What / Why
npm ls is helpful for discovering installed modules, and its output can support many best practices for software packaging hygiene. One example is detecting whether users have installed ad hoc modules without going through the proper tooling, which can be done by looking for the "extraneous" annotation in npm ls output.
However, the current npm ls truncates the dependencies of extraneous modules -- see https://github.com/npm/cli/blob/latest/lib/ls.js#L82, introduced by npm/npm#6064. That is, we would miss the transitive dependencies pulled in by an ad hoc installation. This can lead to false positives in security scans and increases unknown risk.
I would like to propose revealing all these details under a flag, say --include-extraneous-dep.
Where
How
By feature flag
Current Behavior
npm ls truncates the dependencies of extraneous modules.
Expected Behavior
npm ls --include-extraneous-dep outputs the complete dependency tree.