npm audit currently gets confused by package dependencies that are not on public NPM. This means any private wrapper libraries cause important security notices to go unseen, for the entire package subtree. Fortunately, relatively minor code changes could easily enable npm to audit these package trees as well.
Regardless of the source of the npm package, the target is always the local node_modules directory, complete with package.json details. So npm audit should in theory be able to add these entries to its scan list.
The vast majority of the package subtree should be auditable; only the specific tree nodes that are off the public NPM registry would be ineligible for CVE reports.
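To make the point above concrete, here is an added example (not code from the issue author or from npm's own audit implementation) that walks an npm v6 `package-lock.json` (lockfileVersion 1) and splits its nodes into those resolved from the public registry, which could be checked against its advisory data, and those resolved from elsewhere (a private registry, a `file:` path), which need another advisory source. The lock file contents, the `@acme/wrapper` and `local-tool` names and the `npm.acme.internal` host are constructed for the demonstration.

```javascript
// Added example: classify the nodes of a lockfileVersion 1 package-lock.json
// by where they were resolved from, so the public-registry subtree underneath
// a private wrapper is still listed for advisory lookup instead of being
// dropped along with the wrapper.

const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Constructed sample lock file (not a real project): a private wrapper that
// pulls public packages underneath it, plus a file: dependency.
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 1,
  dependencies: {
    '@acme/wrapper': {
      version: '2.1.0',
      resolved: 'https://npm.acme.internal/@acme/wrapper/-/wrapper-2.1.0.tgz',
      requires: { lodash: '^4.17.0', minimist: '^1.2.0' },
      dependencies: {
        minimist: {
          version: '1.2.0',
          resolved: 'https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz',
        },
      },
    },
    lodash: {
      version: '4.17.15',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz',
    },
    'local-tool': {
      // npm v6 records file: dependencies with the path in `version` and no `resolved`
      version: 'file:../local-tool',
    },
  },
};

// Depth-first walk over the nested `dependencies` objects, yielding one record
// per installed node together with the path of names leading to it.
function* walkLock(deps, parentPath = []) {
  for (const [name, node] of Object.entries(deps || {})) {
    const path = [...parentPath, name];
    yield { name, version: node.version, resolved: node.resolved, path };
    yield* walkLock(node.dependencies, path);
  }
}

// A node is auditable against the public registry only if it was fetched from it.
function isPublicRegistry(node) {
  return typeof node.resolved === 'string' && node.resolved.startsWith(PUBLIC_REGISTRY);
}

// Partition the tree into:
//   auditable   - name -> sorted distinct versions, the shape an advisory
//                 lookup by name and version needs
//   unauditable - nodes from other sources, reported with their tree path so
//                 they are visible rather than silently skipped
function classifyLock(lock) {
  const versionsByName = new Map();
  const unauditable = [];
  for (const node of walkLock(lock.dependencies)) {
    if (isPublicRegistry(node)) {
      if (!versionsByName.has(node.name)) versionsByName.set(node.name, new Set());
      versionsByName.get(node.name).add(node.version);
    } else {
      unauditable.push({ name: node.name, version: node.version, path: node.path.join(' > ') });
    }
  }
  const auditable = {};
  for (const [name, versions] of versionsByName) auditable[name] = [...versions].sort();
  return { auditable, unauditable };
}

// Stand-alone usage: print which part of the tree could be sent for lookup.
const result = classifyLock(sampleLock);
console.log('auditable:', JSON.stringify(result.auditable));
console.log('unauditable:', JSON.stringify(result.unauditable));
```

Running it on the sample lock reports `lodash` and `minimist` as auditable even though `minimist` sits under the private wrapper, and lists `@acme/wrapper` and `local-tool` as the only nodes for which the public advisory data cannot apply.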
mcandre changed the title from "[FEATURE] Audit private dependencies" to "[FEATURE] Turn auditing on for tertiary dependencies re: private dependencies" on May 15, 2020
npm v6 is no longer in active development. We will continue to push security releases to v6 at our team's discretion, as per our Support Policy.
If your bug is reproducible on v7, please re-file this issue using our new issue template.
If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo.