[BUG] npm audit backwards compatibility against third party tools #1875

@doddi

Description

Current Behavior:

When performing an npm audit using a third party tool that currently audits successfully when using npm cli v6, the response using npm v7 is 0 vulnerabilities.

The third party tool does not currently implement the new endpoint /-/npm/v1/security/advisories/bulk and as such the cli defaults back to using the quick audit implementation.

The quick audit response is converted to a bulk advisory but there is no vulnerable_versions entry and therefore no vulnerabilities are surfaced. Previously, vulnerable_versions was not a required entry to surface vulnerabilities.

Expected Behavior:

An npm audit using v6 and v7 should surface the same vulnerabilities or, as a minimum, fail safely and error if no vulnerable_versions entry is present in a response.

Steps To Reproduce:

Run an npm audit using the v6/v7 cli and ensure there is no vulnerable_versions entry in the quick audit response
v6: vulnerability information is surfaced
v7: no vulnerability information is surfaced

Environment:

  • OS: MacOS
  • Node: 14.2.0
  • npm: v7.0.0-beta.12 commit 9bc6966
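The failure mode described in this issue is a conversion step: a quick-audit response is turned into the bulk-advisory shape, and an advisory without vulnerable_versions yields an entry nothing can match, so the audit quietly reports 0 vulnerabilities. The following is an added example, not npm's or arborist's own code, showing a converter that fails closed instead: in strict mode it errors on a missing range, and in lenient mode it derives an exact-version range from the findings and records which advisories were patched up. The response shapes (advisories keyed by id with module_name, vulnerable_versions and findings; bulk output keyed by package name) are assumptions based on the public audit endpoints, and the advisory ids, package names and URLs are constructed sample data.

```javascript
// Added example, not npm's own code. Converts a v6-style "quick audit"
// response into the v7 bulk-advisory shape and refuses to silently turn a
// missing vulnerable_versions entry into "0 vulnerabilities".
//
// Assumed response shapes (an assumption; real field names may differ):
//   quick: { advisories: { [id]: { id, module_name, severity, title, url,
//                                   vulnerable_versions, findings: [{ version, paths }] } } }
//   bulk:  { [packageName]: [ { id, url, title, severity, vulnerable_versions } ] }

// Constructed sample: one complete advisory and one that lacks
// vulnerable_versions, the case described in the issue.
const SAMPLE_QUICK = {
  advisories: {
    1001: {
      id: 1001, module_name: 'example-pkg-a', severity: 'high',
      title: 'Constructed advisory A', url: 'https://example.invalid/advisories/1001',
      vulnerable_versions: '<2.0.0',
      findings: [{ version: '1.4.0', paths: ['example-pkg-a'] }],
    },
    1002: {
      id: 1002, module_name: 'example-pkg-b', severity: 'moderate',
      title: 'Constructed advisory B (no range)', url: 'https://example.invalid/advisories/1002',
      findings: [
        { version: '0.0.8', paths: ['example-pkg-b'] },
        { version: '1.2.0', paths: ['x>example-pkg-b'] },
        { version: '1.2.0', paths: ['y>example-pkg-b'] },
      ],
    },
  },
};

function hasRange(adv) {
  return typeof adv.vulnerable_versions === 'string' && adv.vulnerable_versions.trim() !== '';
}

// strict=true (default): throw on a missing range so the audit fails closed.
// strict=false: derive an exact-version range from findings (each finding is
// a version the server already flagged) and record the advisory in `derived`.
function quickToBulk(quick, { strict = true } = {}) {
  const bulk = {};
  const derived = [];
  const advisories = (quick && quick.advisories) || {};
  for (const adv of Object.values(advisories)) {
    const name = adv.module_name;
    if (!name) throw new Error(`advisory ${adv.id} has no module_name`);
    let range = adv.vulnerable_versions;
    if (!hasRange(adv)) {
      if (strict) {
        throw new Error(`advisory ${adv.id} for ${name} has no vulnerable_versions; ` +
          'refusing to report it as not vulnerable');
      }
      // Deduplicate the flagged versions and join them as a semver OR-range
      // of exact versions, e.g. "0.0.8 || 1.2.0".
      const versions = [...new Set((adv.findings || []).map((f) => f.version).filter(Boolean))];
      if (versions.length === 0) {
        throw new Error(`advisory ${adv.id} for ${name} has neither vulnerable_versions nor findings`);
      }
      range = versions.join(' || ');
      derived.push({ id: adv.id, name, vulnerable_versions: range });
    }
    if (!bulk[name]) bulk[name] = [];
    bulk[name].push({
      id: adv.id, url: adv.url, title: adv.title, severity: adv.severity, vulnerable_versions: range,
    });
  }
  return { bulk, derived };
}

// Number of advisory entries in a bulk response; a quick sanity check that
// should never be 0 when the quick response contained advisories.
function countVulnerabilities(bulk) {
  return Object.values(bulk).reduce((n, list) => n + list.length, 0);
}

// Stand-alone run: strict mode errors on advisory 1002, lenient mode keeps it.
function demo() {
  try { quickToBulk(SAMPLE_QUICK); } catch (e) { console.error('strict:', e.message); }
  const { bulk, derived } = quickToBulk(SAMPLE_QUICK, { strict: false });
  console.log(countVulnerabilities(bulk), 'advisories;', derived.length, 'with a derived range');
}
demo();
```

Matching the resulting ranges against installed versions is left to the caller (npm does this with semver); the point here is only that an advisory the server returned never disappears between the two formats without an error or an explicit record of what was derived.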

Metadata

Labels

  • Bug: thing that needs fixing
  • Priority 2: secondary priority issue
  • Release 7.x: work is associated with a specific npm 7 release
