tnobody / lerna-audit

Micro util to run npm audit in lerna monorepos

lerna-audit reorders package.json properties even with --no-fix and when there are no vulnerabilities #27

Open alexmcmanus opened 3 years ago

alexmcmanus commented 3 years ago

lerna-audit reorders the properties in package.json files even when the --no-fix flag is used and there are no vulnerabilities. As well as randomly changing files in the Git working directory, this causes problems when it's used as pre-publish check, as the publish then fails because the working directory is not clean.

I think it should restore the original unchanged files if the user specifies --no-fix, or if no vulnerabilities were detected. What it actually does is re-save the file via arborist in all scenarios other than an error being thrown, which is where the reordering comes from.

There are a couple of scenarios in which package.json can change unexpectedly. The first is if your dependencies are not alphabetically ordered - arborist sorts them. The second is when your dependencies are only other Lerna packages - lerna-audit strips them all out of package.json for audit to run, leaving no dependencies. Arborist is asked to update this file, and as there are no existing dependencies to update, it just appends them at the end. Same for dev dependencies.

Ideally (in my opinion), lerna-audit would make minimal changes to package.json even when fixing vulnerabilities. This reordering seems a little unexpected.

There is a somewhat-related issue + PR about a new version of arborist: https://github.com/tnobody/lerna-audit/issues/25. I'd suggest dropping it altogether: update the original JSON with the new version numbers and save the stringify-ed result.

I'm using lerna-audit 1.3.1.
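The merge approach proposed above (update the original JSON in place and write back the stringified result), as an added example that is not lerna-audit's own code; `applyVersionUpdates`, the field list and the sample manifests are constructed for illustration:

```javascript
// Added example (not lerna-audit's code): apply audit-fix version bumps to the
// original package.json text while keeping property order, and return the text
// byte-for-byte unchanged when no version actually changed (e.g. --no-fix, or
// an audit that found nothing).
const DEP_FIELDS = ["dependencies", "devDependencies"];

// original: the package.json text as read from disk.
// fixed: a manifest object whose versions may have been bumped by the audit
//        and from which workspace-internal packages may have been stripped.
function applyVersionUpdates(original, fixed) {
  const manifest = JSON.parse(original); // JSON.parse keeps key order
  let changed = false;
  for (const field of DEP_FIELDS) {
    const current = manifest[field];
    const updated = fixed[field];
    if (!current || !updated) continue; // nothing to merge for this field
    for (const [name, version] of Object.entries(updated)) {
      // Only touch names already present in the original: stripped internal
      // packages keep their position and nothing gets appended at the end.
      if (name in current && current[name] !== version) {
        current[name] = version;
        changed = true;
      }
    }
  }
  if (!changed) return original; // leave the working tree clean
  // Preserve the file's indentation and trailing newline.
  const indent = (original.match(/^[ \t]+/m) || ["  "])[0];
  const eol = original.endsWith("\n") ? "\n" : "";
  return JSON.stringify(manifest, null, indent) + eol;
}

// Constructed sample: devDependencies listed before dependencies, deps not
// alphabetical, and a workspace package (@acme/core) that would be stripped
// before auditing.
const ORIGINAL = JSON.stringify({
  name: "@acme/app",
  version: "1.0.0",
  devDependencies: { zebra: "^1.0.0", alpha: "^2.0.0" },
  dependencies: { "@acme/core": "^1.0.0", lodash: "4.17.20" },
}, null, 2) + "\n";

// Constructed audit result: internal package gone, lodash bumped, devDeps sorted.
const FIXED = {
  dependencies: { lodash: "4.17.21" },
  devDependencies: { alpha: "^2.0.0", zebra: "^1.0.0" },
};
```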

svettwer commented 3 years ago

Hi :wave:

We removed arborist from the project. Nevertheless, reordering dependencies/properties is still a thing. Some work has to be done to consider property position while merging project internal dependencies to the audited package.json.