys lukekarrys commented Apr 13, 2022

This makes npm ls use the same logic as other commands (eg outdated)
when parsing config items that filter the output based on package type.

Previously --development and --production had special semantics when
used with npm ls that were inconsistent with the rest of the CLI. To
achieve the same behavior as these deprecated flags use:

  • in place of --development use --omit peer --omit prod --omit optional
  • in place of --production use --omit dev --omit peer

Fixes #4739
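A toy model of the behaviour this PR describes, written as an added example in JavaScript (not npm's own code): the root package, its edges and their `installed` flags are constructed here, the `--omit` equivalents come from the PR description above, and the "missing" message shape follows the ELSPROBLEMS line quoted later in this thread.

```javascript
// Added example (not npm's code): toy model of `npm ls` edge filtering by type under `--omit` (npm/cli#4744).
// `--omit` equivalents of the deprecated flags, as listed in the PR description.
const LEGACY_FLAG_OMITS = {
  development: ['peer', 'prod', 'optional'],
  production: ['dev', 'peer'],
};

// Constructed sample: a hypothetical root package and its declared edges;
// `installed` says whether the dep is in node_modules (dev deps were never installed).
const ROOT = { name: 'example-app', version: '1.0.0' };
const EDGES = [
  { name: 'express', spec: '^4.18.0', type: 'prod', installed: true },
  { name: 'lodash', spec: '^4.17.0', type: 'prod', installed: true },
  { name: 'jest', spec: '^28.0.0', type: 'dev', installed: false },
  { name: '@babel/cli', spec: '^7.8.4', type: 'dev', installed: false },
  { name: 'fsevents', spec: '^2.3.0', type: 'optional', installed: true },
  { name: 'react', spec: '^18.0.0', type: 'peer', installed: true },
];

// Fixed behaviour: edges whose type is in `omit` are skipped before the "missing"
// check, so absent dev deps no longer raise ELSPROBLEMS under `--omit=dev`.
function lsFixed(edges, omit, root = ROOT) {
  const skip = new Set(omit);
  const shown = [];
  const problems = [];
  for (const e of edges) {
    if (skip.has(e.type)) continue;
    if (!e.installed) {
      // Same shape as the `npm ERR! missing: ...` line quoted in this thread.
      problems.push(`missing: ${e.name}@${e.spec}, required by ${root.name}@${root.version}`);
      continue;
    }
    shown.push(e.name);
  }
  return { shown, problems, code: problems.length ? 'ELSPROBLEMS' : null };
}

// Pre-fix behaviour reported in npm/cli#4739: `--omit` was not applied by ls,
// so every edge is walked regardless of the requested omit list.
function lsBefore(edges, _omit, root = ROOT) {
  return lsFixed(edges, [], root); // `_omit` deliberately ignored
}

// Map a deprecated flag to the `--omit` list that replaces it.
function omitForLegacyFlag(flag) {
  const omit = LEGACY_FLAG_OMITS[flag];
  if (!omit) throw new Error(`unknown legacy flag: --${flag}`);
  return omit;
}
```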

@lukekarrys lukekarrys requested a review from a team as a code owner April 13, 2022 17:41
@lukekarrys lukekarrys force-pushed the lk/omit-ls branch 2 times, most recently from 85433d1 to cc32a51 Compare April 13, 2022 17:53

npm-robot commented Apr 13, 2022

no statistically significant performance changes detected

timing results

| app-large | clean | lock-only | cache-only | cache-only peer-deps | modules-only | no-lock | no-cache | no-modules | no-clean | no-clean audit |
|---|---|---|---|---|---|---|---|---|---|---|
| npm@8 | 52.029 ±1.41 | 31.312 ±0.00 | 29.239 ±15.63 | 20.736 ±0.69 | 3.153 ±0.02 | 3.191 ±0.02 | 2.566 ±0.07 | 11.931 ±0.02 | 2.541 ±0.03 | 3.608 ±0.06 |
| #4744 | 54.743 ±6.74 | 31.078 ±0.18 | 26.373 ±8.14 | 21.012 ±0.52 | 3.317 ±0.05 | 3.273 ±0.02 | 2.579 ±0.01 | 12.083 ±0.09 | 2.556 ±0.00 | 3.745 ±0.18 |

| app-medium | clean | lock-only | cache-only | cache-only peer-deps | modules-only | no-lock | no-cache | no-modules | no-clean | no-clean audit |
|---|---|---|---|---|---|---|---|---|---|---|
| npm@8 | 37.822 ±2.00 | 24.243 ±0.09 | 13.717 ±0.01 | 14.657 ±0.03 | 2.887 ±0.02 | 2.915 ±0.00 | 2.548 ±0.04 | 8.974 ±0.04 | 2.443 ±0.02 | 3.329 ±0.06 |
| #4744 | 38.775 ±1.50 | 24.405 ±0.04 | 13.924 ±0.05 | 14.743 ±0.16 | 2.923 ±0.02 | 2.957 ±0.02 | 2.552 ±0.03 | 8.949 ±0.08 | 2.414 ±0.02 | 3.297 ±0.04 |

@lukekarrys lukekarrys force-pushed the lk/omit-ls branch 2 times, most recently from 9b3dac9 to 4ff2050 Compare April 13, 2022 21:45
This makes `npm ls` use the same logic as other commands (eg `outdated`)
when parsing config items that filter the output based on package type.

Previously `--development` and `--production` had special semantics when
used with `npm ls` that were inconsistent with the rest of the CLI. To
achieve the same behavior as these deprecated flags use:

- in place of `--development` use `--omit peer --omit prod --omit optional`
- in place of `--production` use `--omit dev --omit peer`

Fixes #4739
@fritzy fritzy merged commit 45869f4 into latest Apr 13, 2022
@fritzy fritzy deleted the lk/omit-ls branch April 13, 2022 22:02
@lukekarrys lukekarrys mentioned this pull request Apr 14, 2022
wraithgar added a commit that referenced this pull request Apr 19, 2022
tap snapshots don't fail if there are extra snapshots that aren't
evaluated during the course of a test.  There were tests removed in
#4744 that didn't get removed from
snapshots.

This removes those snapshots
trentm added a commit to elastic/apm-agent-nodejs that referenced this pull request Jul 18, 2022
The "Dist" step in the release process in Jenkinsfile was failing with

    npm ERR! code ELSPROBLEMS
    npm ERR! missing: @babel/cli@^7.8.4, required by elastic-apm-node@3.37.0
    ... ditto for every *dev* dependency ...

The part that was actually failing was 'npm ls --omit=dev --all --parseable'
in "gen-notice.sh" when run in a dist tree that only has the non-dev deps
installed.

The issue was a too-old npm: node 16.15.0 includes npm 8.5.5, but we
require npm v8.7.0 to get support for 'npm ls --omit=dev ...'
(npm/cli#4744).
trentm added a commit to elastic/apm-agent-nodejs that referenced this pull request Jul 19, 2022
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this pull request Aug 4, 2023
Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies that lack resolution from the
  developers. Vue developers consider `npm audit` a broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486.
- Development packages are not relevant for the production payload.
- False positives create the behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.

`npm audit --omit=dev` is used instead of `npm audit --production`, which
is deprecated as of npm v8.7.0 (npm/cli#4744).
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this pull request Aug 4, 2023
Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies that lack resolution from the
  developers. Vue developers consider `npm audit` a broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create the behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on the README file, giving a wrong picture
  of the security posture to users.

`npm audit --omit=dev` is used instead of `npm audit --production`, which
is deprecated as of npm v8.7.0 (npm/cli#4744).
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this pull request Aug 8, 2023
This commit changes the behavior of auditing to audit only production
dependencies.

Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies that lack resolution from the
  developers. Vue developers consider `npm audit` a broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create the behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on the README file, giving a wrong picture
  of the security posture to users.

`npm audit --omit=dev` is used instead of `npm audit --production`, which
is deprecated as of npm v8.7.0 (npm/cli#4744).
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this pull request Aug 8, 2023
undergroundwires added a commit to undergroundwires/privacy.sexy that referenced this pull request Aug 8, 2023
This commit changes the behavior of auditing to audit only production
dependencies.

Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.

The reasons include:

- Vulnerabilities in developer dependencies cause pipelines to fail
  on every run.
- This is caused by dependencies that lack resolution from the
  developers. Vue developers consider `npm audit` a broken design and do
  not prioritize solutions. Discussions: vuejs/vue-cli#6637,
  vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
  vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create the behavior of ignoring them completely instead of
  taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on the README file, giving a wrong picture
  of the security posture to users.

`npm audit --omit=dev` is used instead of `npm audit --production`, which
is deprecated as of npm v8.7.0 (npm/cli#4744).

This commit also removes exiting with the output of the `npm audit` command,
to fix exiting with textual output leading to failures.
LarrMarburger added a commit to LarrMarburger/privacy.sexy that referenced this pull request Nov 16, 2023
Successfully merging this pull request may close these issues.

[BUG] npm ls --omit=dev does not omit dev dependencies