
Report the full dependency path for vulnerable package

Open pkuczynski opened this issue 6 years ago • 0 comments

Prerequisites

  • [X] Plugin is in the latest version
  • [X] Issue was not reported yet
  • [ ] Stack trace (if provided) contains mobi.hsz.idea.gitignore package name

Description

In my project, I am using the jsdom package. The Node Security plugin complains that it has a dependency on hoek, which is vulnerable. However, this dependency is not direct; actually, jsdom depends on a package which depends on a package which depends on hoek. It takes a lot of time to figure out such a dependency path.

It would be awesome if Node Security plugin could report on the full dependency path, like:

jsdom > package A > package B > hoek is vulnerable...

or

hoek is vulnerable...
Dependencies:
  jsdom=^11.7.0 > packageA=^version > packageB=^version > hoek=^2.2
  jsdom=^11.7.0 > packageC=^version > hoek=^2.3

Probably the second is better as it can display multiple dependency branches leading to the issue...

pkuczynski avatar Apr 12 '18 14:04 pkuczynski
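The report format proposed above can be produced from the lockfile alone. The following is an added example (not code from the issue or from the Node Security plugin) that walks a `package-lock.json` (lockfileVersion 1) structure and prints every chain from the project root to an installed copy of the flagged package. All package data is constructed: only `jsdom` and `hoek` are real names, `package-a` through `package-d` stand in for the unnamed intermediates, and the "hoek below 4.2.1 is affected" threshold is an assumed stand-in for whatever the advisory feed returns.

```javascript
"use strict";

// Constructed package.json dependency ranges of the project root (assumption:
// the plugin reads these from package.json, since lock v1 has no root "requires").
const rootRequires = { jsdom: "^11.7.0", "package-d": "^1.0.0" };

// Constructed lockfileVersion 1 tree. A nested "dependencies" map means a second
// copy installed under that package's own node_modules.
const lock = {
  name: "my-app",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    jsdom: { version: "11.7.0", requires: { "package-a": "^1.0.0", "package-c": "^2.0.0" } },
    "package-a": { version: "1.2.0", requires: { "package-b": "^3.0.0" } },
    "package-b": { version: "3.1.0", requires: { hoek: "^2.2.0" } },
    "package-c": {
      version: "2.0.1",
      requires: { hoek: "^2.16.0" },
      dependencies: { hoek: { version: "2.16.3" } }, // hoisted 2.14.0 does not satisfy ^2.16.0
    },
    "package-d": {
      version: "1.0.0",
      requires: { hoek: "^4.2.1" },
      dependencies: { hoek: { version: "4.2.1" } }, // fixed copy, must not be reported
    },
    hoek: { version: "2.14.0" }, // hoisted copy, used by package-b
  },
};

// Minimal "x.y.z" comparison; enough for the constructed data above.
function versionLessThan(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10));
  const pb = b.split(".").map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Resolve `name` the way Node's loader does from a package whose physical
// ancestors (nearest first) are `scope`: the closest nested node_modules wins,
// then the hoisted top-level entry. Returns the entry plus its own physical scope.
function resolveEntry(lock, name, scope) {
  for (let i = 0; i < scope.length; i++) {
    const deps = scope[i].dependencies;
    if (deps && deps[name]) return { entry: deps[name], scope: scope.slice(i) };
  }
  return lock.dependencies[name] ? { entry: lock.dependencies[name], scope: [] } : null;
}

// Every chain [{name, range, version}, ...] from a root dependency down to an
// installed copy of `target` whose version satisfies `isVulnerable`.
function findVulnerablePaths(lock, rootRequires, target, isVulnerable) {
  const results = [];
  function walk(name, range, scope, chain, onPath) {
    const resolved = resolveEntry(lock, name, scope);
    if (!resolved) return; // not in the lockfile: skip rather than crash
    const { entry } = resolved;
    const key = `${name}@${entry.version}`;
    if (onPath.has(key)) return; // dependency cycle on the current path
    const nextChain = chain.concat([{ name, range, version: entry.version }]);
    if (name === target) {
      if (isVulnerable(entry.version)) results.push(nextChain);
      return;
    }
    const nextOnPath = new Set(onPath).add(key);
    const nextScope = [entry].concat(resolved.scope); // physical location, not require chain
    for (const [dep, depRange] of Object.entries(entry.requires || {})) {
      walk(dep, depRange, nextScope, nextChain, nextOnPath);
    }
  }
  for (const [dep, range] of Object.entries(rootRequires)) walk(dep, range, [], [], new Set());
  return results;
}

// "jsdom=^11.7.0 > package-a=^1.0.0 > ... > hoek=^2.2.0", the issue's second format.
function formatPath(chain) {
  return chain.map((s) => `${s.name}=${s.range}`).join(" > ");
}

function report(lock, rootRequires, target, isVulnerable) {
  const lines = [`${target} is vulnerable...`, "Dependencies:"];
  for (const p of findVulnerablePaths(lock, rootRequires, target, isVulnerable)) {
    lines.push(`  ${formatPath(p)} (installed ${p[p.length - 1].version})`);
  }
  return lines.join("\n");
}

// Assumed advisory threshold for the demo, not an actual advisory lookup.
const hoekVulnerable = (v) => versionLessThan(v, "4.2.1");

if (typeof require !== "undefined" && require.main === module) {
  console.log(report(lock, rootRequires, "hoek", hoekVulnerable));
}
```

Two details matter for correctness of the report: the version check must run on the copy that is actually resolved at each chain (here `package-d` pulls in a fixed nested `hoek` and is correctly left out), and resolution must follow the physical `node_modules` nesting rather than the logical require chain, otherwise a hoisted package would be matched against a sibling's nested copy. Lockfile version 2 and 3 store the same information under `packages` keyed by install path, which makes the physical scope explicit.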