[BUG] NPM v8 Audit Output Confusing #4161

Open
2 tasks done
akr24 opened this issue Dec 11, 2021 · 1 comment
Labels
Bug (thing that needs fixing), Needs Triage (needs review for next steps), Release 8.x (work is associated with a specific npm 8 release)

Comments

@akr24

akr24 commented Dec 11, 2021

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

I use npm audit in some CI/CD pipelines that I manage. We're in the process of migrating our projects to Node v16 and NPM v8. When using npm audit on NPM v8, I get some confusing output that I don't really know how to interpret. Many reported vulnerabilities lack a reference number or a link to a GitHub advisories page. In the image below, the first vulnerability reported by npm audit (called ansi-regex) contains a "via" array with an object containing source, dependency, and URL (GitHub advisory) info. The subsequent vulnerability (called cliui) contains a "via" array with hardly any information at all.
[Screenshot: npm audit output, 2021-11-18]
I assume that the cliui vulnerability traces all the way up to the ansi-regex one (guessing because via contains strip-ansi and wrap-ansi), but I can't be totally certain. I don't know how to interpret the differences in these vulnerability reports. Does every vulnerability have a reference number/GitHub Advisories page? Is there a way to run npm audit such that each vulnerability reported contains the same information? If not, I would find this tool really frustrating to use.

