idea-nodesecurity
Report the full dependency path for vulnerable package
## Prerequisites
- [X] Plugin is in the latest version
- [X] Issue was not reported yet
- [ ] Stack trace (if provided) contains `mobi.hsz.idea.gitignore` package name
## Description

In my project, I am using the `jsdom` package. Node Security plugin complains it has a dependency on `hoek`, which is vulnerable. However, this dependency is not direct: actually, `jsdom` depends on a package which depends on a package which depends on `hoek`. It takes a lot of time to figure out such a dependency path.
It would be awesome if Node Security plugin could report the full dependency path, like:

```
jsdom > package A > package B > hoek is vulnerable...
```

or

```
hoek is vulnerable...
Dependencies:
jsdom=^11.7.0 > packageA=^version > packageB=^version > hoek=^2.2
jsdom=^11.7.0 > packageC=^version > hoek=^2.3
```

Probably the second is better, as it can display multiple dependency branches leading to the issue...
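As an added illustration of the second report format (example code written for this page, not part of idea-nodesecurity or the reporter's post): a small walker over a lockfile-style dependency graph that lists every chain from a top-level dependency down to the vulnerable package. The graph below is constructed; `jsdom` and `hoek` are the packages named in the issue, while `packageA`, `packageB`, `packageC`, `express` and all version ranges are placeholders. Real `package-lock.json` files carry the same `requires` maps, so the walker generalises to them. A cycle guard (`packageB` requiring `packageA` again) keeps the walk finite, which matters because npm graphs are not trees.

```javascript
// Constructed sample graph (not a real lockfile). Shape mirrors the
// "requires" maps found in npm's package-lock.json.
const SAMPLE_LOCK = {
  // direct dependencies of the project, as declared in package.json
  rootRequires: { jsdom: "^11.7.0", express: "^4.16.0" },
  // every installed package with the ranges it requires of its own deps
  packages: {
    jsdom:    { version: "11.7.0", requires: { packageA: "^1.0.0", packageC: "^2.0.0" } },
    packageA: { version: "1.0.3",  requires: { packageB: "^3.1.0" } },
    // packageB -> packageA closes a cycle; the walker must not loop on it
    packageB: { version: "3.1.4",  requires: { hoek: "^2.2", packageA: "^1.0.0" } },
    packageC: { version: "2.0.1",  requires: { hoek: "^2.3", packageA: "^1.0.0" } },
    hoek:     { version: "2.16.3", requires: {} },
    express:  { version: "4.16.3", requires: {} },
  },
};

// Return every dependency chain from a top-level dependency to `target`,
// formatted as "name=range > name=range > ... > target=range".
function findDependencyPaths(lock, target) {
  const paths = [];

  function walk(name, range, chain, onPath) {
    if (onPath.has(name)) return; // already on the current chain: cycle
    const nextChain = [...chain, `${name}=${range}`];
    if (name === target) {
      paths.push(nextChain.join(" > "));
      return;
    }
    const pkg = lock.packages[name];
    if (!pkg) return; // declared but not installed; nothing to descend into
    onPath.add(name);
    for (const [dep, depRange] of Object.entries(pkg.requires)) {
      walk(dep, depRange, nextChain, onPath);
    }
    onPath.delete(name); // allow the package on other, non-cyclic branches
  }

  for (const [name, range] of Object.entries(lock.rootRequires)) {
    walk(name, range, [], new Set());
  }
  return paths;
}

// Render the report in the multi-branch layout proposed in the issue.
function formatReport(lock, target) {
  const paths = findDependencyPaths(lock, target);
  if (paths.length === 0) return `${target} is not reachable from this project`;
  return [`${target} is vulnerable...`, "Dependencies:", ...paths].join("\n");
}

console.log(formatReport(SAMPLE_LOCK, "hoek"));
```

Each reported chain carries the range every hop declared, so a reader can see which intermediate package pins the vulnerable range and therefore where an upgrade or override has to land.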