npm audit --only=prod is not ignoring dev dependency vulnerabilities #440

@mportela

In our huskyCI/api/config.yaml file, npm audit tries to analyse only the prod dependencies using the command:

npm audit --only=prod --json > /tmp/results.json 2> /tmp/errorNpmaudit

but this command keeps reporting vulnerabilities from dev dependencies 😭 ...

reference: npm/cli#125

To solve this issue while they don't have this fixed, we could use an intermediate helper script that parses the audit JSON result and generates a final result without the dev dependencies...

npm audit --json >> /tmp/audit_report.json
npm run audit:process

like this:
https://medium.com/@linzhao/npm-audit-with-travis-ci-d7acc3e2195a

To reproduce the npm audit problem of ignoring only=prod:

mkdir test_audit
cd test_audit
npm init
npm i -D [email protected]
npm audit --only=prod

This will print dev dependency vulnerabilities...
