Skip to content

Commit

Permalink
Silence audit and funding messages from npm (#550)
Browse files Browse the repository at this point in the history
While reviewing some logs, I noticed the following:
```shell
added 1 package, changed 30 packages, and audited 382 packages in 6s

58 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
```

While I'm not against security, nor supporting OSS maintainers (I
co-maintain 10+ projects myself!), I am against noisy logs that add no
value.

So let's silence these:

1. When they appear in CI, they add no value.
1. We've got our own security tools for vulnerable deps, which we rely
   on instead of `npm audit` results.
1. When I'm skimming logs looking for debug information, these just get
   in my way.
1. There may be a speed boost if the audit/fix metadata requires an additional API call, 
   and silencing actually skips that rather than merely silencing it.

There's multiple ways to silence these: https://benjamincrozat.com/disable-packages-are-looking-for-funding

Originally I tackled this by adding `--no-audit --no-fund` flags, but
there's a lot of different entrypoints and workflows that call `npm ci`
or `npm install`. Even if I do manage to get them all, there's always a
risk someone will come along later and add another entrypoint. So that's
why I went the `.npmrc` route.

After this change, the logs are much better:
```shell
added 1 package, changed 30 packages, and audited 382 packages in 6s
```
  • Loading branch information
jeffwidman authored Sep 4, 2024
1 parent 67945c0 commit efb8718
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .npmrc
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
audit=false
fund=false

0 comments on commit efb8718

Please sign in to comment.