Difference between `npm install` and `npm audit` counts?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP



Difference between `npm install` and `npm audit` counts?



After the recent addition of npm audit (for auditing dependencies) I noticed a huge discrepancy between how many packages are added (installed in node_modules) and how many are audited by npm. Here's an example:


npm audit


added


node_modules


audited


npm



npm install output



Here are my questions:


281


npm



It makes sense to me that npm might have to go back out and audit other package versions if it finds a vulnerability, but in this case it found 0 vulnerabilities so why the additional work?


npm


audit


found 0 vulnerabilities



UPDATE:



I think there's a little confusion about top-level vs sub dependencies. Run the following commands to reproduce a similar discrepancy:


mkdir test-npm-count-discrepancy
cd test-npm-count-discrepancy
npm init
npm i standard-version



Notice that (at the time of writing this) 200+ dependencies are added (i.e. standard-version and all its sub dependencies) but 1000+ packages are audited. Just to re-iterate, the main question from above is "why is npm auditing more packages than what's actually installed?".


200+


added


standard-version


1000+


audited


npm





Isn't npm checking nested packages?
– Zooly
9 hours ago





It is but 281 is the count of top-level + nested packages (I think). There's less than 10 dependencies listed in my actual package.json.
– Skip Jack
8 hours ago



281


package.json





considering 281 is the number of local modules you have if you do npm ls --depth=0 and doing a npm ls will show you the list of nested modules that got auto installed along with those modules.
– Raktim Biswas
8 hours ago


npm ls --depth=0


npm ls





@RaktimBiswas no npm ls --depth=0 will only list my 8 explicitly installed packages. npm ls lists exactly 281 if you account for deduped lines. I'm 99% sure the answer to my first question is yes, 281 is the total number (top-level and nested). There is definitely a discrepancy what audit looks at and what's installed locally.
– Skip Jack
1 hour ago


npm ls --depth=0


npm ls


deduped


281


audit




1 Answer
1



For the first question:
- the community, without a link to something like a dependency list or your package.json, wouldn't really be able to say so. However, if in your package file only has a few, then it still is normal most of the time. You may have installed 12 yourself, but NPM auto-installs most, if not all, dependencies for your app's dependencies for you. It helps things speed up your workflow.



For the second question:
- as mentioned in my response to the first question, it is auditing both the ones you installed and the ones that were installed automatically so that the ones you installed work properly.



For the third question:
- It always checks for vulnerabilities marked by developers so you can have the latest version which is, most of the time, the least buggy, the most functional, and most secure.



Edit:
The whole point of npm install is to update current dependencies and install new ones to the directory. The point of npm audit is to check for dependencies that have updates marked to fix security issues.


npm install


npm audit





I appreciate the answer but please see the comments above. It's definitely not a nested vs top-level dependency issue. I understand you're request for an example though and while I can't share the repo from the screenshot, I can share some minimal npm commands to reproduce the discrepancy.
– Skip Jack
50 mins ago


npm





@SkipJack, Yeah I know what you mean with not being able to share the package file. However, the audit should be looking at everything from what you installed via the package and what was installed with those dependencies so that they work and so on and so forth. But the whole point of "npm install" is to update current dependencies and install new ones to the directory. The point of "npm audit" is to check for dependencies that have updates marked to fix security issues.
– doamatto
3 mins ago






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

Firebase Auth - with Email and Password - Check user already registered

Image
Clash Royale CLAN TAG #URR8PPP Firebase Auth - with Email and Password - Check user already registered I want to check when a user attempts to signup with createUserWithEmailAndPassword() in Firebase user Authentication method, this user is already registered with my app. createUserWithEmailAndPassword() 8 Answers 8 To detect whether a user with that email address already exists, you can detect when the call to createUserWithEmailAndPassword () fails with auth/email-already-in-use . I see that @Srinivasan just posted an answer for this. createUserWithEmailAndPassword () auth/email-already-in-use Alternatively, you can detect that an email address is already used by calling fetchSignInMethodsForEmail() (previous called fetchProvidersForEmail() ). fetchSignInMethodsForEmail() fetchProvidersForEmail() When the user trying to create an user with same email address, the task response will be "Response: The email address is already in use by another account." mFirebas
Read more

Dynamically update html content plain JS

Image
Clash Royale CLAN TAG #URR8PPP Dynamically update html content plain JS So I have a script bound in my index.html, which literally has to fetch an array of jsons from an api, then dynamically update my page when get response. But as a result I'm getting an as the only update of my page. here is my script fetch(url) .then((resp) => resp.json()) .then((resp) => resp.results.forEach(item => fetch(item.url) .then((response)=> response.json()) .then((response) => pokeArr.push(response)) .catch(console.log) ) ).catch(console.log) const filler = () => if(!pokeArr) return 0 pokeArr.map((i,j)=> return `<tr>$i.name</tr>` ) const pokeindex = () => document.getElementById('a').appendChild(document.createElement(filler())) pokeindex() When I'm consoling it, I can see in the console all the responses I get, so I'm at least doing the fetching part right. What's parberakan ? What's pokeArr ? – T.J. Crowder Aug 8 at 12
Read more

How to determine optimal route across keyboard

Image
Clash Royale CLAN TAG #URR8PPP How to determine optimal route across keyboard I'm trying to automate the typing process in a video game. Players are given an on-screen QWERTY keyboard layout that they can navigate with the control stick (up, down, left, right) in order to select a letter to type. I was wondering if there was a module for Python (or some other resource I could explore) that would help my program find a path across the keyboard as it types each letter in a given message. In other words, if the first letter typed was "A" and the next letter was "B", the module would know that the program should move 1 space down on the keyboard and 4 spaces to the right. Currently, I have the program resetting to the "G" key after each letter is typed (allowing me to use fixed-directions as the program parses each character in the desired message). As you can imagine, this is quite inefficient and defeats the purpose of automating the typing in the fir
Read more