Tags: npm, npm-audit

npm audit - how to make sure I have no production vulnerabilities?


I'm trying to make sure my project doesn't have vulnerabilities in production, so I ran:

npm audit > vulnerabilities.txt

and then I searched for all instances of "Dependency of"

which brings up a list like:

Line 199: Dependency of babel-preset-es2015 [dev]
Line 215: Dependency of babel-preset-es2015 [dev]
Line 230: Dependency of babel-preset-es2015 [dev]

Can I assume that if all of them have that [dev] tag, then npm audit found no package vulnerabilities in production?


Solution

  • It looks like the answer is yes.

    To validate this, I ran npm audit fix --production, and then running npm audit produced a list where every dependency was a "Dependency of" something marked as [dev].

    If at some point npm supports the --production flag directly on npm audit then that would make it easier.
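The check the answer does by eye (every "Dependency of" entry tagged [dev]) can be scripted over the saved vulnerabilities.txt. This is an added example, not code from the question or answer; it assumes the npm 6 text report, where each finding has a "Dependency of <package> [dev]" line and the "[dev]" tag is absent when the vulnerable path starts from a production dependency.

```python
"""Decide from a saved `npm audit` text report whether any finding reaches production."""
import re
import sys

# One "Dependency of" cell per finding. The optional box-drawing bar keeps the
# pattern working on the raw table output as well as on lines copied out of it.
DEPENDENCY_OF = re.compile(
    r"Dependency of\s*│?\s*(?P<pkg>[^\s│]+)(?P<dev>\s+\[dev\])?"
)


def findings(report_text):
    """Return (root_package, is_dev) for every finding in the report, in order."""
    return [
        (m.group("pkg"), m.group("dev") is not None)
        for m in DEPENDENCY_OF.finditer(report_text)
    ]


def production_roots(report_text):
    """Sorted production packages through which some vulnerable path runs."""
    return sorted({pkg for pkg, is_dev in findings(report_text) if not is_dev})


def production_clean(report_text):
    """True only if every finding hangs off a devDependency, i.e. none of them ships."""
    return not production_roots(report_text)


# Constructed sample report (not real npm output): two findings rooted in a
# devDependency and one rooted in a production dependency, so it is NOT clean.
SAMPLE_REPORT = """\
  │ Package       │ lodash                        │
  │ Dependency of │ babel-preset-es2015 [dev]     │
  │ Package       │ minimatch                     │
  │ Dependency of │ babel-preset-es2015 [dev]     │
  │ Package       │ minimatch                     │
  │ Dependency of │ express                       │
"""

if __name__ == "__main__":
    # Usage: python check_audit.py vulnerabilities.txt  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    roots = production_roots(text)
    print("production-clean" if not roots else "reaches production via: " + ", ".join(roots))
```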