Feature Request: Add option to run npm audit fix in bootstrap command
Expected Behavior
Right now, I’ve tried to make lerna bootstrap run npm audit fix for the monorepo packages with no luck. I’d like to run lerna bootstrap to fix any sec vulnerabilities for the packages in the monorepo.
Current Behavior
Doesn’t provide npm audit fix support, as lerna is only concerned with flags passed, not commands.
Possible Solution
N/A
Steps to Reproduce (for bugs)
- Clone webpack-cli
- Run lerna bootstrap
- Try to run it with the -- override
Context
Improving project-wide security without having to navigate to each package and manually run npm audit fix.
Your Environment
Executable | Version
---|---
lerna --version | 3.14.1
npm --version | 6.9
node --version | 11.4

OS | Version
---|---
macOS Mojave | 10.14.5
Top GitHub Comments
@mchelen NPM doesn’t like that approach and throws ELOCKVERIFY in many of my packages, complaining about “Errors were found in your package-lock.json, run npm install to fix them” and then listing symlinked packages. As such it doesn’t complete the audit actions. Also related: https://github.com/lerna/lerna/issues/1663
This feature should be very high priority security wise!