
[BUG] npm audits git dependencies

Open. PierreJeanjacquot opened this issue 3 years ago • 1 comment

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

Install from GitHub a package sharing the same name as an existing package on the npmjs registry:

  • the node_modules entry is installed from the GitHub repository
  • the metadata is fetched from the npmjs registry using the package name declared in package.json

Expected Behavior

When a package is NOT installed from npmjs, do NOT attempt to fetch metadata from npmjs.

Steps To Reproduce

Use the latest npm release.
Use an empty directory as the working directory.

I created a minimal repository to reproduce the issue at https://github.com/PierreJeanjacquot/my-custom-debug

install the package from github

npm i github:PierreJeanjacquot/my-custom-debug#main

npm install reports 1 low severity vulnerability

the custom debug package is correctly installed from github

npm ls debug
install-test@ /home/pierre/install-test
└── [email protected] (git+ssh://git@github.com/PierreJeanjacquot/my-custom-debug.git#abfeeee014c6cfc6a3a11beec5595a18c31f6704)

however, npm audit resolves the custom package as debug.

npm audit
# npm audit report

debug  <2.6.9
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
No fix available
node_modules/debug

1 low severity vulnerability

Some issues need review, and may require choosing
a different dependency.

Environment

  • npm: 8.13.2
  • Node.js: v14.19.1
  • OS Name: Ubuntu 20.04
  • System Model Name:
  • npm config:
; "user" config from /home/pierre/.npmrc

//registry.npmjs.org/:_authToken = (protected) 

; node bin location = /home/pierre/.nvm/versions/node/v14.19.1/bin/node
; node version = v14.19.1
; npm local prefix = /home/pierre/install-test
; npm version = 8.13.2
; cwd = /home/pierre/install-test
; HOME = /home/pierre
; Run `npm config ls -l` to show all defaults.

PierreJeanjacquot, Jun 30 '22 15:06

We also ran into this in rustdoc with the following package.json:

{
  "dependencies": {
    "browser-ui-test": "^0.20.6",
    "eslint": "^8.6.0",
    "eslint-js": "github:eslint/js"
  }
}

Which led to this terrifying message from npm audit:

eslint-js  *
Severity: critical
Malware in eslint-js - https://github.com/advisories/GHSA-cm97-4mmh-634c
No fix available
node_modules/eslint-js

lolbinarycat, Jun 05 '25 22:06
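Both reports above show the same mechanism: npm audit matches advisories on the name and version declared in package.json, so a git dependency that reuses a registry package's name (debug in the first post, eslint-js in the second) is audited as if it were that registry package. The script below is an added example, not npm's own code and not from either commenter: it cross-checks `npm audit --json` findings against package-lock.json and reports where each flagged package was actually resolved from. A git source does not make a finding safe; it means the advisory's version range was matched against an artifact that did not come from the registry, so that code has to be reviewed on its own terms (and pinned to a commit). The lockfile and audit JSON embedded here are constructed for the example; the debug entry reuses the commit hash from the first post, while `forked-lib`, `registry-pkg` and the eslint-js commit hash are made up.

```javascript
// Added example (not npm's code): classify `npm audit --json` findings by the
// source each flagged package was resolved from, using package-lock.json.
// Real use:   npm audit --json > audit.json
//             classifyAuditFindings(require("./package-lock.json"),
//                                   require("./audit.json"))

const FULL_SHA = /#([0-9a-f]{40})$/;

// Classify a lockfile `resolved` value. registryHosts lists the hosts treated
// as the package registry; callers with a private mirror add it here.
function resolutionSource(resolved, registryHosts = ["registry.npmjs.org"]) {
  if (typeof resolved !== "string" || resolved === "") return "unknown";
  if (/^git(\+[a-z]+)?:/i.test(resolved)) return "git";
  if (/^file:/i.test(resolved)) return "local";
  if (/^https?:\/\//i.test(resolved)) {
    const host = new URL(resolved).host;
    return registryHosts.includes(host) ? "registry" : "remote-tarball";
  }
  return "unknown";
}

// A git dependency is only reproducible when its ref is a full commit hash;
// a branch or tag can be moved to different code without any lockfile change.
function gitPinned(resolved) {
  return FULL_SHA.test(resolved);
}

// lockfile:    parsed package-lock.json (lockfileVersion 2 or 3: `packages`
//              keyed by node_modules path, each with a `resolved` URL).
// auditReport: parsed `npm audit --json` (auditReportVersion 2:
//              `vulnerabilities` keyed by package name, each listing the
//              affected node_modules paths in `nodes`).
function classifyAuditFindings(lockfile, auditReport, registryHosts) {
  const packages = lockfile.packages || {};
  const findings = [];
  for (const vuln of Object.values(auditReport.vulnerabilities || {})) {
    for (const node of vuln.nodes || []) {
      const entry = packages[node] || {};
      const source = resolutionSource(entry.resolved, registryHosts);
      let note;
      if (source === "registry") {
        note = "advisory applies: fix or upgrade the registry package";
      } else if (source === "git") {
        note = gitPinned(entry.resolved)
          ? "matched by name only: review the pinned commit, the advisory range does not describe this code"
          : "matched by name only and NOT pinned to a commit: pin it, then review";
      } else {
        note = `resolved from ${source}: verify the artifact manually`;
      }
      findings.push({ name: vuln.name, node, severity: vuln.severity,
                      resolved: entry.resolved || null, source, note });
    }
  }
  return findings;
}

// Constructed sample input modelled on the two reports in this thread.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "install-test" },
    "node_modules/debug": {          // commit hash as shown in the first post
      resolved: "git+ssh://git@github.com/PierreJeanjacquot/my-custom-debug.git#abfeeee014c6cfc6a3a11beec5595a18c31f6704",
    },
    "node_modules/eslint-js": {      // made-up commit hash
      resolved: "git+ssh://git@github.com/eslint/js.git#1111111111111111111111111111111111111111",
    },
    "node_modules/forked-lib": {     // made-up, unpinned on purpose
      resolved: "git+https://github.com/example/forked-lib.git#main",
    },
    "node_modules/registry-pkg": {   // made-up registry package
      resolved: "https://registry.npmjs.org/registry-pkg/-/registry-pkg-1.0.0.tgz",
    },
  },
};

const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "debug":        { name: "debug",        severity: "low",      range: "<2.6.9", nodes: ["node_modules/debug"] },
    "eslint-js":    { name: "eslint-js",    severity: "critical", range: "*",      nodes: ["node_modules/eslint-js"] },
    "forked-lib":   { name: "forked-lib",   severity: "moderate", range: "*",      nodes: ["node_modules/forked-lib"] },
    "registry-pkg": { name: "registry-pkg", severity: "high",     range: "<2.0.0", nodes: ["node_modules/registry-pkg"] },
  },
};

function runSample() {
  return classifyAuditFindings(SAMPLE_LOCKFILE, SAMPLE_AUDIT);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of runSample()) {
    console.log(`${f.severity.padEnd(8)} ${f.node.padEnd(26)} ${f.source.padEnd(14)} ${f.note}`);
  }
}
if (typeof module !== "undefined") {
  module.exports = { resolutionSource, gitPinned, classifyAuditFindings, runSample };
}
```

The classification is deliberately by resolution source, not by advisory: a registry finding still needs the usual fix, and a git finding is a prompt to read the pinned commit rather than a reason to ignore the report. The unpinned case is included because a git ref like `#main` is the supply-chain risk that matters more than the name collision itself.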