-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] npm audit places false blame #506
Comments
This is a great catch; i don’t use lockfiles on published projects so haven’t run into it, but the range, not the locked version, is the only thing that should matter on a published project. I don’t think npm can avoid having a way to differentiate apps from packages, tbh :-/ |
I think I am seeing the same issue. |
npm If your bug is preproducible on If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo Closing: This is an automated message. |
What / Why
npm audit
reports a list of vulnerable packages per package-lock.json. This results in spam to maintainers as the audit report places frequently false blame for installing the vulnerable version.When
package-lock.json was created before a vulnerability fix was released it blocks update to an in-range vulnerability fix.
Where
How
Current Behavior
Steps to Reproduce
You can clone https://github.com/istanbuljs/nyc and check-out the v14.1.1 tag which has an old package-lock.json, run
npm audit
Expected Behavior
This reflects the fact that the source of the vulnerability is an outdated package-lock.json which is blocking an in-range update. My view is that
istanbul-reports
should not be named bynpm audit
unless the vulnerability fix is out of range, for example if istanbul-reports depends onhandlebars@^4
but fixing requires upgrade to[email protected]
). The other exception is bundled dependencies, if a vulnerable version is pulled in due to bundling then it is proper to name the package which did the bundling.Who
References
The text was updated successfully, but these errors were encountered: