v0.14.68 Inconsistent results with npm audit and install. #399

Open
@samschurter

Description

Actual behavior

I'm getting some inconsistencies with socket-cli v0.14.68.
I'm using ZSH, and npm is aliased to socket npm.
I run npm install and get the following output:

   _____         _       _        /---------------
  |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver 0.14.68:23c5456:b9186436:pub
  |__   | . |  _| '_| -_|  _|     | Node: v22.14.0, API token set: BA9wW
  |_____|___|___|_,_|___|_|.dev   | Command: `socket npm`, cwd: ~/Development/Beyond-Maps/functions/uploadDocument

✔ Socket npm found no risks!

up to date, audited 507 packages in 1s

103 packages are looking for funding
  run `npm fund` for details

1 moderate severity vulnerability

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

So I run npm audit to get details and get the following:

   _____         _       _        /---------------
  |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver 0.14.68:23c5456:b9186436:pub
  |__   | . |  _| '_| -_|  _|     | Node: v22.14.0, API token set: BA9wW
  |_____|___|___|_,_|___|_|.dev   | Command: `socket npm`, cwd: ~/Development/Beyond-Maps/functions/uploadDocument

found 0 vulnerabilities

So the socket NPM wrapper is reporting 1 vulnerability with npm install and 0 with npm audit. But if I run npm audit fix, it acknowledges and explains the vulnerability.

   _____         _       _        /---------------
  |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver 0.14.68:23c5456:b9186436:pub
  |__   | . |  _| '_| -_|  _|     | Node: v22.14.0, API token set: BA9wW
  |_____|___|___|_,_|___|_|.dev   | Command: `socket npm`, cwd: ~/Development/Beyond-Maps/functions/uploadDocument


up to date, audited 507 packages in 4s

103 packages are looking for funding
  run `npm fund` for details

# npm audit report

vite  6.2.0 - 6.2.3
Severity: moderate
Vite bypasses server.fs.deny when using ?raw?? - https://github.com/advisories/GHSA-x574-m823-4x7w
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query - https://github.com/advisories/GHSA-4r4m-qw57-chr8
fix available via `npm audit fix`
node_modules/vite

1 moderate severity vulnerability

To address all issues, run:
  npm audit fix

But it doesn't actually bump the dependency and fix it. If I unalias npm and then run npm audit fix without using the socket wrapper, it complains about some peer deps, but fixes the vulnerability:

npm warn ERESOLVE overriding peer dependency
npm warn While resolving: @typescript-eslint/utils@7.18.0
npm warn Found: eslint@9.22.0
npm warn node_modules/eslint
npm warn   dev eslint@"^9.22.0" from the root project
npm warn   7 more (@eslint-community/eslint-utils, ...)
npm warn
npm warn Could not resolve dependency:
npm warn peer eslint@"^8.56.0" from @typescript-eslint/utils@7.18.0
npm warn node_modules/eslint-plugin-vitest/node_modules/@typescript-eslint/utils
npm warn   @typescript-eslint/utils@"^7.7.1" from eslint-plugin-vitest@0.5.4
npm warn   node_modules/eslint-plugin-vitest
npm warn
npm warn Conflicting peer dependency: eslint@8.57.1
npm warn node_modules/eslint
npm warn   peer eslint@"^8.56.0" from @typescript-eslint/utils@7.18.0
npm warn   node_modules/eslint-plugin-vitest/node_modules/@typescript-eslint/utils
npm warn     @typescript-eslint/utils@"^7.7.1" from eslint-plugin-vitest@0.5.4
npm warn     node_modules/eslint-plugin-vitest

changed 1 package, and audited 507 packages in 2s

103 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

Expected behavior

I would expect to get the same results with or without the socket wrapper (assuming no risks identified by socket). If I run npm install and it reports a vulnerability, then npm audit should explain the vulnerability. If npm audit reports that a vulnerability can be fixed, then npm audit fix should fix the vulnerability.

Additional details

I can provide the package.json and/or the package-lock.json if needed.
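A reproducer for the comparison described in this report, added here as an example (it is not the reporter's script and not part of socket-cli or npm). It runs npm audit --json once through plain npm (command npm, which bypasses the shell alias) and once through the socket npm wrapper, then compares metadata.vulnerabilities.total from the two reports. It assumes that socket npm audit --json forwards its arguments to npm unchanged (an assumption; the issue only shows the wrapper being used without flags) and that npm emits the v2 audit report format with a metadata.vulnerabilities.total field. The embedded sample report is constructed for offline checking and is not real npm output.

```shell
#!/bin/sh
# Compare `npm audit --json` with and without the socket npm wrapper.
# Added example, not code from the issue, socket-cli or npm.
# Assumptions: `socket npm audit --json` passes `--json` through to npm;
# npm emits the v2 audit report (metadata.vulnerabilities.total present).

# audit_total FILE: print metadata.vulnerabilities.total from an audit report.
# Plain POSIX awk, no jq/node needed. Records are split on "}": the
# metadata.vulnerabilities object holds only numbers, so it never contains a
# nested "}" and lands in a single record, and that record is the only one
# that carries both the "vulnerabilities" key and a "total" key (the
# dependencies block has "total" but not "vulnerabilities"; the per-package
# map has "vulnerabilities" but no "total"). Any non-JSON text printed before
# the report (for example a wrapper banner) contains no "}" and is ignored.
audit_total() {
  awk 'BEGIN { RS = "}" }
       /"vulnerabilities"/ && /"total"/ {
         if (match($0, /"total": *[0-9]+/)) {
           t = substr($0, RSTART, RLENGTH)
           gsub(/[^0-9]/, "", t)
           print t
           exit
         }
       }' "$1"
}

# compare_totals FILE_A FILE_B: print both counts; succeed only when they agree.
compare_totals() {
  a=$(audit_total "$1")
  b=$(audit_total "$2")
  printf 'plain npm : %s vulnerabilities\nsocket npm: %s vulnerabilities\n' \
    "${a:-?}" "${b:-?}"
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# write_sample_report FILE TOTAL: constructed minimal v2 audit report (not real
# npm output) so the parser can be exercised without a project or network.
write_sample_report() {
  cat > "$1" <<EOF
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "vite": {
      "name": "vite",
      "severity": "moderate",
      "isDirect": true,
      "range": "6.2.0 - 6.2.3",
      "nodes": ["node_modules/vite"],
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": { "info": 0, "low": 0, "moderate": $2, "high": 0, "critical": 0, "total": $2 },
    "dependencies": { "prod": 100, "dev": 400, "optional": 7, "peer": 0, "peerOptional": 0, "total": 507 }
  }
}
EOF
}

# Live comparison, only when RUN_LIVE=1 so the helpers above can be sourced
# and checked offline. `npm audit` exits non-zero whenever it finds something,
# hence `|| true`; the JSON on stdout is what we care about.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  dir=$(mktemp -d)
  command npm audit --json > "$dir/plain.json" || true
  socket npm audit --json > "$dir/socket.json" || true
  if compare_totals "$dir/plain.json" "$dir/socket.json"; then
    echo "wrapper and plain npm agree"
  else
    echo "MISMATCH: raw reports kept in $dir for the bug report"
    exit 1
  fi
fi
```

Run it from the project directory as RUN_LIVE=1 sh compare-audit.sh; on a mismatch the two raw JSON files are left behind, which is the artefact a maintainer would want attached to this issue alongside package.json and package-lock.json. Aliases are not expanded in non-interactive shells anyway, but command npm makes the intent explicit when the script is pasted into an interactive zsh session.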

Labels

question (Further information is requested)