Greg Venech

Reputation: 9100

Difference between `npm install` and `npm audit` counts?

After the recent addition of npm audit (for auditing dependencies) I noticed a huge discrepancy between how many packages are added (installed in node_modules) and how many are audited by npm. Here's an example:

[screenshot: npm install output]

Here are my questions:

It makes sense to me that npm might have to go back out and audit other package versions if it finds a vulnerability, but in this case it found 0 vulnerabilities so why the additional work?

UPDATE:

I think there's a little confusion about top-level vs sub-dependencies. Run the following commands to reproduce a similar discrepancy:

mkdir test-npm-count-discrepancy
cd test-npm-count-discrepancy
npm init
npm i standard-version

Notice that (at the time of writing this) 200+ dependencies are added (i.e. standard-version and all its sub-dependencies) but 1000+ packages are audited. Just to reiterate, the main question from above is "why is npm auditing more packages than what's actually installed?".

Upvotes: 6

Views: 1739
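The question does not say how npm arrives at the larger number. As an added example (not code from the question or from npm itself), the script below reproduces one way the two counts can diverge, stated here as an assumption: the "added" figure counts directories npm writes under node_modules, while an audit over the lockfile counts the dependency graph unrolled into a tree, so a package required from many places is counted once per parent, and entries flagged dev or optional in the lock are included too. It runs offline on a constructed package.json and a constructed package-lock.json in the lockfileVersion 1 layout that npm 5/6 wrote; all package names are made up.

```python
"""Installed directories vs. unrolled dependency tree, computed from a lockfile.

Added example: not code from the original post or from npm. Input data is
constructed inline so the script runs offline.
"""
import json

# Constructed package.json: the project's own direct dependencies.
PACKAGE_JSON = {
    "dependencies": {"app-cli": "^2.0.0"},
    "devDependencies": {"lint-tool": "^5.0.0"},
}

# Constructed package-lock.json (lockfileVersion 1). Each "dependencies" entry
# mirrors a directory under node_modules (nested entries are nested
# node_modules); "requires" records the logical edges; "dev"/"optional" flag
# entries needed only by devDependencies / optionalDependencies.
PACKAGE_LOCK = json.loads("""
{"name": "test-npm-count-discrepancy", "version": "1.0.0", "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
   "app-cli":   {"version": "2.0.0", "requires": {"util-a": "^1.0.0", "util-b": "^1.0.0", "pretty": "^3.0.0"}},
   "util-a":    {"version": "1.0.0", "requires": {"tiny": "^2.0.0"}},
   "util-b":    {"version": "1.0.0", "requires": {"tiny": "^1.0.0", "util-a": "^1.0.0"},
                 "dependencies": {"tiny": {"version": "1.5.0"}}},
   "pretty":    {"version": "3.0.0", "requires": {"tiny": "^2.0.0", "watcher": "^1.0.0"}},
   "tiny":      {"version": "2.1.0"},
   "watcher":   {"version": "1.0.0", "optional": true, "requires": {"tiny": "^2.0.0"}},
   "lint-tool": {"version": "5.0.0", "dev": true, "requires": {"util-a": "^1.0.0"}}
 }}
""")


def _entry_at(lock, path):
    """Lock entry for a node_modules path such as ("util-b", "tiny")."""
    node = lock
    for name in path:
        node = node["dependencies"][name]
    return node


def installed_paths(lock):
    """Every lock entry, nested ones included: one per directory under node_modules."""
    found = []

    def walk(container, path):
        for name, entry in container.get("dependencies", {}).items():
            found.append(path + (name,))
            walk(entry, path + (name,))

    walk(lock, ())
    return found


def installed_count(lock):
    """The 'added N packages' notion: directories npm writes to disk."""
    return len(installed_paths(lock))


def resolve(lock, from_path, name):
    """Node's lookup order: the requiring package's own node_modules first,
    then each ancestor's node_modules, up to the project root."""
    for depth in range(len(from_path), -1, -1):
        if name in _entry_at(lock, from_path[:depth]).get("dependencies", {}):
            return from_path[:depth] + (name,)
    raise KeyError(f"{name!r} required from {'/'.join(from_path) or '<root>'} is missing from the lock")


def expanded_tree_size(lock, pkg, include_dev=True, include_optional=True):
    """Size of the dependency graph unrolled into a tree: one node per
    parent->child edge, so a package required from ten places counts ten
    times. Cycles are cut by not re-entering a package already on the
    current ancestor chain. (Assumed here to model an audit's count.)"""
    roots = list(pkg.get("dependencies", {}))
    if include_dev:
        roots += list(pkg.get("devDependencies", {}))
    size = 0

    def visit(path, chain):
        nonlocal size
        entry = _entry_at(lock, path)
        if entry.get("dev") and not include_dev:
            return
        if entry.get("optional") and not include_optional:
            return
        size += 1
        for required in entry.get("requires", {}):
            target = resolve(lock, path, required)
            if target not in chain:
                visit(target, chain | {target})

    for root in roots:
        target = resolve(lock, (), root)
        visit(target, frozenset({target}))
    return size


def summary(lock=PACKAGE_LOCK, pkg=PACKAGE_JSON):
    """Both counts side by side, plus the tree with dev or optional entries dropped."""
    return {
        "installed": installed_count(lock),
        "expanded_all": expanded_tree_size(lock, pkg),
        "expanded_prod_only": expanded_tree_size(lock, pkg, include_dev=False),
        "expanded_no_optional": expanded_tree_size(lock, pkg, include_optional=False),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:>22}: {value}")
```

With this eight-entry lockfile the unrolled tree has fourteen nodes: tiny alone is reached along five different paths and counted each time, the optional watcher subtree adds two, and the dev-only lint-tool subtree adds three. Replacing the constructed data with a real package.json and package-lock.json from a project directory gives the same two numbers for that project; the gap grows quickly with the amount of deduplication npm does on disk.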

Answers (1)

user8699261

For the first question: the community, without a link to something like a dependency list or your package.json, wouldn't really be able to say. However, if your package file only has a few, then it is still normal most of the time. You may have installed 12 yourself, but NPM auto-installs most, if not all, dependencies of your app's dependencies for you. It helps speed up your workflow.

For the second question: as mentioned in my response to the first question, it is auditing both the ones you installed and the ones that were installed automatically so that the ones you installed work properly.

For the third question: it always checks for vulnerabilities marked by developers so you can have the latest version, which is, most of the time, the least buggy, the most functional, and the most secure.

Edit: The whole point of npm install is to update current dependencies and install new ones to the directory. The point of npm audit is to check for dependencies that have updates marked to fix security issues.

Edit 2: I think I've got it: it could be auditing the installed dependencies for production, your dependencies, and the dev-dependencies to warn you that one of your dependencies was built insecurely by the developer.

Upvotes: 1
