Silence audit and funding messages from npm#550
Merged
jeffwidman merged 1 commit into main on Sep 4, 2024

Conversation
While reviewing some logs, I noticed the following:

```shell
added 1 package, changed 30 packages, and audited 382 packages in 6s

58 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
```

While I'm not against security, nor supporting OSS maintainers (I co-maintain 10+ projects myself!), I am against noisy logs that add no value. So let's silence these:

1. When they appear in CI, they add no value.
2. We've got our own security tools for vulnerable deps, which we rely on instead of `npm audit` results.
3. When I'm skimming logs looking for debug information, these just get in my way.
4. There may be a speed boost if the audit/fix metadata requires an additional API call, and silencing actually skips that rather than merely silencing it.

There's multiple ways to silence these: https://benjamincrozat.com/disable-packages-are-looking-for-funding

Originally I tackled this by adding `--no-audit --no-fund` flags, but there's a lot of different entrypoints and workflows that call `npm ci` or `npm install`. Even if I do manage to get them all, there's always a risk someone will come along later and add another entrypoint. So that's why I went the `.npmrc` route.

After this change, the logs are much better:

```shell
added 1 package, changed 30 packages, and audited 382 packages in 6s
```
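The `.npmrc` route above works because npm reads `audit` and `fund` from the project config before every install. The following is an added example, not the PR's own diff: it parses a constructed `.npmrc` the way a CI guard would, and refuses a disabled install-time audit unless a replacement scanner is configured (the `CI_DEP_SCANNER` variable name is an assumption for illustration).

```shell
#!/bin/sh
# Added example (not from the PR). Resolve a key from an ini-style .npmrc and
# guard CI so that audit=false is only accepted alongside another scanner.

# npmrc_get KEY FILE -> prints KEY's value; skips ';' and '#' comment lines,
# trims whitespace around key and value, last assignment wins.
npmrc_get() {
  key=$1; file=$2
  [ -f "$file" ] || return 1
  awk -v k="$key" '
    /^[ \t]*[;#]/ { next }
    index($0, "=") {
      split($0, kv, "=")
      gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
      if (kv[1] == k) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
      }
    }
    END { if (v != "") print v }' "$file"
}

# audit_guard FILE -> 0 if the install-time audit still runs, or if it is
# disabled but a compensating scanner is named in CI_DEP_SCANNER (hypothetical).
audit_guard() {
  val=$(npmrc_get audit "$1")
  if [ "$val" = "false" ] && [ -z "${CI_DEP_SCANNER:-}" ]; then
    echo "audit=false in $1 but no CI_DEP_SCANNER configured" >&2
    return 1
  fi
  return 0
}

# Constructed sample .npmrc mirroring the PR's approach (with comments and
# loose spacing to exercise the parser).
SAMPLE_NPMRC=$(mktemp)
cat > "$SAMPLE_NPMRC" <<'EOF'
; silence install-time audit and funding output
audit=false
fund = false
# loglevel left at default
EOF

printf 'audit=%s fund=%s\n' \
  "$(npmrc_get audit "$SAMPLE_NPMRC")" "$(npmrc_get fund "$SAMPLE_NPMRC")"
```

Run it in the repository root with the real `.npmrc` path to confirm that the settings the PR relies on are in effect and that the separate vulnerability scan is still wired up.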
landongrindheim approved these changes on Sep 4, 2024