
I'm trying to make sure my project doesn't have vulnerabilities in production, so I ran:

npm audit > vulnerabilities.txt

and then I searched for all instances of "Dependency of"

which brings up a list like:

Line 199: Dependency of babel-preset-es2015 [dev]
Line 215: Dependency of babel-preset-es2015 [dev]
Line 230: Dependency of babel-preset-es2015 [dev]

Can I assume that if all of them have that [dev] tag, then npm audit found no package vulnerabilities in production?

Asik

2 Answers


It looks like the answer is yes.

To validate this, I ran `npm audit fix --production`, and then running `npm audit` produced a list where every dependency was a "Dependency of" something marked as [dev].

If at some point npm supports the --production flag directly on npm audit then that would make it easier.

Asik
    `npm audit --production` was released in npm 6.10.0 via https://github.com/npm/cli/pull/202 – Joe Bowbeer Jan 17 '20 at 01:31
  • Question is: Does this flag just ignore packages you declared as dev or does it also ignore the dependencies of your production dependencies that are marked as dev? (Recursively, of course.) Seems to me this only affects your top level dependencies, so indirect dev dependencies are still treated as security issues... – Christian Aug 05 '22 at 15:04
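The check from the answer above, done against the machine-readable report instead of by eye, as an added example that is not code from the question, the answers or npm. It assumes the npm 6 `npm audit --json` shape, in which each `actions[].resolves[]` entry carries the vulnerable `path` and a per-path `dev` flag, so a transitive dependency reached only through a dev dependency is classified per path (the concern raised in the comment above); the embedded report is constructed sample data.

```javascript
// Added example (not from the question, answers or npm). Assumes the npm 6
// `npm audit --json` shape: each actions[].resolves[] entry has the vulnerable
// `path` ("a>b>c") and a `dev` flag, true only if that path is dev-only.
// Constructed sample report, not real npm output.
const sampleReport = {
  actions: [
    { action: 'update', module: 'lodash', target: '4.17.21', resolves: [
      { id: 1065, path: 'babel-preset-es2015>babel-plugin-x>lodash', dev: true },
      { id: 1065, path: 'express-helper>lodash', dev: false },
    ] },
    { action: 'install', module: 'karma', target: '6.0.0', resolves: [
      { id: 1523, path: 'karma', dev: true },
    ] },
  ],
  advisories: {
    1065: { module_name: 'lodash', severity: 'high', title: 'Prototype Pollution' },
    1523: { module_name: 'karma', severity: 'moderate', title: 'Open redirect' },
  },
};
// Group resolved paths by advisory id and split them into dev-only and
// production-reachable paths; one advisory can have both (lodash above).
function classifyAudit(report) {
  const byId = new Map();
  for (const action of report.actions || []) {
    for (const r of action.resolves || []) {
      const adv = (report.advisories || {})[r.id] || {};
      const entry = byId.get(r.id) ||
        { id: r.id, module: adv.module_name, severity: adv.severity, devPaths: [], prodPaths: [] };
      (r.dev ? entry.devPaths : entry.prodPaths).push(r.path);
      byId.set(r.id, entry);
    }
  }
  const all = [...byId.values()];
  return {
    production: all.filter((e) => e.prodPaths.length > 0),
    devOnly: all.filter((e) => e.prodPaths.length === 0),
  };
}
// True only when no advisory is reachable through a production path.
function productionIsClean(report) {
  return classifyAudit(report).production.length === 0;
}
// CLI use (CommonJS): npm audit --json > audit.json && node audit-prod.js audit.json
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const report = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  const { production } = classifyAudit(report);
  for (const e of production) console.log(`${e.severity}\t${e.module}\t${e.prodPaths.join(', ')}`);
  process.exitCode = production.length === 0 ? 0 : 1;
}
```

A non-zero exit code when any production path remains makes the check usable as a CI gate, independent of whether `npm audit --production` is available in the installed npm.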

In older npm versions you can do the below; even in newer versions I've found the --production flag very buggy and node still reporting devDependencies. In both cases you can use this instead:

npm prune --production --dry-run

The above will output any vulnerabilities from inside dependencies. You would need to fix any vulnerabilities manually then, though.

NOTE: Many projects I have worked with have wrongly had production dependencies inside devDependencies instead of dependencies. This needs to be fixed first, of course (just move the declaration inside package.json and run npm i; check the exact version inside the lock file if needed).

If code from a node_module is used client-side (whether it's used can sometimes be tricky to tell), it should be in dependencies (for example, core-js).

If you have a node backend/hosting, then you need to check whether it's used in the node BE in production as well.

OZZIE