[BUG] npm audit does not show the package from package.json that depends on the vulnerable package
Is there an existing issue for this?
- [X] I have searched the existing issues
This issue exists in the latest npm version
- [X] I am using the latest npm
Current Behavior
npm audit does not output which of the packages from the package.json dependencies depends on the detected vulnerable package(s).
Expected Behavior
npm should tell me which of the packages I'm using depend(s) on the vulnerable package(s), so that I can update or replace it/them.
Steps To Reproduce
- git clone https://github.com/dandv/npm-audit-bug.git && cd npm-audit-bug
- npm install
- npm audit
- Notice the output doesn't mention which of the user's packages from package.json depends on the vulnerable package.
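As an added example, not code from the reporter's repository or from npm itself, the script below reads the structured report that `npm audit --json` already emits (auditReportVersion 2) and walks each advisory-bearing package's `effects` list upward until it reaches an entry with `isDirect: true`, which is exactly the package.json dependency this issue asks for. The embedded report is constructed; the package names, the advisory and the `audit-roots.js` / `audit.json` file names are placeholders.

```javascript
// Walks an `npm audit --json` report (auditReportVersion 2) from each package
// that carries an advisory up through its `effects` lists until a direct
// dependency (isDirect: true) is reached. Added example, not npm's own code.
// The report below is constructed; names and the advisory are placeholders.

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'vuln-lib': {
      name: 'vuln-lib',
      severity: 'high',
      isDirect: false,
      // An object in `via` is an advisory: this package is vulnerable itself.
      via: [{ source: 0, name: 'vuln-lib', title: 'Constructed advisory', severity: 'high',
              range: '<2.0.0', url: 'https://example.invalid/advisory/0' }],
      effects: ['middle-lib', 'other-top'],
      range: '<2.0.0',
      nodes: ['node_modules/vuln-lib'],
      fixAvailable: true,
    },
    'middle-lib': {
      name: 'middle-lib',
      severity: 'high',
      isDirect: false,
      // A string in `via` means: affected only through that dependency.
      via: ['vuln-lib'],
      effects: ['top-dep'],
      range: '*',
      nodes: ['node_modules/middle-lib'],
      fixAvailable: true,
    },
    'top-dep': { name: 'top-dep', severity: 'high', isDirect: true, via: ['middle-lib'],
                 effects: [], range: '*', nodes: ['node_modules/top-dep'], fixAvailable: true },
    'other-top': { name: 'other-top', severity: 'high', isDirect: true, via: ['vuln-lib'],
                   effects: [], range: '*', nodes: ['node_modules/other-top'], fixAvailable: true },
  },
};

// Packages whose `via` contains at least one advisory object.
function advisoryPackages(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => (v.via || []).some((x) => typeof x === 'object'))
    .map((v) => v.name);
}

// All chains from pkgName up to a direct dependency, as arrays of names
// ordered from the vulnerable package to the package.json entry.
// The `seen` set guards against cycles in `effects`.
function dependencyPaths(report, pkgName) {
  const vulns = report.vulnerabilities;
  const paths = [];
  function walk(name, path, seen) {
    const entry = vulns[name];
    if (!entry || seen.has(name)) return;
    const nextPath = [...path, name];
    const nextSeen = new Set(seen).add(name);
    if (entry.isDirect) paths.push(nextPath);
    for (const parent of entry.effects || []) walk(parent, nextPath, nextSeen);
  }
  walk(pkgName, [], new Set());
  return paths;
}

// Map each advisory-bearing package to the distinct package.json
// dependencies through which it is pulled in.
function summarize(report) {
  const out = {};
  for (const name of advisoryPackages(report)) {
    const roots = dependencyPaths(report, name).map((p) => p[p.length - 1]);
    out[name] = [...new Set(roots)];
  }
  return out;
}

// One line per chain, written root-first so it reads like the install tree.
function render(report) {
  const lines = [];
  for (const name of advisoryPackages(report)) {
    const sev = report.vulnerabilities[name].severity;
    for (const p of dependencyPaths(report, name)) {
      lines.push(`${name} (${sev}) <- ${[...p].reverse().join(' > ')}`);
    }
  }
  return lines;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: npm audit --json > audit.json && node audit-roots.js audit.json
  const file = process.argv[2];
  const report = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : sampleReport;
  console.log(render(report).join('\n'));
}
```

Run against a real project with `npm audit --json > audit.json && node audit-roots.js audit.json`; without an argument it prints the constructed sample, giving `vuln-lib (high) <- top-dep > middle-lib > vuln-lib` and `vuln-lib (high) <- other-top > vuln-lib`. The cycle guard matters because `effects` lists in a real report can loop back through peer or optional dependencies. For a single package, the built-in `npm ls <package>` prints the same chains from the installed tree, but it has to be run once per vulnerable package and does not carry the advisory information.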
Environment
- npm: 10.6.0
- Node.js: 18.19.0
- OS Name: Fedora Linux 38
- npm config:
; "global" config from /etc/npmrc
; prefix = "/usr/local" ; overridden by user
python = "/usr/bin/python3"
; "user" config from /home/dandv/.npmrc
prefix = "/home/dandv/.local"
; node bin location = /usr/bin/node-18
; node version = v18.19.0
; npm local prefix = /home/dandv/prg/npm-audit-bug
; npm version = 10.6.0
; cwd = /home/dandv/prg/npm-audit-bug
; HOME = /home/dandv
; Run `npm config ls -l` to show all defaults.
Thanks for the report! Improvements to the audit experience are under consideration but we don't have a timeline to share at the moment.
I have the same issue. Ideally this should include the full link from the root package in package.json to the vulnerable package.