Make `npm ls somepackage` command respect version range

Question

I'm trying to use npm ls to find the source of security warnings. The docs mention that:

Positional arguments are name@version-range identifiers, which will limit the results to only the paths to the packages named.

I'm fixing CVE-2020-7598 for package minimist which says:

CVE-2020-7598 Vulnerable versions: < 0.2.1 Patched version: 0.2.1

Now npm ls minimist gives all dependencies tracked, but I want to do it for the specific range. So I've tried:

• npm ls "minimist<0.2.1" gives The system cannot find the file specified.
• npm ls "minimist@<0.2.1" gives The system cannot find the file specified.
• npm ls "minimist@<=0.2.0" gives The system cannot find the file specified.
• npm ls "minimist@0.2.0" gives -- (empty) (which makes sense because eg 0.0.8 is in my tree)

So, how can I make npm ls return packages below a certain version in my dependency tree?

Answer 1

The synopsis for the command you want is as follows:

npm ls <pkg>@"<comparator>"
             ^            ^

Note: The double quotes are wrapped around the comparator part only.

For instance:

npm ls minimist@"<0.2.1"
                ^      ^

Any valid semver range comparators are permitted between the quotes. For example:

npm ls minimist@"<=0.2.0 >=0.0.8"
                ^               ^