fix(ls): make `--omit` filter `npm ls` #4744

lukekarrys · 2022-04-13T17:41:56Z

This makes npm ls use the same logic as other commands (eg outdated)
when parsing config items that filter the output based on package type.

Previously --development and --production has special semantics when
used with npm ls that were inconsistent with the rest of the CLI. To
achieve the same behavior as these deprecated flags use:

in place of --development use --omit peer --omit prod --omit optional
in place of --production use --omit dev --omit peer

Fixes #4739

npm-robot · 2022-04-13T18:12:30Z

no statistically significant performance changes detected

timing results

app-large	clean	lock-only	cache-only	cache-only peer-deps	modules-only	no-lock	no-cache	no-modules	no-clean	no-clean audit
npm@8	52.029 ±1.41	31.312 ±0.00	29.239 ±15.63	20.736 ±0.69	3.153 ±0.02	3.191 ±0.02	2.566 ±0.07	11.931 ±0.02	2.541 ±0.03	3.608 ±0.06
#4744	54.743 ±6.74	31.078 ±0.18	26.373 ±8.14	21.012 ±0.52	3.317 ±0.05	3.273 ±0.02	2.579 ±0.01	12.083 ±0.09	2.556 ±0.00	3.745 ±0.18

app-medium	clean	lock-only	cache-only	cache-only peer-deps	modules-only	no-lock	no-cache	no-modules	no-clean	no-clean audit
npm@8	37.822 ±2.00	24.243 ±0.09	13.717 ±0.01	14.657 ±0.03	2.887 ±0.02	2.915 ±0.00	2.548 ±0.04	8.974 ±0.04	2.443 ±0.02	3.329 ±0.06
#4744	38.775 ±1.50	24.405 ±0.04	13.924 ±0.05	14.743 ±0.16	2.923 ±0.02	2.957 ±0.02	2.552 ±0.03	8.949 ±0.08	2.414 ±0.02	3.297 ±0.04

This makes `npm ls` use the same logic as other commands (eg `outdated`) when parsing config items that filter the output based on package type. Previously `--development` and `--production` has special semantics when used with `npm ls` that were inconsistent with the rest of the CLI. To achieve the same behavior as these deprecated flags use: - in place of `--development` use `--omit peer --omit prod --omit optional` - in place of `--production` use `--omit dev --omit peer` Fixes #4739

tap snapshots don't fail if there are extra snapshots that aren't evaluated during the course of a test. There were tests removed in #4744 that didn't get removed from snapshots. This removes those snapshots

The "Dist" step in the release process in Jenkinsfile was failing with npm ERR! code ELSPROBLEMS npm ERR! missing: @babel/cli@^7.8.4, required by elastic-apm-node@3.37.0 ... ditto for every *dev* dependency ... The part that was actually failing was 'npm ls --omit=dev --all --parseable' in "gen-notice.sh" when run in a dist try that only has the non-dev deps installed. The issue was a too-old npm: node 16.15.0 includes npm 8.5.5, but we require npm v8.7.0 to get support for 'npm ls --omit=dev ...' (npm/cli#4744).

Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.

Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.

This commit changes the behavior of auditing to audit only production dependencies. Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.

This commit changes the behavior of auditing to audit only production dependencies. Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744. This commit also removes exiting with output of `npm audit` command to fix exiting with textual output, leading to failures.

lukekarrys requested a review from a team as a code owner April 13, 2022 17:41

lukekarrys force-pushed the lk/omit-ls branch 2 times, most recently from 85433d1 to cc32a51 Compare April 13, 2022 17:53

wraithgar approved these changes Apr 13, 2022

View reviewed changes

lukekarrys force-pushed the lk/omit-ls branch 2 times, most recently from 9b3dac9 to 4ff2050 Compare April 13, 2022 21:45

lukekarrys added 2 commits April 13, 2022 14:46

chore: remove deprecated configs from Makefile

6dfbc46

lukekarrys force-pushed the lk/omit-ls branch from 4ff2050 to 6dfbc46 Compare April 13, 2022 21:47

fritzy merged commit 45869f4 into latest Apr 13, 2022

fritzy deleted the lk/omit-ls branch April 13, 2022 22:02

lukekarrys mentioned this pull request Apr 14, 2022

Release/v8.7.0 #4748

Merged

npm-robot mentioned this pull request Apr 14, 2022

deps: upgrade npm to 8.7.0 nodejs/node#42744

Closed

wraithgar mentioned this pull request Apr 19, 2022

fix: consolidate registryConfig application logic #4775

Merged

wraithgar mentioned this pull request Apr 19, 2022

chore: ls test snapshots #4776

Merged

trentm mentioned this pull request Jul 18, 2022

fix: "Dist" step failed in Jenkins with ELSPROBLEMS elastic/apm-agent-nodejs#2831

Merged

jkowalleck mentioned this pull request Oct 26, 2022

"--omit dev" created a lot of "DummyComponent.InterferedDependency..." entries in the BOM CycloneDX/cyclonedx-node-npm#254

Closed

Omrisnyk mentioned this pull request Sep 5, 2024

[Snyk] Security upgrade npm from 5.6.0 to 8.7.0 Omrisnyk/hibernate-demos#94

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(ls): make `--omit` filter `npm ls` #4744

fix(ls): make `--omit` filter `npm ls` #4744

lukekarrys commented Apr 13, 2022 •

edited

Loading

npm-robot commented Apr 13, 2022 •

edited

Loading

fix(ls): make --omit filter npm ls #4744

fix(ls): make --omit filter npm ls #4744

Conversation

lukekarrys commented Apr 13, 2022 • edited Loading

npm-robot commented Apr 13, 2022 • edited Loading

fix(ls): make `--omit` filter `npm ls` #4744

fix(ls): make `--omit` filter `npm ls` #4744

lukekarrys commented Apr 13, 2022 •

edited

Loading

npm-robot commented Apr 13, 2022 •

edited

Loading