Full output:
{
"auditReportVersion": 2,
"vulnerabilities": {
"ansi-regex": {
"name": "ansi-regex",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1004946,
"name": "ansi-regex",
"dependency": "ansi-regex",
"title": " Inefficient Regular Expression Complexity in chalk/ansi-regex",
"url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw",
"severity": "moderate",
"range": ">2.1.1 <5.0.1"
}
],
"effects": [
"strip-ansi"
],
"range": ">2.1.1 <5.0.1",
"nodes": [
"node_modules/inquirer/node_modules/ansi-regex",
"node_modules/nsp/node_modules/ansi-regex"
],
"fixAvailable": true
},
"anymatch": {
"name": "anymatch",
"severity": "low",
"isDirect": false,
"via": [
"micromatch"
],
"effects": [
"chokidar"
],
"range": "1.2.0 - 1.3.2",
"nodes": [
"node_modules/anymatch"
],
"fixAvailable": false
},
"babel-cli": {
"name": "babel-cli",
"severity": "high",
"isDirect": true,
"via": [
"chokidar"
],
"effects": [],
"range": "",
"nodes": [
"node_modules/babel-cli"
],
"fixAvailable": false
},
"braces": {
"name": "braces",
"severity": "low",
"isDirect": false,
"via": [
{
"source": 1006342,
"name": "braces",
"dependency": "braces",
"title": "Regular Expression Denial of Service in braces",
"url": "https://github.com/advisories/GHSA-g95f-p29q-9xw4",
"severity": "low",
"range": "<2.3.1"
}
],
"effects": [
"micromatch"
],
"range": "<2.3.1",
"nodes": [
"node_modules/braces"
],
"fixAvailable": false
},
"chokidar": {
"name": "chokidar",
"severity": "high",
"isDirect": false,
"via": [
"anymatch",
"glob-parent"
],
"effects": [
"babel-cli",
"glob-watcher"
],
"range": "1.0.0-rc1 - 2.1.8",
"nodes": [
"node_modules/chokidar",
"node_modules/glob-watcher/node_modules/chokidar"
],
"fixAvailable": false
},
"cli-table2": {
"name": "cli-table2",
"severity": "high",
"isDirect": false,
"via": [
"lodash"
],
"effects": [
"nsp"
],
"range": "",
"nodes": [
"node_modules/cli-table2"
],
"fixAvailable": {
"name": "nsp",
"version": "2.8.1",
"isSemVerMajor": true
}
},
"glob-base": {
"name": "glob-base",
"severity": "high",
"isDirect": false,
"via": [
"glob-parent"
],
"effects": [
"parse-glob"
],
"range": "",
"nodes": [
"node_modules/glob-base"
],
"fixAvailable": false
},
"glob-parent": {
"name": "glob-parent",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1005154,
"name": "glob-parent",
"dependency": "glob-parent",
"title": "Regular expression denial of service",
"url": "https://github.com/advisories/GHSA-ww39-953v-wcq6",
"severity": "high",
"range": "<5.1.2"
}
],
"effects": [
"chokidar",
"glob-base",
"glob-stream"
],
"range": "<5.1.2",
"nodes": [
"node_modules/glob-parent",
"node_modules/glob-stream/node_modules/glob-parent",
"node_modules/glob-watcher/node_modules/glob-parent"
],
"fixAvailable": false
},
"glob-stream": {
"name": "glob-stream",
"severity": "high",
"isDirect": false,
"via": [
"glob-parent"
],
"effects": [
"vinyl-fs"
],
"range": "5.3.0 - 6.1.0",
"nodes": [
"node_modules/glob-stream"
],
"fixAvailable": {
"name": "gulp",
"version": "3.9.1",
"isSemVerMajor": true
}
},
"glob-watcher": {
"name": "glob-watcher",
"severity": "high",
"isDirect": false,
"via": [
"chokidar"
],
"effects": [],
"range": ">=3.0.0",
"nodes": [
"node_modules/glob-watcher"
],
"fixAvailable": true
},
"gulp": {
"name": "gulp",
"severity": "high",
"isDirect": true,
"via": [
"vinyl-fs"
],
"effects": [],
"range": ">=4.0.0",
"nodes": [
"node_modules/gulp"
],
"fixAvailable": {
"name": "gulp",
"version": "3.9.1",
"isSemVerMajor": true
}
},
"inquirer": {
"name": "inquirer",
"severity": "moderate",
"isDirect": false,
"via": [
"string-width",
"strip-ansi"
],
"effects": [],
"range": "3.2.0 - 7.0.4",
"nodes": [
"node_modules/inquirer"
],
"fixAvailable": true
},
"isparta": {
"name": "isparta",
"severity": "high",
"isDirect": true,
"via": [
"nomnomnomnom"
],
"effects": [],
"range": ">=3.1.0",
"nodes": [
"node_modules/isparta"
],
"fixAvailable": {
"name": "isparta",
"version": "3.0.4",
"isSemVerMajor": true
}
},
"lodash": {
"name": "lodash",
"severity": "critical",
"isDirect": false,
"via": [
{
"source": 1005365,
"name": "lodash",
"dependency": "lodash",
"title": "Command Injection in lodash",
"url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
"severity": "high",
"range": "<4.17.21"
},
{
"source": 1006094,
"name": "lodash",
"dependency": "lodash",
"title": "Prototype Pollution in lodash",
"url": "https://github.com/advisories/GHSA-p6mc-m468-83gw",
"severity": "high",
"range": "<4.17.19"
},
{
"source": 1006231,
"name": "lodash",
"dependency": "lodash",
"title": "Prototype Pollution in lodash",
"url": "https://github.com/advisories/GHSA-jf85-cpcp-j695",
"severity": "critical",
"range": "<4.17.12"
},
{
"source": 1006298,
"name": "lodash",
"dependency": "lodash",
"title": "Prototype pollution in lodash",
"url": "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm",
"severity": "moderate",
