Tags: node.js, npm, npm-workspaces

How to use npm audit with NPM workspaces?


For a project using the AWS CDK we are moving from lerna to NPM workspaces. Everything seems fine so far, except for running npm audit in the project root, which doesn't seem to take the workspace into account.

We are using the following folder structure:

.
|-package.json
|-package-lock.json
|-ts-config.json
|-lib
 |-index.ts
 |-lambdas
  |-workspace-a
   |-index.ts
   |-package.json

When adding a dependency with vulnerabilities to the project root's package.json, npm audit greets us with the report of those as usual. When installing the same dependency in the workspace-a package.json, it ends up in the project's root package-lock.json section for the workspace, as expected, but goes unnoticed by npm audit, which reports 0 vulnerabilities.

So far I have tried several ways of running npm audit: adding --workspaces=true, --workspace lib/lambdas/workspace-a and --package-lock-only, but none of them seems to work.

Is there something I'm failing to see to get npm audit to work for workspace-a?


Solution

  • After some testing with sample projects on the same and different machines, the solution seems to lie in the registry set in the .npmrc. When commenting out the enterprise npm repository, the audits get picked up again.

    Alternatively, running npm audit --registry=https://registry.npmjs.org will work without changing the global config.

    This only seems to be needed for audits on workspaces and nested dependencies, as the top-level dependencies on the root package level will be audited just fine either way.
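A way to confirm, in a reproducible manner, that the answer's registry explanation applies to your own project: read the lockfile, list the dependencies that are declared only by workspace packages, and compare the JSON output of `npm audit --json` obtained against the enterprise registry with the output obtained against the public registry. The script below is an added example (neither the asker's nor the answerer's code, and not part of npm). It assumes a lockfileVersion 2 or 3 `package-lock.json` (the `packages` map keyed by path) and the npm 7+ audit report shape with `metadata.dependencies.total` and `metadata.vulnerabilities.total`. The lockfile, the two audit reports, the package name `vulnerable-lib` and the registry URL `https://npm.enterprise.example/` are all constructed sample data, so the script runs offline; in practice you would load the real files with `fs.readFileSync` and `JSON.parse`.

```javascript
// Added example: check npm audit coverage of workspace dependencies and detect a
// registry that audits the same dependency set but returns no advisories.

// Constructed package-lock.json (lockfileVersion 3 layout) mirroring the question:
// a root package and one workspace at lib/lambdas/workspace-a.
const SAMPLE_LOCK = {
  name: 'cdk-project',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'cdk-project',
      workspaces: ['lib/lambdas/*'],
      dependencies: { 'aws-cdk-lib': '^2.0.0' },
    },
    'lib/lambdas/workspace-a': {
      name: 'workspace-a',
      version: '1.0.0',
      dependencies: { 'vulnerable-lib': '1.0.0' }, // hypothetical package name
    },
    'node_modules/aws-cdk-lib': { version: '2.0.0' },
    'node_modules/workspace-a': { resolved: 'lib/lambdas/workspace-a', link: true },
    'node_modules/vulnerable-lib': { version: '1.0.0' },
  },
};

// Constructed `npm audit --json` outputs: the enterprise mirror returns no
// advisories, the public registry reports one high-severity finding.
const AUDIT_ENTERPRISE = {
  auditReportVersion: 2,
  vulnerabilities: {},
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 0, total: 0 },
    dependencies: { prod: 3, dev: 0, optional: 0, peer: 0, peerOptional: 0, total: 3 },
  },
};
const AUDIT_PUBLIC = {
  auditReportVersion: 2,
  vulnerabilities: {
    'vulnerable-lib': { name: 'vulnerable-lib', severity: 'high', range: '<1.1.0' },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 0, total: 1 },
    dependencies: { prod: 3, dev: 0, optional: 0, peer: 0, peerOptional: 0, total: 3 },
  },
};

// Map of dependency name -> paths of the packages (root or workspace) that declare it.
// Entries under node_modules/ are installed copies, not declarations, so they are skipped.
function declaredDependencies(lock) {
  const declared = new Map();
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path.includes('node_modules/')) continue;
    for (const field of ['dependencies', 'devDependencies']) {
      for (const name of Object.keys(pkg[field] || {})) {
        if (!declared.has(name)) declared.set(name, []);
        declared.get(name).push(path === '' ? '<root>' : path);
      }
    }
  }
  return declared;
}

// Summarise one audit run against the lockfile: how many dependencies are declared,
// which are declared only by workspaces, and which of those the report flags.
function auditSummary(lock, audit) {
  const declared = declaredDependencies(lock);
  const workspaceOnly = [...declared.entries()]
    .filter(([, owners]) => !owners.includes('<root>'))
    .map(([name]) => name);
  const vulnerable = Object.keys(audit.vulnerabilities || {});
  return {
    declared: declared.size,
    workspaceOnly,
    audited: audit.metadata.dependencies.total,
    vulnerabilities: audit.metadata.vulnerabilities.total,
    vulnerableWorkspaceDeps: vulnerable.filter((n) => workspaceOnly.includes(n)),
  };
}

// runs: { registryUrl: auditJson }. Returns registries that audited the same number
// of dependencies as another run yet reported zero advisories where that run did not.
function compareRegistryRuns(runs) {
  const entries = Object.entries(runs);
  const flagged = [];
  for (const [url, audit] of entries) {
    if (audit.metadata.vulnerabilities.total !== 0) continue;
    const otherRunFound = entries.some(([other, a]) =>
      other !== url &&
      a.metadata.dependencies.total === audit.metadata.dependencies.total &&
      a.metadata.vulnerabilities.total > 0);
    if (otherRunFound) flagged.push(url);
  }
  return flagged;
}

// Usage on the constructed data (registry URL is a placeholder).
const RUNS = {
  'https://npm.enterprise.example/': AUDIT_ENTERPRISE,
  'https://registry.npmjs.org/': AUDIT_PUBLIC,
};
console.log(auditSummary(SAMPLE_LOCK, AUDIT_PUBLIC));
console.log('registries returning no advisories:', compareRegistryRuns(RUNS));
```

If a registry appears in the flagged list, the audit endpoint of that registry is not serving advisories for the packages in your lockfile, which matches the behaviour described in the answer; running `npm audit --registry=https://registry.npmjs.org` as a second run is the quickest way to get the comparison data.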