Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
- Find a package `foo` where `npm audit` fails.
- Run `npm link`.
- Go to another project that depends on `foo` where `npm audit --production` (or `npm audit --omit=dev`) succeeds.
- Run `npm link foo`.
- Run `npm audit --production`.
- It fails, reporting on `foo`'s vulnerable dev deps.
Expected Behavior
It should ignore dev deps of dependencies whether they're link:ed in or not.
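To make the expected scoping rule concrete, here is an added example (not npm's or Arborist's own code) that models the dependency tree as edges typed by the declaring parent and computes which packages `--omit=dev` should keep. The graph and findings are constructed; the point is that a `link` edge is just a prod edge whose target is a symlink, so the linked package's own devDependencies still drop out.

```javascript
// Added example, not npm's own code. Nodes are packages; each edge carries the
// dependency type declared by the parent ("prod", "dev", "optional", "peer").
// `link: true` is informational only: a linked package is reached over an
// ordinary prod edge, and the scoping rule must not treat it differently.

// Constructed sample graph: root depends on foo via `npm link`; foo has a
// vulnerable dev dependency (bar) and a regular prod dependency (baz).
const sampleGraph = {
  root: { foo: { type: "prod", link: true } },
  foo: { bar: { type: "dev" }, baz: { type: "prod" } },
  bar: {},
  baz: {},
};

// Packages reachable from root when edges of the omitted types are never
// followed. This is the meaning of --omit=<type>: an omitted edge is skipped
// at every depth, including edges declared by a linked package.
function auditScope(graph, omit = ["dev"]) {
  const omitted = new Set(omit);
  const seen = new Set(["root"]);
  const stack = ["root"];
  while (stack.length) {
    const name = stack.pop();
    for (const [dep, edge] of Object.entries(graph[name] ?? {})) {
      if (omitted.has(edge.type) || seen.has(dep)) continue;
      seen.add(dep);
      stack.push(dep);
    }
  }
  seen.delete("root");
  return seen;
}

// Keep only the audit findings whose package is in scope.
function filterFindings(findings, scope) {
  return Object.fromEntries(
    Object.entries(findings).filter(([name]) => scope.has(name))
  );
}

// Constructed findings: bar (foo's dev dep) is the only vulnerable package.
const sampleFindings = { bar: { severity: "high" } };

console.log([...auditScope(sampleGraph)]); // [ 'foo', 'baz' ]
console.log(filterFindings(sampleFindings, auditScope(sampleGraph))); // {}
```

With nothing omitted the same walk reaches `bar` and the finding is reported, which is the behaviour `npm audit` without `--omit=dev` should keep.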
Steps To Reproduce
See "current behavior"
Environment
- npm: 11.16.0, and also 12.0.0-pre.1
- Node.js: 26.3.0
- OS Name: Mac
- System Model Name: MBP
- npm config: n/a