[BUG] npm ci runs npm audit

[JGAntunes]

Apologies beforehand if this has been described or reported somewhere already. I've looked through the issues as well as through both of the release posts - https://blog.npmjs.org/post/626173315965468672/npm-v7-series-beta-release-and-semver-major & https://github.blog/2020-10-13-presenting-v7-0-0-of-the-npm-cli/ - but found no reference to this.

Current Behavior:

Using:

$ npm --version
7.5.4

On a JS project with a package.json and package-lock.json (been using the following as an example).
Running npm ci returns the following:

$ npm ci
(...)
added 2547 packages, and audited 2548 packages in 24s

206 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

Running npm ci --audit false returns the following:

$ npm ci --audit false
(...)
added 2547 packages in 20s

206 packages are looking for funding
  run `npm fund` for details

Expected Behavior:

It is my understanding that npm ci should not run npm audit by default. Running npm ci should render the example above that is presented by running npm ci --audit false.

Steps To Reproduce:

1. In this project
2. Run npm ci
3. See the audit related output

Environment:

• OS: Mac OS X 10.15.7
• Node: v15.8.0
• npm: 7.5.4

[ljharb]

Why shouldn’t it run it by default? The packages you use won’t have changed, but they might be newly known to be vulnerable.

[JGAntunes]

@ljharb it is my undertsanding that npm ci by default did not run npm audit in previous npm versions. E.g. executing npm ci on the same repo using version 6.14.9 renders:

added 2546 packages in 23.911s

Essentially, only performed the installation step, no audit was performed.

VS the regular npm install:

added 2546 packages from 1427 contributors and audited 2547 packages in 36.141s

206 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

All I'm asking is if this is expected behaviour? In which case it feels to me like this is a breaking change for npm ci behaviour coming from v6 and it's probably worth mentioning it somewhere (as I'm assuming installs will break if vulnerabilities are found?)? EDIT: nvm me 👀

[ljharb]

I don't believe the presence of audit warnings can fail an install.

[JGAntunes]

You're correct @ljharb, sorry for the confusion 👍 I guess this wouldn't make this change a breaking one, so bug no longer applies. However given npm ci's lack of documentation for the audit/no-audit flags I'm still wondering if this is inteded behaviour or not? I wouldn't mind dropping the bug tag and just leave this question out in the open, unfortunately seems like I'm unable to do so. Unless this isn't the proper medium to reach out about that, if so, happy to close this and reach out in some other way?

[ljharb]

I'll leave it to npm staff to answer that - i'm not sure if it's an intentional change or not, and thus whether the docs need improving or not. However, it seems useful to me for npm ci to run audit just like install would ¯\_(ツ)_/¯

[darcyclarke]

@JGAntunes sorry for the confusion. We're going to update our docs to be more clear here. The current implementation is working as expected in v7.