Difference between `npm install` and `npm audit` counts?

After the recent addition of `npm audit` (for auditing dependencies) I noticed a huge discrepancy between how many packages are `added` (installed in `node_modules`) and how many are `audited` by `npm`. Here's an example:

[image: npm install output]

Here are my questions:

  • Am I correct that 281 is the total number of packages installed?
  • Why is npm auditing so many more packages than the ones in my project?

It makes sense to me that npm might have to go back out and audit other package versions if it finds a vulnerability, but in this case it `found 0 vulnerabilities`, so why the additional work?

UPDATE:

I think there's a little confusion about top-level vs sub dependencies. Run the following commands to reproduce a similar discrepancy:

mkdir test-npm-count-discrepancy
cd test-npm-count-discrepancy
npm init
npm i standard-version

Notice that (at the time of writing this) 200+ dependencies are `added` (i.e. `standard-version` and all its sub dependencies) but 1000+ packages are `audited`. Just to re-iterate, the main question from above is "why is npm auditing more packages than what's actually installed?".

For the first question: the community, without a link to something like a dependency list or your `package.json`, wouldn't really be able to say so. However, if your package file only has a few, then it still is normal most of the time. You may have installed 12 yourself, but NPM auto-installs most, if not all, dependencies for your app's dependencies for you. It helps speed up your workflow.

For the second question: as mentioned in my response to the first question, it is auditing both the ones you installed and the ones that were installed automatically so that the ones you installed work properly.

For the third question: it always checks for vulnerabilities marked by developers so you can have the latest version which is, most of the time, the least buggy, the most functional, and most secure.

Edit: The whole point of `npm install` is to update current dependencies and install new ones to the directory. The point of `npm audit` is to check for dependencies that have updates marked to fix security issues.

Edit 2: I think I've got it: it could be auditing the installed dependencies for production, your dependencies, and the dev-dependencies to warn you that one of your dependencies was built insecurely by the developer.
