Report only production packages

[JosXa]

It appears that there is no option to do the checks only for non-development packages at the moment. Is this on the roadmap?

[noahnu]

Not on any roadmap at the moment, but contributions welcome.

Do you want to apply different rules for non-production dependencies, or disable entirely?

[Eli-Black-Work]

For us, we generally only care about dependencies for production packages.

I suppose it could be nice to have different rules for non-production dependencies, though, so that we could do things like this:

• Production dependencies: MIT license only
• Non-production dependencies: MIT, GNU, etc., but no proprietary licenses that require use to pay to use the software.

[JosXa]

Do you want to apply different rules for non-production dependencies, or disable entirely?

In our case, the development packages don't fall under any licensing restrictions and we can just ignore them entirely.

This is a good point however:

Non-production dependencies: MIT, GNU, etc., but no proprietary licenses that require use to pay to use the software.

[MLSTRM]

I also ran into this need/restriction recently and have raised a PR #62 to add in a separate config field so that different rules can be applied for dev dependencies, as well as some logical changes to support it based on the npm audit plugin yarn already has (see here https://github.com/yarnpkg/berry/blob/master/packages/plugin-npm-cli/sources/npmAuditUtils.ts )