Today npm audit
has a limited set of options to filter the packages that are included or excluded from it's scope. There has also been very public, legitimate critcism about the signal to noise ratio of npm audit
's ouput. Unfortunately, this has lead many developers to turn off npm audit
checks completely during installation (ex. --no-audit
) or switching to alternative package managers who do not run audits by default.
The current configuration options are based on Arborist
's underlying support for, & limited to, package types (ie. --omit
& --include
can be used today to filter by only prod
, dev
, optional
& peer
dependency types today). Expanding npm audit
's filter capabilities & leveraging the new, rebust Dependency Selector Syntax - at the command-line/project-level - will help end-users define complex groups of dependencies to be included.
Add support for a new --query
flag to npm audit
which takes a Dependency Selector as it's value.
When the --query
flag is defined it will set --omit
& --include
values to empty & configure Arborist
to run the tree.querySelectorAll("<query-selector-string-value>")
.
Audit Resolutions is one of the oldest RFC's still open which has a similar scope/goal. In that RFC a ADVISORY_NUMBER|DEPENDENCY_PATH
value is referenced as the ideal value to apply "resolutions". In this alternative, a Dependency Selector will be used which, today, already supports paths/ancestory via the direct decendant/child combinator (>
). Advisory metadata & pseudo selector support (ex. :cve()
, :cwe()
& :vulnerable
) was defined in the original Dependency Selector Syntax RFC & is queued up to be worked on by the npm CLI team.