Verify latest release
- I verified that the issue exists in the latest pnpm release
pnpm version
10.27.0
Which area(s) of pnpm are affected? (leave empty if unsure)
CLI
Link to the code that reproduces this issue or a replay of the bug
see repo steps
Reproduction steps
11:12:49.368 in .../Desktop
➜ mkdir test && cd test
11:12:49.368 in .../Desktop/test
➜ echo 24.12.0 > .node-version
11:13:07.761 in .../Desktop/test
➜ pnpm --version
10.27.0
11:13:31.690 in .../Desktop/test
➜ pnpm i eslint@9.25.0
Packages: +85
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Progress: resolved 85, reused 79, downloaded 6, added 85, done
dependencies:
+ eslint 9.25.0 (9.39.2 is available)
Done in 1.7s using pnpm v10.27.0
11:13:47.331 in .../Desktop/test
➜ echo audit-level = critical > .npmrc
11:14:20.346 in .../Desktop/test
➜ pnpm audit
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate │ eslint has a Stack Overflow when serializing objects │
│ │ with circular references │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package │ eslint │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <9.26.0 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions │ >=9.26.0 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths │ .>eslint │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-p5wg-g6qr-c7cg │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low │ @eslint/plugin-kit is vulnerable to Regular Expression │
│ │ Denial of Service attacks through ConfigCommentParser │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package │ @eslint/plugin-kit │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <0.3.4 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions │ >=0.3.4 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths │ .>eslint>@eslint/plugin-kit │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-xffm-g5w8-qvg7 │
└─────────────────────┴────────────────────────────────────────────────────────┘
2 vulnerabilities found
Severity: 1 low | 1 moderate
11:14:26.450 in .../Desktop/test
➜ echo $?
1
Describe the Bug
With audit-level set in npmrc as above, the pnpm audit command returns a non-0 code.
Expected Behavior
pnpm audit should return 0
Which Node.js version are you using?
24.12.0
Which operating systems have you used?
- macOS
- Windows
- Linux
If your OS is Linux based, which one is it? (Include the version if relevant)
No response
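The threshold behaviour this report expects can be enforced on the CI side regardless of the CLI's exit status. The following is an added example, not pnpm's code and not from the issue author: the function names are hypothetical, the `low` fallback is an assumption, and the counts object is assumed to match the shape of `metadata.vulnerabilities` in `pnpm audit --json` output.

```javascript
// Added example (hypothetical helper names). Severity order, lowest to highest.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Read `audit-level` from .npmrc text (ini style: key = value; # and ; start comments).
// `fallback` is an assumed default used when the key is absent.
function auditLevelFromNpmrc(text, fallback = "low") {
  let level = fallback;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, "").toLowerCase();
    if (key !== "audit-level") continue;
    if (!SEVERITIES.includes(value)) throw new Error(`unknown audit-level: ${value}`);
    level = value; // last occurrence wins
  }
  return level;
}

// Decide the gate result from per-severity counts: only findings at or above
// the threshold block the build.
function gate(counts, level) {
  const min = SEVERITIES.indexOf(level);
  if (min === -1) throw new Error(`unknown audit-level: ${level}`);
  const blocking = {};
  for (const [sev, n] of Object.entries(counts)) {
    const rank = SEVERITIES.indexOf(sev);
    // Fail closed on a severity name this gate does not know how to rank.
    if (rank === -1) throw new Error(`unknown severity in report: ${sev}`);
    if (rank >= min && n > 0) blocking[sev] = n;
  }
  return { exitCode: Object.keys(blocking).length ? 1 : 0, blocking };
}

// Constructed inputs mirroring the report: .npmrc line and "1 low | 1 moderate".
const sampleNpmrc = "audit-level = critical\n";
const sampleCounts = { info: 0, low: 1, moderate: 1, high: 0, critical: 0 };
console.log(gate(sampleCounts, auditLevelFromNpmrc(sampleNpmrc)));
```

In a pipeline the returned `exitCode` would be passed to `process.exit`, so the build result depends on the parsed report rather than on the audit command's own status.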