Difference between `npm install` and `npm audit` counts?


Question


After the recent addition of npm audit (for auditing dependencies) I noticed a huge discrepancy between how many packages are added (installed in node_modules) and how many are audited by npm. Here's an example:

Here are my questions:

  • Am I correct that 281 is the total number of packages installed?
  • Why is npm auditing so many more packages than the ones in my project?


It makes sense to me that npm might have to go back out and audit other package versions if it finds a vulnerability, but in this case it found 0 vulnerabilities so why the additional work?

Update:


I think there's a little confusion about top-level vs sub dependencies. Run the following commands to reproduce a similar discrepancy:

mkdir test-npm-count-discrepancy
cd test-npm-count-discrepancy
npm init
npm i standard-version


Notice that (at the time of writing this) 200+ dependencies are added (i.e. standard-version and all its sub dependencies) but 1000+ packages are audited. Just to reiterate, the main question from above is "why is npm auditing more packages than what's actually installed?".

Answer


For the first question: - the community, without a link to something like a dependency list or your package.json, wouldn't really be able to say so. However, if your package file only has a few, then it still is normal most of the time. You may have installed 12 yourself, but NPM auto-installs most, if not all, dependencies for your app's dependencies for you. It helps speed up your workflow.


For the second question: - as mentioned in my response to the first question, it is auditing both the ones you installed and the ones that were installed automatically so that the ones you installed work properly.


For the third question: - It always checks for vulnerabilities marked by developers so you can have the latest version which is, most of the time, the least buggy, the most functional, and most secure.


The whole point of npm install is to update current dependencies and install new ones to the directory. The point of npm audit is to check for dependencies that have updates marked to fix security issues.


Edit 2: I think I've got it: it could be auditing the installed dependencies for production, your dependencies, and the dev-dependencies to warn you that one of your dependencies was built insecurely by the developer.
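As an added example (not part of the question or the answer above), the script below takes the three counts the answer distinguishes from a constructed lockfileVersion 1 package-lock.json: the packages you installed by hand, everything that actually landed in node_modules, and every dependency path through the tree, where a hoisted package required by several parents is reached more than once. The lockfile contents and package names are constructed; that npm's own "audited" figure is computed as a count of paths is an assumption here, not something the page confirms.

```javascript
// Added example (not from the question or answer). Constructed lockfileVersion 1
// package-lock.json: "shared" exists twice on disk (1.x hoisted, 2.x nested under app-dep).
const lock = {
  name: "test-npm-count-discrepancy", lockfileVersion: 1,
  dependencies: {
    "app-dep": {
      version: "1.0.0", requires: { "lib-b": "^1.0.0", shared: "^2.0.0" },
      dependencies: { shared: { version: "2.0.0" } },
    },
    "lib-b": { version: "1.0.0", requires: { shared: "^1.0.0", "lib-c": "^1.0.0" } },
    "lib-c": { version: "1.0.0", requires: { shared: "^1.0.0" } },
    shared: { version: "1.0.0" },
  },
};
// Constructed package.json dependencies: the one package installed by hand.
const rootRequires = { "app-dep": "^1.0.0" };
// Physical packages: every node of the nested "dependencies" tree, i.e. what lands in node_modules.
function countInstalled(node) {
  return Object.values(node.dependencies || {}).reduce((n, c) => n + 1 + countInstalled(c), 0);
}

// Node-style resolution: search the innermost enclosing node_modules first, then walk outward.
function resolve(name, ancestors) {
  for (let i = ancestors.length - 1; i >= 0; i--) {
    const found = (ancestors[i].dependencies || {})[name];
    if (found) return { node: found, ancestors: ancestors.slice(0, i + 1).concat(found) };
  }
  throw new Error(`unresolvable dependency: ${name}`);
}

// Dependency paths: a package is counted once per path that reaches it, so a hoisted
// package required by several parents counts several times. `onPath` only breaks cycles.
function countDependencyPaths(requires, ancestors, onPath = new Set()) {
  let n = 0;
  for (const name of Object.keys(requires || {})) {
    const { node, ancestors: next } = resolve(name, ancestors);
    if (onPath.has(node)) continue;
    onPath.add(node);
    n += 1 + countDependencyPaths(node.requires, next, onPath);
    onPath.delete(node);
  }
  return n;
}

function report(lockfile, pkgRequires) {
  return { direct: Object.keys(pkgRequires).length,         // what you ran `npm i` for
           installed: countInstalled(lockfile),             // "added N": packages on disk
           paths: countDependencyPaths(pkgRequires, [lockfile]) }; // every path through the tree
}
```

`report(lock, rootRequires)` returns `{ direct: 1, installed: 5, paths: 6 }`: one package asked for, five on disk, but shared@1.0.0 is reached on two different paths, so a path count is already larger than the install count on this tiny tree.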