"range": "<4.17.11"
},
{
"source": 1006517,
"name": "lodash",
"dependency": "lodash",
"title": "Prototype Pollution in lodash",
"url": "https://github.com/advisories/GHSA-fvqr-27wr-82fm",
"severity": "low",
"range": "<4.17.5"
}
],
"effects": [
"cli-table2"
],
"range": "<=4.17.20",
"nodes": [
"node_modules/cli-table2/node_modules/lodash"
],
"fixAvailable": {
"name": "nsp",
"version": "2.8.1",
"isSemVerMajor": true
}
},
"mem": {
"name": "mem",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1006311,
"name": "mem",
"dependency": "mem",
"title": "Denial of Service in mem",
"url": "https://github.com/advisories/GHSA-4xcv-9jjx-gfj3",
"severity": "moderate",
"range": "<4.0.0"
}
],
"effects": [
"os-locale"
],
"range": "<4.0.0",
"nodes": [
"node_modules/mem"
],
"fixAvailable": true
},
"micromatch": {
"name": "micromatch",
"severity": "high",
"isDirect": false,
"via": [
"braces",
"parse-glob"
],
"effects": [
"anymatch"
],
"range": "0.2.0 - 2.3.11",
"nodes": [
"node_modules/micromatch"
],
"fixAvailable": false
},
"nomnomnomnom": {
"name": "nomnomnomnom",
"severity": "high",
"isDirect": false,
"via": [
"underscore"
],
"effects": [
"isparta"
],
"range": "",
"nodes": [
"node_modules/nomnomnomnom"
],
"fixAvailable": {
"name": "isparta",
"version": "3.0.4",
"isSemVerMajor": true
}
},
"nsp": {
"name": "nsp",
"severity": "high",
"isDirect": true,
"via": [
"cli-table2"
],
"effects": [],
"range": ">=3.0.0",
"nodes": [
"node_modules/nsp"
],
"fixAvailable": {
"name": "nsp",
"version": "2.8.1",
"isSemVerMajor": true
}
},
"os-locale": {
"name": "os-locale",
"severity": "moderate",
"isDirect": false,
"via": [
"mem"
],
"effects": [
"yargs"
],
"range": "2.0.0 - 3.0.0",
"nodes": [
"node_modules/nsp/node_modules/os-locale"
],
"fixAvailable": true
},
"parse-glob": {
"name": "parse-glob",
"severity": "high",
"isDirect": false,
"via": [
"glob-base"
],
"effects": [
"micromatch"
],
"range": ">=2.1.0",
"nodes": [
"node_modules/parse-glob"
],
"fixAvailable": false
},
"string-width": {
"name": "string-width",
"severity": "moderate",
"isDirect": false,
"via": [
"strip-ansi"
],
"effects": [
"inquirer"
],
"range": "2.1.0 - 4.1.0",
"nodes": [
"node_modules/inquirer/node_modules/string-width",
"node_modules/nsp/node_modules/string-width"
],
"fixAvailable": true
},
"strip-ansi": {
"name": "strip-ansi",
"severity": "moderate",
"isDirect": false,
"via": [
"ansi-regex"
],
"effects": [
"inquirer",
"string-width"
],
"range": "4.0.0 - 5.2.0",
"nodes": [
"node_modules/inquirer/node_modules/strip-ansi",
"node_modules/nsp/node_modules/strip-ansi"
],
"fixAvailable": true
},
"underscore": {
"name": "underscore",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1005367,
"name": "underscore",
"dependency": "underscore",
"title": "Arbitrary Code Execution in underscore",
"url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq",
"severity": "high",
"range": ">=1.3.2 <1.12.1"
}
],
"effects": [
"nomnomnomnom"
],
"range": "1.3.2 - 1.12.0",
"nodes": [
"node_modules/underscore"
],
"fixAvailable": {
"name": "isparta",
"version": "3.0.4",
"isSemVerMajor": true
}
},
"vinyl-fs": {
"name": "vinyl-fs",
"severity": "high",
"isDirect": false,
"via": [
"glob-stream"
],
"effects": [
"gulp"
],
"range": ">=2.4.2",
"nodes": [
"node_modules/vinyl-fs"
],
"fixAvailable": {
"name": "gulp",
"version": "3.9.1",
"isSemVerMajor": true
}
},
"yargs": {
"name": "yargs",
"severity": "moderate",
"isDirect": false,
"via": [
"os-locale",
"yargs-parser"
],
"effects": [],
"range": "8.0.0-candidate.0 - 12.0.5",
"nodes": [
"node_modules/nsp/node_modules/yargs"
],
"fixAvailable": true
},
"yargs-parser": {
"name": "yargs-parser",
"severity": "moderate",
"isDirect": false,
"via": [
{
"source": 1005534,
"name": "yargs-parser",
"dependency": "yargs-parser",
"title": "Prototype Pollution in yargs-parser",
"url": "https://github.com/advisories/GHSA-p9pc-299p-vxgp",
"severity": "moderate",
"range": ">=6.0.0 <13.1.2"
}
],
"effects": [
"yargs"
],
"range": "6.0.0 - 13.1.1",
"nodes": [
"node_modules/nsp/node_modules/yargs-parser"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 2,
"moderate": 8,
"high": 15,
"critical": 1,
"total": 26
},
"dependencies": {
"prod": 32,
"dev": 1129,
"optional": 41,
"peer": 0,
"peerOptional": 0,
"total": 1160
}
}
}

Expected Behavior

NPM audit reports all vulnerabilities with the same level of information.

Steps To Reproduce

  1. Node v16 and NPM v8 with any node project
  2. run "npm audit" or "npm audit --json"
  3. See the differences in information for reported vulnerabilities.

Environment

  • npm: 8.0.0
  • Node: 16.11.1
  • OS: Ubuntu 18.04.3 LTS
@akr24 akr24 added the Bug (thing that needs fixing), Needs Triage (needs review for next steps), and Release 8.x (work is associated with a specific npm 8 release) labels Dec 11, 2021
@cameronbosnic

Bump
