[BUG] npm audit --production reports linked packages' dev deps #9624

Description

@ljharb

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

This is not just a request to bump a dependency for a CVE

  • This is not solely a request to bump a dependency for a CVE

Current Behavior

  1. Find a package foo where npm audit fails.
  2. Run npm link.
  3. Go to another project that depends on foo where npm audit --production (or npm audit --omit=dev) succeeds.
  4. Run npm link foo
  5. Run npm audit --production
  6. It fails, reporting on foo's vulnerable dev deps.

Expected Behavior

It should ignore dev deps of dependencies whether they're link:ed in or not.

Steps To Reproduce

See "Current Behavior".

Environment

  • npm: 11.16.0, and also 12.0.0-pre.1
  • Node.js: 26.3.0
  • OS Name: Mac
  • System Model Name: MBP
  • npm config: n/a


Labels

  • Bug (thing that needs fixing)
  • Priority 2 (secondary priority issue)
