InfoSec812 / npm-audit-ci-wrapper

A wrapper for 'npm audit' which can be configured for use in a CI/CD tool like Jenkins
Apache License 2.0

dev dependencies are always ignored #80

Closed couaky closed 3 years ago

couaky commented 4 years ago

Hi,

I think dev dependencies are always ignored whether the --ignore-dev-dependencies flag is set or not.

Probably due to this part of the code, which excludes any item that is a child of a dev dependency:

https://github.com/InfoSec812/npm-audit-ci-wrapper/blob/82d9cf99a93285ab8b0cbcc19dde2ffa5fccc38c/lib/parser.js#L123

Cheers.

eL-HaXo commented 3 years ago

I've confirmed this issue. I'll put up a PR to fix.

eL-HaXo commented 3 years ago

I'm unable to push up my branch to create a pull request. The issue is here, where filteredByDev does not use the ignoreDev argument. Setting filteredByDev to advisories if ignoreDev is false fixed the issue.

https://github.com/InfoSec812/npm-audit-ci-wrapper/blob/trunk/lib/parser.js#L116
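The defect described in the comment above, reduced to a small stand-alone example: an audit-result filter that takes an ignoreDev flag but never consults it, next to the corrected form that only drops dev-only advisories when the flag is set. This is added illustration code, not the project's parser; the advisory shape (top-level `findings` with a `dev` boolean per path), the function names and the severity ranking used by `failsBuild` are assumptions constructed for the example, loosely modelled on the npm 6 audit JSON rather than copied from it.

```javascript
// Added example, not code from npm-audit-ci-wrapper. The advisory objects are
// constructed for this example; field names are assumptions, loosely modelled
// on the npm 6 "npm audit --json" output (advisories carrying per-path
// "findings" with a "dev" boolean).
const sampleAdvisories = [
  { id: 1, module_name: 'lodash', severity: 'high',
    findings: [{ version: '4.17.15', dev: false }] },
  { id: 2, module_name: 'minimist', severity: 'low',
    findings: [{ version: '1.2.0', dev: true }] },
  // Reachable both through a dev path and a production path.
  { id: 3, module_name: 'yargs-parser', severity: 'moderate',
    findings: [{ version: '13.1.1', dev: true }, { version: '15.0.0', dev: false }] },
];

// An advisory is "dev only" when every path that reaches it is a dev dependency.
// An advisory with a mixed set of paths still affects production code.
function isDevOnly(advisory) {
  return advisory.findings.length > 0 && advisory.findings.every(f => f.dev);
}

// Buggy shape of the logic reported in the issue: the dev filter runs
// unconditionally, so the value of ignoreDev never changes the result.
function filterAdvisoriesBuggy(advisories, ignoreDev) {
  const filteredByDev = advisories.filter(a => !isDevOnly(a));
  return filteredByDev; // ignoreDev is accepted but never consulted
}

// Corrected: only drop dev-only advisories when the caller asked for that.
function filterAdvisoriesFixed(advisories, ignoreDev) {
  const filteredByDev = ignoreDev
    ? advisories.filter(a => !isDevOnly(a))
    : advisories;
  return filteredByDev;
}

// Ids of the advisories a CI run would still report, given a filter function.
function reportedIds(advisories, ignoreDev, filterFn = filterAdvisoriesFixed) {
  return filterFn(advisories, ignoreDev).map(a => a.id);
}

// Severity ranking used for the build gate below (an assumption of this example).
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// A CI wrapper fails the build when any advisory that survives filtering is at
// or above the configured threshold.
function failsBuild(advisories, { ignoreDev = false, threshold = 'moderate' } = {}) {
  const floor = SEVERITY_RANK[threshold];
  return filterAdvisoriesFixed(advisories, ignoreDev)
    .some(a => SEVERITY_RANK[a.severity] >= floor);
}

// With the buggy filter, ignoreDev=false and ignoreDev=true give the same answer;
// with the fixed filter, the dev-only advisory (id 2) is reported unless ignored.
console.log('buggy, ignoreDev=false:', reportedIds(sampleAdvisories, false, filterAdvisoriesBuggy));
console.log('buggy, ignoreDev=true :', reportedIds(sampleAdvisories, true, filterAdvisoriesBuggy));
console.log('fixed, ignoreDev=false:', reportedIds(sampleAdvisories, false));
console.log('fixed, ignoreDev=true :', reportedIds(sampleAdvisories, true));
console.log('fails build at "low", ignoring dev:', failsBuild(sampleAdvisories, { ignoreDev: true, threshold: 'low' }));
```

The mixed-path advisory (id 3) is the case worth checking when reviewing a fix like this: a filter that drops an advisory as soon as any path is a dev path would silently hide a production-reachable finding, so the dev-only test must use `every`, not `some`.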

InfoSec812 commented 3 years ago

But it does use the ignoreDev argument 2 lines further down in the return statement.

eL-HaXo commented 3 years ago

That line is unreachable.

eL-HaXo commented 3 years ago

Sorry it's line 130 that's unreachable. If the condition on line 117 is false, the ignoreDev option isn't considered because line 130 is unreachable.

InfoSec812 commented 3 years ago

@eL-HaXo - So, there are 2 different paths here because of different versions of the Audit API and NPM... Back in NPM 6.2 there was a structure which is handled by the logic on line 130. In later versions, they changed the JSON structure returned by the audit API and so the logic on line 118 handles that. Now, with the latest changes, both of those sets of logic are broken yet again and I just don't have the time to keep chasing after NPM's whims. I highly recommend that you use Sonatype's auditjs as a replacement. I am just going to mark this project as deprecated.