-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] npm audit backwards compatibility against third party tools #1875
Comments
Thanks for catching this @doddi! |
Hmm, so it seems like, if there's no That would be quite easy to do. |
@isaacs this has definitely sat for a while, I'm going to make it a |
* [#1875](#1875) [npm/arborist#230](npm/arborist#230) Set default advisory `severity`/`vulnerable_range` when missing from audit endpoint data ([@isaacs](https://github.com/isaacs)) * [npm/arborist#231](npm/arborist#231) skip optional deps with mismatched platform or engine ([@nlf](https://github.com/nlf)) * [#2251](#2251) Unpack shrinkwrapped deps not already unpacked ([@isaacs](https://github.com/isaacs), [@nlf](https://github.com/nlf)) * [#2714](#2714) Do not write package.json if nothing changed ([@isaacs](https://github.com/isaacs)) * [npm/rfcs#324](npm/rfcs#324) Prefer peer over prod dep, if both specified ([@isaacs](https://github.com/isaacs)) * [npm/arborist#236](npm/arborist#236) Fix additional peerOptional conflict cases ([@isaacs](https://github.com/isaacs))
Current Behavior:
When performing an npm audit using a third party tool that currently audits successfully when using npm cli v6, the response using npm v7 is 0 vulnerabilities.
The third party tool does not currently implement the new endpoint /-/npm/v1/security/advisories/bulk and as such the cli defaults back to using the quick audit implementation.
The quick audit response is converted to a bulk advisory but there is no
vulnerable_versions
entry and therefore no vulnerabilities are surfaced. Previously,vulnerable_versions
was not a required entry to surface vulnerabilities.Expected Behavior:
An npm audit using v6 and v7 should surface the same vulnerabilities or as a minimum fail safely and error if no
vulnerable_versions
entry is present an a response.Steps To Reproduce:
Run an npm audit using v6/v7 cli and ensure in a quick audit response there is no
vulnerable_versions
entry in the responsev6: vulnerability information is surfaced
v7: no vulnerability information is surfaced
Environment:
The text was updated successfully, but these errors were encountered: