This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

Allow adding npm audit exceptions #20565

Open
westy92 opened this issue May 9, 2018 · 2 comments
Comments

westy92 commented May 9, 2018

What's the feature?

Add the ability to whitelist certain vulnerabilities during npm audit.

What problem is the feature intended to solve?

Allow adding exceptions for vulnerabilities so they don't show up in npm audit.

Is the absence of this feature blocking you or your team? If so, how?

No.

Is this feature similar to an existing feature in another tool?

NSP had it. You could have an .nsprc file that looked like this:

{
  "exceptions": [
    "https://nodesecurity.io/advisories/534"
  ]
}

Is this a feature you're prepared to implement, with support from the npm CLI team?

I'll assist as much as I can.

@glenjamin (Contributor) commented

I would like a feature like this as well, but ideally when adding an exception I would like to be able to state:

  • The advisory (as in the NSP example)
  • The dependency path I'm excepting
  • A textual reason

e.g.

exceptions: [
  {
    advisory: "https://nodesecurity.io/advisories/612",
    path: "webpack > watchpack > chokidar > fsevents > node-pre-gyp > rc > deep-extend",
    reason: "vulnerable code path not reachable"
  }
]

It would be awesome if there was some sort of wizard which would generate the above with prompting driven by the audit results.

I had a quick look at the snyk equivalent of this feature, and it also supports an expiry date on the exception, which seems like a decent idea (although it doesn't have a concept of path).

The reason I think path is useful is because a deeply nested transitive dependency could be exploitable via one dependency path, but not via another.

@alexander-akait commented

Without this feature it is impossible to replace nsp with npm audit and use it in CI. Sometimes it is impossible to fix all security problems in transitive packages.
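As an added worked example (not code from npm, nsp, or any commenter in this thread), the following Node.js script applies an exceptions list in the shape glenjamin proposes above (advisory URL, dependency path, textual reason, plus the expiry date he notes Snyk supports) to the JSON that `npm audit --json` produces, and derives a CI exit code from whatever is not excepted, which is the use case alexander-akait describes. Everything it consumes is constructed inline: the audit layout (`advisories` keyed by id, each with `findings[].paths` joined by `>`) is assumed to be the npm 6 shape, and the `expires` field and the helper names `applyExceptions`, `exitCodeFor`, `advisoryId`, `isActive` are this example's own choices, not an npm CLI API.

```javascript
'use strict';
// Added example, not npm CLI code. Assumptions (also stated in the lead-in):
//  - audit JSON has the npm 6 shape:
//    { advisories: { "<id>": { id, module_name, severity, url,
//        findings: [ { version, paths: ["a>b>c", ...] } ] } } }
//  - an exception matches by advisory id (trailing number of the advisory URL),
//    optionally narrowed to one dependency path, and may carry an `expires`
//    date (YYYY-MM-DD, UTC) after which it no longer suppresses anything.

// Constructed sample exceptions, in the shape proposed in this thread.
const EXCEPTIONS = [
  {
    advisory: 'https://nodesecurity.io/advisories/612',
    path: 'webpack > watchpack > chokidar > fsevents > node-pre-gyp > rc > deep-extend',
    reason: 'vulnerable code path not reachable',
    expires: '2030-01-01',
  },
  {
    advisory: 'https://nodesecurity.io/advisories/534',
    reason: 'no fix available upstream; re-evaluate',
    expires: '2000-01-01', // already expired: must not suppress anything today
  },
];

// Constructed sample of `npm audit --json` output: two advisories, three paths.
const SAMPLE_AUDIT = {
  advisories: {
    '612': {
      id: 612, module_name: 'deep-extend', severity: 'low',
      url: 'https://nodesecurity.io/advisories/612',
      findings: [
        { version: '0.4.1', paths: ['webpack>watchpack>chokidar>fsevents>node-pre-gyp>rc>deep-extend'] },
        { version: '0.4.1', paths: ['some-other-tool>deep-extend'] }, // not covered by the path-scoped exception
      ],
    },
    '534': {
      id: 534, module_name: 'hoek', severity: 'moderate',
      url: 'https://nodesecurity.io/advisories/534',
      findings: [{ version: '2.16.3', paths: ['request>hawk>hoek'] }],
    },
  },
};

// The advisory id is the trailing numeric path segment of the advisory URL.
function advisoryId(url) {
  const m = /\/(\d+)\/?$/.exec(url);
  if (!m) throw new Error(`cannot parse advisory id from ${url}`);
  return Number(m[1]);
}

// "a > b > c" (as humans write it) and "a>b>c" (as npm emits it) compare equal.
function normalisePath(p) {
  return p.split('>').map((s) => s.trim()).join('>');
}

// An exception without `expires` is permanent; otherwise it is active strictly before midnight UTC of that date.
function isActive(exc, now) {
  if (!exc.expires) return true;
  const expiry = new Date(`${exc.expires}T00:00:00Z`);
  if (Number.isNaN(expiry.getTime())) throw new Error(`bad expiry in exception for ${exc.advisory}`);
  return now < expiry;
}

// Returns the active exception covering (advisory id, dependency path), or undefined.
function findException(exceptions, id, path, now) {
  return exceptions.find((exc) =>
    isActive(exc, now) &&
    advisoryId(exc.advisory) === id &&
    (exc.path === undefined || normalisePath(exc.path) === normalisePath(path)));
}

// Splits every (advisory, path) pair into `remaining` (still reported) and
// `suppressed` (covered by an active exception, recorded with its reason).
function applyExceptions(audit, exceptions, now = new Date()) {
  const remaining = [];
  const suppressed = [];
  for (const adv of Object.values(audit.advisories)) {
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        const entry = { id: adv.id, module: adv.module_name, severity: adv.severity, path };
        const exc = findException(exceptions, adv.id, path, now);
        if (exc) suppressed.push({ ...entry, reason: exc.reason });
        else remaining.push(entry);
      }
    }
  }
  return { remaining, suppressed };
}

// CI contract: fail the build only if an unexcepted finding remains.
function exitCodeFor(result) {
  return result.remaining.length === 0 ? 0 : 1;
}

// Stand-alone demo on the constructed data, with a fixed clock for reproducibility.
const demo = applyExceptions(SAMPLE_AUDIT, EXCEPTIONS, new Date('2024-06-01T00:00:00Z'));
for (const s of demo.suppressed) console.log(`suppressed #${s.id} via ${s.path}: ${s.reason}`);
for (const r of demo.remaining) console.log(`${r.severity} ${r.module} (#${r.id}) via ${r.path}`);
console.log(`exit code would be ${exitCodeFor(demo)}`);
```

In real use you would replace `SAMPLE_AUDIT` with `JSON.parse` of `npm audit --json` read from stdin and call `process.exit(exitCodeFor(result))`; the per-path scoping is what lets an advisory reachable through one dependency chain stay reported while the same advisory through an unreachable chain is silenced, and the expiry keeps an exception from outliving the reasoning behind it.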

3 participants