
npm audit false negative #3605

Closed
cronon opened this issue Aug 3, 2021 · 2 comments
cronon commented Aug 3, 2021

Imagine that in my package-lock I have a transitive dependency at v1 which has a vulnerability fixed in v3. If I go to the package-lock and change the version of the dependency to v2, which still has the vulnerability, npm audit will not raise a warning about it.

I faced that in one of my projects and managed to isolate this to the following steps:

  1. Create an empty project
  2. Install [email protected]
  3. npm audit shows a warning about [email protected]. The problem within the package is fixed in versions 3.0.1 and 4.0.1
  4. Now we want to resolve it to version 2 with npm-force-resolutions https://github.com/rogeriochaves/npm-force-resolutions
    4.1. Install the package
    4.2. Add "resolutions": {"trim-newlines": "^2.0.0"} to your package.json
    4.3. Run ./node_modules/.bin/npm-force-resolutions
    4.4. (Doesn't seem to affect it; we can run npm ci)
  5. Now run npm audit again and it finds 0 vulnerabilities, despite both node_modules and package-lock containing the vulnerable version

```sh
npm init --yes
npm i [email protected] npm-force-resolutions
# see the warning about vulnerabilities

# add "resolutions": {"trim-newlines": "^2.0.0"} to your package.json
./node_modules/.bin/npm-force-resolutions
npm ci
npm audit
# see no warning here
```

I did it with [email protected], and a similar thing happened with [email protected]

I don't really understand whether it is a problem with npm-force-resolutions or with npm itself. I also opened a ticket there: rogeriochaves/npm-force-resolutions#40

ljharb (Contributor) commented Aug 3, 2021

It's almost surely "force resolutions"; npm isn't designed for that (yet).

darcyclarke (Contributor) commented

As @ljharb noted, this seems like it's an issue with the third-party npm-force-resolutions package/implementation. Based on the usage information for that package, it seems you have to add a preinstall script that will run and modify the package-lock.json prior to an npm install, which then ensures a specific resolution is applied and the correct version is installed. I can't confirm whether or not this library supports the latest versions of npm (i.e. v8), but I'm going to close this as any changes to fix this behavior will be required by that library's author.
