Ashish Chinchkhede

Reputation: 51

npm update adds "dev:true" in package-lock.json

I'm auditing the packages in my project. I want to address the vulnerability for each package separately rather than running npm audit fix. Most of the vulnerabilities are in the dependencies and not in the main package which is installed. For example, I have installed package foo, and it added its dependencies to the package-lock.json, i.e. bar:1.1.0 etc. Now the vulnerability is for bar, which is fixed in patch version 1.1.1, so to fix it I'm updating the package using npm update bar.

On running the update command, the package-lock.json is flooded with version updates for packages, some of which are not relevant to bar, and more than 200 lines change in the lock file. Also, the npm update or npm audit fix command adds "dev": true in almost all the package definitions, which was not present earlier.


Question

Is there any way to keep npm update from adding "dev": true in unwanted places, or how can I update a single package at a time, which will keep my commits clean and easy to track?

I have tried the command npm update foo --omit=dev, but it did not work.

Upvotes: 1

Views: 791
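
One way to review what an update run actually changed in the lock file, as an added example that is not part of the original question: it separates version bumps, same-version integrity changes, and flag-only changes such as an added "dev": true. It assumes the "packages" map of lockfileVersion 2 or 3; the function names and the sample lock data are constructed for illustration.

```javascript
// Added example. Input: two parsed package-lock.json objects that use the
// "packages" map (lockfileVersion 2 or 3). All sample data below is constructed.
const FLAGS = ['dev', 'optional', 'peer', 'devOptional'];
// "node_modules/foo/node_modules/@s/bar" -> "@s/bar"
const nameOf = (path) => path.split('node_modules/').pop();

function classifyLockChanges(before, after) {
  const a = before.packages || {};
  const b = after.packages || {};
  const report = { versionChanged: [], integrityChanged: [], flagOnly: [], added: [], removed: [] };
  for (const path of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (path === '') continue; // the root project entry, not a dependency
    const o = a[path], n = b[path];
    if (!o) report.added.push(path);
    else if (!n) report.removed.push(path);
    else if (o.version !== n.version) {
      report.versionChanged.push({ path, from: o.version, to: n.version });
    } else if (o.integrity !== n.integrity) {
      report.integrityChanged.push(path); // same version, different hash: investigate
    } else {
      const flags = FLAGS.filter((f) => Boolean(o[f]) !== Boolean(n[f]));
      if (flags.length) report.flagOnly.push({ path, flags });
    }
  }
  return report;
}

// Version bumps for packages other than the ones the commit was meant to touch.
function unexpectedBumps(report, intended) {
  return report.versionChanged.filter((c) => !intended.includes(nameOf(c.path))).map((c) => c.path);
}

const beforeLock = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/foo': { version: '2.0.0', integrity: 'sha512-constructed-foo' },
  'node_modules/bar': { version: '1.1.0', integrity: 'sha512-constructed-bar-110' },
  'node_modules/baz': { version: '3.0.0', integrity: 'sha512-constructed-baz-300' },
  'node_modules/qux': { version: '0.4.2', integrity: 'sha512-constructed-qux' },
} };
const afterLock = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/foo': { version: '2.0.0', integrity: 'sha512-constructed-foo' },
  'node_modules/bar': { version: '1.1.1', integrity: 'sha512-constructed-bar-111' },
  'node_modules/baz': { version: '3.0.1', integrity: 'sha512-constructed-baz-301' },
  'node_modules/qux': { version: '0.4.2', integrity: 'sha512-constructed-qux', dev: true },
} };
const sampleReport = classifyLockChanges(beforeLock, afterLock);
console.log(JSON.stringify(sampleReport, null, 2), unexpectedBumps(sampleReport, ['bar']));
```

Run against the committed lock file and the updated one, the `unexpectedBumps` list shows which version changes fall outside the package the commit was meant to fix, and `flagOnly` isolates entries where only a flag moved.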

Answers (0)
