Difference between `npm install` and `npm audit` counts?
After the recent addition of `npm audit` (for auditing dependencies) I noticed a huge discrepancy between how many packages are `added` (installed in `node_modules`) and how many are `audited` by `npm`. Here's an example:

(screenshot of the `npm install` output omitted)

Here are my questions:

It makes sense to me that `npm` might have to go back out and audit other package versions if it finds a vulnerability, but in this case it `found 0 vulnerabilities`, so why the additional work?
UPDATE:

I think there's a little confusion about top-level vs sub dependencies. Run the following commands to reproduce a similar discrepancy:

```
mkdir test-npm-count-discrepancy
cd test-npm-count-discrepancy
npm init
npm i standard-version
```

Notice that (at the time of writing this) `200+` dependencies are `added` (i.e. `standard-version` and all its sub dependencies) but `1000+` packages are `audited`. Just to reiterate, the main question from above is "why is `npm` auditing more packages than what's actually installed?".
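As an added check for the reproduction above (example script, not from the question or the answers): it pulls the `added` and `audited` numbers out of an `npm install` summary line and, independently, counts the package directories that really exist under `node_modules`, so the on-disk figure can be set against both numbers. The summary line and the small sample tree it builds are constructed for illustration; the path test assumes the standard `node_modules/<name>` and `node_modules/@<scope>/<name>` layout.

```shell
#!/bin/sh
# Added example, not part of the question or the answers.
# Two helpers for checking the "added" number against what is really on disk:
#   parse_install_summary - pulls the added/audited counts out of an
#                           npm install summary line
#   count_installed       - counts package directories under a node_modules
#                           tree (each directory holding its own package.json,
#                           nested node_modules included)
# The sample summary line and the sample tree below are constructed for
# illustration; the numbers are not taken from any real install.

parse_install_summary() {
  # $1: one npm install summary line. Prints "<added> <audited>".
  printf '%s\n' "$1" |
    sed -n 's/.*added \([0-9][0-9]*\) packages.*audited \([0-9][0-9]*\) packages.*/\1 \2/p'
}

count_installed() {
  # $1: path to a node_modules directory. Counts only package roots:
  # node_modules/<name>/package.json or node_modules/@<scope>/<name>/package.json,
  # so a package.json buried in a package's own lib/ subfolder is not counted.
  find "$1" -name package.json | awk -F/ '
    $(NF-2) == "node_modules" { c++; next }
    NF > 3 && $(NF-3) == "node_modules" && substr($(NF-2), 1, 1) == "@" { c++ }
    END { print c + 0 }'
}

make_sample_tree() {
  # Builds a constructed node_modules layout in a temp dir and prints its path:
  # four real packages (one scoped, one nested) plus a decoy lib/package.json.
  d=$(mktemp -d)
  for p in a b b/node_modules/c @scope/d; do
    mkdir -p "$d/node_modules/$p" && echo '{}' > "$d/node_modules/$p/package.json"
  done
  mkdir -p "$d/node_modules/a/lib" && echo '{}' > "$d/node_modules/a/lib/package.json"
  echo "$d/node_modules"
}

# Stand-alone run: parse a constructed summary line, then count the sample tree.
sample_line='added 4 packages from 3 contributors and audited 11 packages in 0.9s'
parse_install_summary "$sample_line"
count_installed "$(make_sample_tree)"
```

After running the commands above, `count_installed node_modules` inside the test directory gives the on-disk figure to compare with the two numbers npm printed.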
Isn't npm checking nested packages? – Zooly 9 hours ago

It is, but `281` is the count of top-level + nested packages (I think). There are fewer than 10 dependencies listed in my actual `package.json`. – Skip Jack 8 hours ago

Considering 281 is the number of local modules you have if you do `npm ls --depth=0`, doing a `npm ls` will show you the list of nested modules that got auto installed along with those modules. – Raktim Biswas 8 hours ago

@RaktimBiswas no, `npm ls --depth=0` will only list my 8 explicitly installed packages. `npm ls` lists exactly 281 if you account for `deduped` lines. I'm 99% sure the answer to my first question is yes, `281` is the total number (top-level and nested). There is definitely a discrepancy between what `audit` looks at and what's installed locally. – Skip Jack 1 hour ago

1 Answer

For the first question:

- The community, without a link to something like a dependency list or your `package.json`, wouldn't really be able to say so. However, if your package file only has a few, then it still is normal most of the time. You may have installed 12 yourself, but NPM auto-installs most, if not all, dependencies for your app's dependencies for you. It helps speed up your workflow.

For the second question:

- As mentioned in my response to the first question, it is auditing both the ones you installed and the ones that were installed automatically so that the ones you installed work properly.

For the third question:

- It always checks for vulnerabilities marked by developers so you can have the latest version which is, most of the time, the least buggy, the most functional, and most secure.

Edit:

The whole point of `npm install` is to update current dependencies and install new ones to the directory. The point of `npm audit` is to check for dependencies that have updates marked to fix security issues.

I appreciate the answer but please see the comments above. It's definitely not a nested vs top-level dependency issue. I understand your request for an example though, and while I can't share the repo from the screenshot, I can share some minimal `npm` commands to reproduce the discrepancy. – Skip Jack 50 mins ago

@SkipJack, Yeah I know what you mean with not being able to share the package file. However, the audit should be looking at everything from what you installed via the package and what was installed with those dependencies so that they work and so on and so forth. But the whole point of "npm install" is to update current dependencies and install new ones to the directory. The point of "npm audit" is to check for dependencies that have updates marked to fix security issues. – doamatto 3 mins ago