dev dependencies not being skipped
Describe the bug
As a follow-up to https://github.com/jeremylong/DependencyCheck/issues/1806, I was testing the CLI with the --nodeAuditSkipDevDependencies flag enabled. But now my build is getting flagged for a dependency of one of my dev dependencies. However, "npm audit --production" does not flag this jQuery dependency. This is on a new/clean Angular project built by the Angular CLI.
Version of dependency-check used The problem occurs using version 5.3.0 of the Command Line Tool
Log file
Gist has a limit of 100MB and my log file is 4.68 GB. I can zip it and use something like https://wetransfer.com/ to send it to you. What would you like me to do?
To Reproduce Steps to reproduce the behavior:
- Using package.json below, run npm install
- Run: npm audit --production
- Verify no vulnerabilities
- Run: dependency-check --project "Platform Admin" --format XML --format HTML --scan ./ --nodeAuditSkipDevDependencies
- Verify that there are multiple jQuery vulnerabilities found that are part of the dev dependency selenium-webdriver
Expected behavior Zero vulnerabilities from dependency-check when using the flag nodeAuditSkipDevDependencies
Additional context
```json
{
  "name": "platform-admin",
  "version": "0.0.0",
  "scripts": {
    "ng": "ng",
    "start": "ng serve",
    "build": "ng build",
    "test": "ng test",
    "test-headless-with-coverage": "ng test --watch=false --browsers=ChromeHeadless --code-coverage",
    "lint": "ng lint",
    "e2e": "ng e2e"
  },
  "private": true,
  "dependencies": {
    "@angular/animations": "~8.2.14",
    "@angular/common": "~8.2.14",
    "@angular/compiler": "~8.2.14",
    "@angular/core": "~8.2.14",
    "@angular/forms": "~8.2.14",
    "@angular/platform-browser": "~8.2.14",
    "@angular/platform-browser-dynamic": "~8.2.14",
    "@angular/router": "~8.2.14",
    "core-js": "^2.5.4",
    "rxjs": "~6.5.4",
    "tslib": "^1.9.0",
    "zone.js": "~0.9.1"
  },
  "devDependencies": {
    "@angular-devkit/build-angular": "~0.803.22",
    "@angular/cli": "~8.3.22",
    "@angular/compiler-cli": "~8.2.14",
    "@angular/language-service": "~8.2.14",
    "@types/node": "~8.9.4",
    "@types/jasmine": "~2.8.8",
    "@types/jasminewd2": "~2.0.3",
    "codelyzer": "^5.0.1",
    "jasmine-core": "~2.99.1",
    "jasmine-spec-reporter": "~4.2.1",
    "karma": "~4.0.0",
    "karma-chrome-launcher": "~2.2.0",
    "karma-coverage-istanbul-reporter": "~2.0.1",
    "karma-jasmine": "~1.1.2",
    "karma-jasmine-html-reporter": "^0.2.2",
    "protractor": "~5.4.0",
    "ts-node": "~7.0.0",
    "tslint": "~5.11.0",
    "typescript": "~3.5.3"
  }
}
```
Top GitHub Comments
Can the --disableNodeJS and --nodeAuditSkipDevDependencies be specified when running the dependency checker Jenkins plugin?
We observe this with v6.1.6, any thoughts on this? We had to add both --disableNodeJS --nodeAuditSkipDevDependencies for the scan to not pick up dev dependencies.