[RRFC] npm audit <package> for a not yet installed package

[Christian24]

Motivation ("The Why")

In some environments (aka corporate) the NPM Registry might be behind a firewall like Nexus Firewall (which automatically blocks vulnerable packages and responds to npm with status code 403. It would be nice to have the ability to query for vulnerabilities before installing a package.

Example

npm audit <package name> --remote
This would probably not have to report back a detailed report, a summary of vulnerabilities (low, moderate or high) would probably be enough.

How

Query npm audit for a not yet installed, single package.

Current Behaviour

There is nothing I am aware of.

Desired Behaviour

Report a summary of vulnerabilities for a not yet installed package back.

foo package security summary:

0 high vulnerabilities 
0 moderate vulnerabilities 
1 low vulnerability 

References

• n/a

[isaacs]

• Should be a subcommand (ie, there may be a package named "fix")
• Maybe attach this info to npm view?
• Getting the full advisory set for the specified package and its deps is a little more work, but probably way more useful.
• This is semver-minor, can come in a 7.x release.
• much easier if we restrict it to using the new bulk advisory endpoint (since it won't require generating a complete package-lock tree shape, though we'd have to do that anyway to test deps and metavulns, so maybe not much of an issue)

[isaacs]

there may be a package named "fix"

Ah yes, there is: https://www.npmjs.com/package/fix

[darcyclarke]

Action items

• @Christian24 to create a RFC

[Christian24]

Thanks, for the suggestions, @isaacs. I pretty much went with all of them for the RFC, @darcyclarke I opened a RFC, I would call it a draft, so if you have any comments let me know :)

[ruyadorno]

Let's follow up with the conversation in the PR now 😊