This repository has been archived by the owner on Aug 11, 2022. It is now read-only.
npm is producing incorrect or undesirable behavior.
Other (see below for feature requests):
What's going wrong?
I am running an npm audit. I am using a library that has an underlying library, sshpk. If I add this library to node_modules directly, it is the most up-to-date version and technically all vulnerabilities would be solved at that juncture. However, due to some of my dependencies using an outdated version and logging it into the package-lock file, it will incorrectly determine that the vulnerability is still there.
I use this library in two places. In one project I managed to get the vulnerabilities to go away using 6.1 and reinstalling the dependencies, while another project seems to continue to include it in its package-lock, asking me to manually review this vulnerability instead.
How can the CLI team reproduce the problem?
The library in question is prometheus-gc-stats; it has an underlying sshpk vulnerability.
supporting information:
npm -v prints: 6.1.0
node -v prints: 9.11.1
npm config get registry prints: https://registry.npmjs.org/
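Added example (not part of the original issue and not npm's own code): a small Node.js walker over an npm 6 style lockfile (lockfileVersion 1) that lists every pinned copy of a package and which dependency asks for it, which is how to see a stale nested sshpk sitting beside an up-to-date top-level one. The sample lockfile is constructed; `example-native-dep` and all version numbers in it are hypothetical placeholders.

```javascript
// Walk an npm 6 (lockfileVersion 1) lock tree and report every pinned copy
// of `target`, plus every package whose `requires` map asks for it.
function findPinnedCopies(lock, target) {
  const copies = [];
  const requiredBy = [];
  (function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = path.concat(name);
      if (name === target) {
        copies.push({ path: here.join(' > '), version: entry.version });
      }
      if (entry.requires && target in entry.requires) {
        requiredBy.push({ parent: here.join(' > '), range: entry.requires[target] });
      }
      // Nested `dependencies` hold copies that could not be hoisted to the top level.
      walk(entry.dependencies, here);
    }
  })(lock.dependencies, []);
  return { copies, requiredBy };
}

// Constructed sample: a newer sshpk installed at the top level, and an older
// one still pinned underneath a dependency of prometheus-gc-stats.
// `example-native-dep` and every version number here are hypothetical.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'sshpk': { version: '9.9.9' },
    'prometheus-gc-stats': {
      version: '0.0.1',
      requires: { 'example-native-dep': '^1.0.0' },
      dependencies: {
        'example-native-dep': {
          version: '1.0.0',
          requires: { sshpk: '~1.0.0' },
          dependencies: { sshpk: { version: '1.0.0' } }
        }
      }
    }
  }
};

const report = findPinnedCopies(sampleLock, 'sshpk');
report.copies.forEach(c => console.log(`pinned ${c.version} at ${c.path}`));
report.requiredBy.forEach(r => console.log(`wanted ${r.range} by ${r.parent}`));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's package-lock.json.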