From efb8718212b9b67ae628ffc209cccb93af694cd7 Mon Sep 17 00:00:00 2001 From: Jeff Widman Date: Wed, 4 Sep 2024 10:46:08 -0700 Subject: [PATCH] Silence audit and funding messages from `npm` (#550) While reviewing some logs, I noticed the following: ```shell added 1 package, changed 30 packages, and audited 382 packages in 6s 58 packages are looking for funding run `npm fund` for details found 0 vulnerabilities ``` While I'm not against security, nor supporting OSS maintainers (I co-maintain 10+ projects myself!), I am against noisy logs that add no value. So let's silence these: 1. When they appear in CI, they add no value. 1. We've got our own security tools for vulnerable deps, which we rely on instead of `npm audit` results. 1. When I'm skimming logs looking for debug information, these just get in my way. 1. There may be a speed boost if the audit/fix metadata requires an additional API call, and silencing actually skips that rather than merely silencing it. There's multiple ways to silence these: https://benjamincrozat.com/disable-packages-are-looking-for-funding Originally I tackled this by adding `--no-audit --no-fund` flags, but there's a lot of different entrypoints and workflows that call `npm ci` or `npm install`. Even if I do manage to get them all, there's always a risk someone will come along later and add another entrypoint. So that's why I went the `.npmrc` route. After this change, the logs are much better: ```shell added 1 package, changed 30 packages, and audited 382 packages in 6s ``` --- .npmrc | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .npmrc diff --git a/.npmrc b/.npmrc new file mode 100644 index 00000000..09b35cdd --- /dev/null +++ b/.npmrc @@ -0,0 +1,2 @@ +audit=false +fund=false