Difference between `npm install` and `npm audit` counts?







After the recent addition of npm audit (for auditing dependencies) I noticed a huge discrepancy between how many packages are added (installed in node_modules) and how many are audited by npm. Here's an example:





[Screenshot: npm install output]



Here are my questions:





It makes sense to me that npm might have to go back out and audit other package versions if it finds a vulnerability, but in this case it found 0 vulnerabilities so why the additional work?





UPDATE:



I think there's a little confusion about top-level vs sub dependencies. Run the following commands to reproduce a similar discrepancy:


mkdir test-npm-count-discrepancy
cd test-npm-count-discrepancy
npm init
npm i standard-version



Notice that (at the time of writing this) 200+ dependencies are added (i.e. standard-version and all its sub dependencies) but 1000+ packages are audited. Just to re-iterate, the main question from above is "why is npm auditing more packages than what's actually installed?".


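To make the numbers being argued about in this post concrete, here is an added example (not code from the question, the answer, or npm itself) that counts a dependency tree three ways from a package-lock.json v1 object, the npm 6 lockfile layout: physical directories under node_modules (what "added N packages" reports), distinct name@version pairs, and logical occurrences along every `requires` path. The lockfile, the package names and the DIRECT_DEPS list are constructed for illustration; they are not the real tree of standard-version.

```javascript
// Added example (not from the question): count a dependency tree three ways
// from a package-lock.json v1 object (npm 6 format). The lockfile below is
// constructed by hand to show the effect; it is not the real lockfile for
// standard-version or any other published package.

const SAMPLE_LOCK = {
  name: "test-npm-count-discrepancy",
  lockfileVersion: 1,
  requires: true,
  dependencies: {
    a: { version: "1.0.0", requires: { c: "^1.0.0", d: "^1.0.0" } },
    b: {
      version: "2.0.0",
      requires: { c: "^2.0.0", d: "^1.0.0" },
      // b needs a different major of c, so npm nests a second copy under
      // node_modules/b/node_modules/c instead of hoisting it to the root.
      dependencies: { c: { version: "2.1.0", requires: { d: "^1.0.0" } } },
    },
    c: { version: "1.3.0", requires: { d: "^1.0.0" } },
    d: { version: "1.0.0" },
  },
};

// Direct dependencies come from package.json, not the lockfile (assumed here).
const DIRECT_DEPS = ["a", "b"];

// 1. Physical count: every directory npm writes under node_modules, nested
//    copies included. This is the number "added N packages" reports.
function countPhysical(deps) {
  let n = 0;
  for (const meta of Object.values(deps || {})) {
    n += 1 + countPhysical(meta.dependencies);
  }
  return n;
}

// Resolve a name the way Node does: nearest enclosing node_modules first,
// then each parent, up to the root. The lockfile's semver ranges are not
// re-checked here; npm already placed a satisfying copy at the nearest scope.
function resolveName(name, scopeChain) {
  for (const scope of scopeChain) {
    if (scope && scope[name]) return scope[name];
  }
  return null;
}

// 2./3. Logical walk: follow every `requires` edge from the direct deps.
//    `occurrences` counts a package each time any path reaches it (a
//    node-per-edge count, larger than the physical count whenever a package
//    is shared); `unique` counts distinct name@version pairs. A name that
//    cannot be resolved means the lockfile is inconsistent with itself.
function countLogical(lock, directDeps) {
  let occurrences = 0;
  const unique = new Set();
  const unresolved = [];

  function visit(name, scopeChain, pathKeys) {
    const node = resolveName(name, scopeChain);
    if (!node) {
      unresolved.push([...pathKeys, name].join(" > "));
      return;
    }
    occurrences += 1;
    const key = `${name}@${node.version}`;
    unique.add(key);
    if (pathKeys.includes(key)) return; // cycle guard: circular deps exist in the wild
    const childScope = [node.dependencies, ...scopeChain];
    for (const child of Object.keys(node.requires || {})) {
      visit(child, childScope, [...pathKeys, key]);
    }
  }

  for (const name of directDeps) visit(name, [lock.dependencies], []);
  return { occurrences, unique: unique.size, unresolved };
}

function summarize(lock, directDeps) {
  const physical = countPhysical(lock.dependencies);
  const logical = countLogical(lock, directDeps);
  return { physical, ...logical };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(summarize(SAMPLE_LOCK, DIRECT_DEPS));
  // { physical: 5, occurrences: 8, unique: 5, unresolved: [] }
}
```

Run it with node. The physical and unique counts agree here because every nested copy is a distinct version; the occurrence count is higher only because c and d are reached through more than one path. Whatever number a tool prints, the security-relevant question is whether every distinct name@version in the tree was checked against the advisory database, which is the unique count; a tool reporting a larger figure than that is not necessarily checking more code, and a smaller one would mean something was skipped.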





Isn't npm checking nested packages?
– Zooly
9 hours ago





It is, but 281 is the count of top-level + nested packages (I think). There are fewer than 10 dependencies listed in my actual package.json.
– Skip Jack
8 hours ago








considering 281 is the number of local modules you have if you do npm ls --depth=0 and doing a npm ls will show you the list of nested modules that got auto installed along with those modules.
– Raktim Biswas
8 hours ago







@RaktimBiswas no, npm ls --depth=0 will only list my 8 explicitly installed packages. npm ls lists exactly 281 if you account for deduped lines. I'm 99% sure the answer to my first question is yes, 281 is the total number (top-level and nested). There is definitely a discrepancy between what audit looks at and what's installed locally.
– Skip Jack
1 hour ago






1 Answer



For the first question:
- the community, without a link to something like a dependency list or your package.json, wouldn't really be able to say. However, if your package file only has a few, that is still normal most of the time. You may have installed 12 yourself, but NPM auto-installs most, if not all, dependencies of your app's dependencies for you. It helps speed up your workflow.



For the second question:
- as mentioned in my response to the first question, it is auditing both the ones you installed and the ones that were installed automatically so that the ones you installed work properly.



For the third question:
- It always checks for vulnerabilities marked by developers so you can have the latest version which is, most of the time, the least buggy, the most functional, and most secure.



Edit:
The whole point of npm install is to update current dependencies and install new ones to the directory. The point of npm audit is to check for dependencies that have updates marked to fix security issues.


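The answer above says audit covers the packages you installed and the ones pulled in for them. Here is an added example (not code from the answer or from npm) showing what to do with that coverage: it triages the JSON that `npm audit --json` prints in the npm 6 layout (advisories keyed by id, each with `findings[].paths` naming the chain from a direct dependency down to the vulnerable copy, plus `metadata` counts) and decides whether a build should fail. The report, package names and advisory ids are constructed; the field layout and the `"<0.0.0"` convention for "no patched version" are taken from npm 6 reports as this example assumes them.

```javascript
// Added example (not from the answer or from npm): triage an `npm audit --json`
// report (npm 6 layout, assumed) and gate a build on it. The report below is
// constructed by hand; the package names and advisory ids are not real.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const SAMPLE_AUDIT = {
  actions: [],
  advisories: {
    "1": {
      id: 1,
      module_name: "constructed-dep-x",
      severity: "high",
      title: "Constructed prototype pollution advisory",
      vulnerable_versions: "<1.2.0",
      patched_versions: ">=1.2.0",
      // paths show the vulnerable copy is transitive: reached via a and via b>c
      findings: [{ version: "1.1.0", paths: ["a>constructed-dep-x", "b>c>constructed-dep-x"] }],
      url: "https://example.invalid/advisories/1",
    },
    "2": {
      id: 2,
      module_name: "constructed-dep-y",
      severity: "low",
      title: "Constructed ReDoS advisory",
      vulnerable_versions: "<=0.9.0",
      patched_versions: "<0.0.0", // assumed npm convention: no fixed version exists
      findings: [{ version: "0.9.0", paths: ["d>constructed-dep-y"] }],
      url: "https://example.invalid/advisories/2",
    },
  },
  muted: [],
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 },
    dependencies: 5,
    devDependencies: 0,
    optionalDependencies: 0,
    totalDependencies: 5,
  },
};

// Which direct dependencies (first path segment) pull the vulnerable module in.
// These are the entries in package.json that actually need bumping.
function directCulprits(advisory) {
  const culprits = new Set();
  for (const f of advisory.findings || []) {
    for (const p of f.paths || []) culprits.add(p.split(">")[0]);
  }
  return [...culprits].sort();
}

// Gate decision: fail on any advisory at or above `minSeverity`. Each failing
// entry names the direct deps to bump and whether a patched version exists at
// all (if not, the options are a workaround, a replacement, or accepting risk).
function auditGate(report, minSeverity = "high") {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const failing = [];
  for (const adv of Object.values(report.advisories || {})) {
    const rank = SEVERITY_RANK[adv.severity];
    if (rank === undefined || rank < threshold) continue;
    failing.push({
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      via: directCulprits(adv),
      fixAvailable: adv.patched_versions !== "<0.0.0",
    });
  }
  return {
    pass: failing.length === 0,
    audited: (report.metadata && report.metadata.totalDependencies) || 0,
    failing,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const result = auditGate(SAMPLE_AUDIT, "high");
  console.log(JSON.stringify(result, null, 2));
  process.exit(result.pass ? 0 : 1);
}
```

In a pipeline you would feed the real output of `npm audit --json` to `auditGate` instead of the constructed object; the `via` list is what turns "found 1 high vulnerability" into a concrete edit to package.json, and `fixAvailable` separates problems a version bump solves from ones that need a decision.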





I appreciate the answer but please see the comments above. It's definitely not a nested vs top-level dependency issue. I understand your request for an example though, and while I can't share the repo from the screenshot, I can share some minimal npm commands to reproduce the discrepancy.
– Skip Jack
50 mins ago







@SkipJack, Yeah I know what you mean with not being able to share the package file. However, the audit should be looking at everything from what you installed via the package and what was installed with those dependencies so that they work and so on and so forth. But the whole point of "npm install" is to update current dependencies and install new ones to the directory. The point of "npm audit" is to check for dependencies that have updates marked to fix security issues.
– doamatto
3 mins ago





