eslint-plugin-import
Post `npm install` audit is bad
I forked this repository and ran npm install.
After installing, a quick audit was performed and said:
found 54 vulnerabilities (3 low, 49 high, 2 critical)
There's no lockfile (package-lock.json) so I can't run npm audit nor npm audit fix.
That’s fine, most CVEs are false positives anyways.
You're betting on chance, without in-depth analysis?
No, I’d be happy to take a look at it, which is why the issue is still open :-)
However, this is an eslint plugin. Issues in dev deps are largely irrelevant (what does npm audit --production say?), and this project won’t ever be run in production and is configured by the user, so anything that’s like “catastrophic regex backtracking” or “prototype pollution” is simply not applicable to the whole project.
Certainly we could also add a posttest script that runs npx aud (packages should never have a lockfile), once we figure out which warnings are real, if any.
npm audit --production says exactly the same as without the --production flag:
"Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile"
npm install did succeed in doing an audit, though.
Adding a posttest script sounds like a good idea.
You can run npx aud --production as well, without a lockfile.
Note that same should be done for resolvers/node/ and resolvers/webpack/.
Actually npx aud --production fails because:
Could not install from "tests\files\order-redirect-scoped" as it does not contain a package.json file.
But that's false, because it does have a package.json file.
Ah, yes, aud doesn't handle file: deps. Filed https://github.com/ljharb/aud/issues/2 for that.
Looks like npm itself can't handle our file: dev deps ¯\_(ツ)_/¯
Why? It's in the docs: https://docs.npmjs.com/files/package.json#local-paths
Presumably because it has a bug. npm install --package-lock --package-lock-only && npm audit --production complains about a malformed lockfile.
What node & npm versions is this built with?
In this case, node 13.0.1 and npm 6.12.0, the latest possible of both.
I just tried this on an Ubuntu VM with Node v8.10.0 and npm v3.5.2 and got the exact same error, plus it said "npm is v3.5.2; we need ^6; installing npm in a temp dir..."
aud does that, yes
npm v10.2+ no longer requires a lockfile, so there's no need to use aud or create a lockfile.
Confirmed this has been fixed in newer NodeJS/NPM versions. Audit is good, we have 0 vulns:
C:\Users\USER\Downloads\eslint-plugin-import-main\eslint-plugin-import-main>npm aud --omit=dev
found 0 vulnerabilities
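As an added example (not code from the eslint-plugin-import repository or from anyone in this thread), here is the kind of posttest gate the earlier comments suggest: it reads the JSON that `npm audit --omit=dev --json` produces, drops advisories below a severity threshold, tags each remaining one as a direct or transitive dependency, and reports whether the run should fail. The report shape assumed is the npm 7+ format (a top-level `vulnerabilities` object keyed by package name, each entry carrying `severity`, `isDirect`, `via`, `range` and `fixAvailable`); the sample report, the package names in it, and the `AUDIT_MIN_SEVERITY` variable are all constructed for the example.

```javascript
// Added example, not part of eslint-plugin-import or the thread above.
// Evaluates an `npm audit --json` report (npm 7+ shape, assumed) against a
// severity threshold so a posttest script can fail only on what matters.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report; package names and advisory URLs are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-regex-lib": {
      name: "example-regex-lib",
      severity: "high",
      isDirect: false,
      via: [{ title: "Regular expression denial of service", severity: "high", url: "https://example.invalid/advisory/1" }],
      effects: [],
      range: "<1.2.3",
      nodes: ["node_modules/example-regex-lib"],
      fixAvailable: true,
    },
    "example-deep-merge": {
      name: "example-deep-merge",
      severity: "critical",
      isDirect: true,
      via: [{ title: "Prototype pollution", severity: "critical", url: "https://example.invalid/advisory/2" }],
      effects: [],
      range: "<4.0.0",
      nodes: ["node_modules/example-deep-merge"],
      fixAvailable: false,
    },
    "example-logger": {
      name: "example-logger",
      severity: "low",
      isDirect: false,
      via: ["example-regex-lib"], // a string entry means "vulnerable only through that package"
      effects: [],
      range: "*",
      nodes: ["node_modules/example-logger"],
      fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 } },
};

// Returns the findings at or above `minSeverity` (most severe first), the total
// number of advisories in the report, and whether the gate should fail.
function evaluateAudit(report, minSeverity = "high") {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const vulns = (report && report.vulnerabilities) || {};
  const findings = Object.values(vulns)
    .filter((v) => (SEVERITY_RANK[v.severity] ?? -1) >= threshold)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      range: v.range,
      fixAvailable: Boolean(v.fixAvailable),
      // Object entries in "via" are the advisories themselves; string entries are
      // just the names of vulnerable packages this one depends on.
      advisories: (v.via || []).filter((x) => typeof x === "object").map((x) => x.title),
    }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { findings, failed: findings.length > 0, total: Object.keys(vulns).length };
}

// One line per finding plus a closing count, suitable for CI output.
function formatSummary(result) {
  const lines = result.findings.map(
    (f) =>
      `${f.severity.padEnd(8)} ${f.name} (${f.direct ? "direct" : "transitive"}, ${f.range}, ` +
      `fix ${f.fixAvailable ? "available" : "unavailable"}): ${f.advisories.join("; ") || "via dependency"}`
  );
  lines.push(`${result.findings.length} of ${result.total} advisories at or above threshold`);
  return lines.join("\n");
}

// Exit code a posttest script would use: 1 when something at/above threshold remains.
function gateExitCode(report, minSeverity) {
  return evaluateAudit(report, minSeverity).failed ? 1 : 0;
}

// Stand-alone run against the constructed sample (AUDIT_MIN_SEVERITY is an assumed name).
const demoResult = evaluateAudit(SAMPLE_REPORT, process.env.AUDIT_MIN_SEVERITY || "high");
console.log(formatSummary(demoResult));
```

To wire it in as a posttest step, feed it a real report (`npm audit --omit=dev --json > audit.json`), parse that file instead of `SAMPLE_REPORT`, and set `process.exitCode = gateExitCode(report, "high")`; `--omit=dev` is the npm 7+ spelling of the `--production` flag used earlier in this thread, so dev-only findings never reach the gate in the first place.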