cli
[BUG] Inconsistent audit json
Is there an existing issue for this?
- [X] I have searched the existing issues
This issue exists in the latest npm version
- [X] I am using the latest npm
Current Behavior
```json
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "copy-webpack-plugin": {
      "name": "copy-webpack-plugin",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        "fast-glob",
        "globby"
      ],
      "effects": [],
      "range": ">=6.0.0",
      "nodes": [
        "node_modules/copy-webpack-plugin"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "6.0.0",
        "isSemVerMajor": true
      }
    },
    "fast-glob": {
      "name": "fast-glob",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "micromatch"
      ],
      "effects": [
        "copy-webpack-plugin",
        "globby"
      ],
      "range": "*",
      "nodes": [
        "node_modules/fast-glob"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "6.0.0",
        "isSemVerMajor": true
      }
    },
    "globby": {
      "name": "globby",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        "fast-glob"
      ],
      "effects": [
        "copy-webpack-plugin"
      ],
      "range": ">=8.0.0",
      "nodes": [
        "node_modules/globby"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "6.0.0",
        "isSemVerMajor": true
      }
    },
    "micromatch": {
      "name": "micromatch",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1098615,
          "name": "micromatch",
          "dependency": "micromatch",
          "title": "Regular Expression Denial of Service (ReDoS) in micromatch",
          "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 0,
            "vectorString": null
          },
          "range": "<=4.0.7"
        }
      ],
      "effects": [
        "fast-glob"
      ],
      "range": "*",
      "nodes": [
        "node_modules/micromatch"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "6.0.0",
        "isSemVerMajor": true
      }
    }
  }
  /* METADATA TRUNCATED */
}
```
Expected Behavior
- In `vulnerabilities > copy-webpack-plugin > via` we have an array of strings `["fast-glob","globby"]`
- In `vulnerabilities > micromatch > via` however we have a completely different data structure

Shouldn't both be the same? Best regards.
Steps To Reproduce
- In Windows 11
- create a project referencing `copy-webpack-plugin:6.0.0` and `micromatch:4.0.7`
- Run `npm audit --json`
- See error
Environment
- npm: 10.8.2
- Node.js: v20.17.0
- OS Name: Windows 11
- npm config:

```ini
; "builtin" config from C:\Program Files\nodejs\node_modules\npm\npmrc
prefix = "C:\\Users\\<REDACTED>\\AppData\\Roaming\\npm"
; "user" config from C:\Users\<REDACTED>\.npmrc
//<REDACTED>/_packaging/<REDACTED>.js/npm/registry/:_password = (protected)
/<REDACTED>/_packaging/<REDACTED>.js/npm/registry/:email = (protected)
//<REDACTED>/_packaging/<REDACTED>.js/npm/registry/:username = (protected)
; "project" config from C:\dev\<REDACTED>\src\<REDACTED>\.npmrc
@zeiss:registry = "https://<REDACTED>/_packaging/<REDACTED>.js/npm/registry/"
always-auth = true
; node bin location = C:\Program Files\nodejs\node.exe
; node version = v20.17.0
; npm local prefix = C:\dev\<REDACTED>\src\<REDACTED>
; npm version = 10.8.2
; cwd = C:\dev\<REDACTED>\src\<REDACTED>
; HOME = C:\Users\<REDACTED>
; Run `npm config ls -l` to show all defaults.
```
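The report above shows the two shapes a `via` entry can take: a string naming another vulnerable package in the same report (copy-webpack-plugin, fast-glob, globby) and an advisory object carrying the GHSA URL, CWE and CVSS data (micromatch). A consumer that assumes only one shape silently drops findings or crashes. The following is an added example, not code from npm/cli or from the issue author; it walks both shapes to resolve every vulnerable package to the root advisories it inherits. The `SAMPLE_REPORT` object is a constructed, abridged copy of the report in the issue, and the function names (`viaShape`, `rootAdvisories`, `highestSeverity`, `summarize`) are this example's own.

```javascript
// Added example; not code from npm/cli or the issue author. It consumes the
// `npm audit --json` format shown in the issue, where `via` holds either
// strings (names of other vulnerable packages in the same report) or advisory
// objects. Both shapes are walked so no finding is dropped.

// Constructed sample, abridged from the report in the issue (metadata and
// fixAvailable omitted because this walk does not need them).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "copy-webpack-plugin": {
      name: "copy-webpack-plugin", severity: "moderate", isDirect: true,
      via: ["fast-glob", "globby"], effects: [], range: ">=6.0.0",
      nodes: ["node_modules/copy-webpack-plugin"],
    },
    "fast-glob": {
      name: "fast-glob", severity: "moderate", isDirect: false,
      via: ["micromatch"], effects: ["copy-webpack-plugin", "globby"], range: "*",
      nodes: ["node_modules/fast-glob"],
    },
    globby: {
      name: "globby", severity: "moderate", isDirect: false,
      via: ["fast-glob"], effects: ["copy-webpack-plugin"], range: ">=8.0.0",
      nodes: ["node_modules/globby"],
    },
    micromatch: {
      name: "micromatch", severity: "moderate", isDirect: false,
      via: [{
        source: 1098615, name: "micromatch", dependency: "micromatch",
        title: "Regular Expression Denial of Service (ReDoS) in micromatch",
        url: "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
        severity: "moderate", cwe: ["CWE-1333"],
        cvss: { score: 0, vectorString: null }, range: "<=4.0.7",
      }],
      effects: ["fast-glob"], range: "*", nodes: ["node_modules/micromatch"],
    },
  },
};

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// An advisory element is an object; a package reference is a plain string.
function isAdvisory(v) {
  return v !== null && typeof v === "object";
}

// Report which shape a `via` array uses: "package", "advisory", "mixed" or "empty".
function viaShape(entry) {
  const kinds = new Set(entry.via.map((v) => (isAdvisory(v) ? "advisory" : "package")));
  if (kinds.size === 0) return "empty";
  return kinds.size === 1 ? [...kinds][0] : "mixed";
}

// Follow string references until advisory objects are reached. `seen` guards
// against cycles and against collecting one package's advisories twice when
// two paths (here fast-glob and globby) lead to the same package.
function rootAdvisories(report, pkg, seen = new Set()) {
  const entry = report.vulnerabilities[pkg];
  if (!entry || seen.has(pkg)) return [];
  seen.add(pkg);
  const found = [];
  for (const v of entry.via) {
    if (isAdvisory(v)) found.push(v);
    else found.push(...rootAdvisories(report, v, seen));
  }
  return found;
}

// Highest severity by label. The feed's cvss block can be {score: 0,
// vectorString: null} (as for micromatch in the issue), so ranking on the
// numeric score would rate a real ReDoS advisory as harmless.
function highestSeverity(advisories) {
  let best = -1;
  for (const a of advisories) best = Math.max(best, SEVERITY_ORDER.indexOf(a.severity));
  return best < 0 ? "none" : SEVERITY_ORDER[best];
}

// One row per vulnerable package: its `via` shape and the advisories it inherits.
function summarize(report) {
  const rows = {};
  for (const pkg of Object.keys(report.vulnerabilities)) {
    const entry = report.vulnerabilities[pkg];
    const advisories = rootAdvisories(report, pkg).map((a) => ({
      id: a.url.split("/").pop(), // e.g. "GHSA-952p-6rrq-rcjv"
      title: a.title,
      severity: a.severity,
      cwe: a.cwe,
    }));
    rows[pkg] = {
      viaShape: viaShape(entry),
      isDirect: entry.isDirect,
      highest: highestSeverity(advisories),
      advisories,
    };
  }
  return rows;
}

console.log(JSON.stringify(summarize(SAMPLE_REPORT), null, 2));
```

Run with `node` after saving the block; for a real project pipe `npm audit --json` into it instead of `SAMPLE_REPORT` by replacing the constant with `JSON.parse` of stdin. In the output every one of the four packages resolves to the single micromatch advisory, which is what a CI gate should reason about, rather than the per-package `severity` label alone.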
Unable to reproduce the issue as [email protected]. Tried on the environment as mentioned. I have tried with the lodash and micromatch packages and the audit JSON output looks good for the via field data structure.

```json
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "lodash": {
      "name": "lodash",
      "severity": "high",
      "isDirect": true,
      "via": [
        {
          "source": 1094500,
          "name": "lodash",
          "dependency": "lodash",
          "title": "Regular Expression Denial of Service (ReDoS) in lodash",
          "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9",
          "severity": "moderate",
          "cwe": [
            "CWE-400",
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<4.17.21"
        },
        {
          "source": 1096305,
          "name": "lodash",
          "dependency": "lodash",
          "title": "Prototype Pollution in lodash",
          "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw",
          "severity": "high",
          "cwe": [
            "CWE-770",
            "CWE-1321"
          ],
          "cvss": {
            "score": 7.4,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"
          },
          "range": ">=3.7.0 <4.17.19"
        },
        {
          "source": 1096996,
          "name": "lodash",
          "dependency": "lodash",
          "title": "Command Injection in lodash",
          "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
          "severity": "high",
          "cwe": [
            "CWE-77",
            "CWE-94"
          ],
          "cvss": {
            "score": 7.2,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": "<4.17.21"
        }
      ],
      "effects": [],
      "range": "<=4.17.20",
      "nodes": [
        "node_modules/lodash"
      ],
      "fixAvailable": true
    },
    "micromatch": {
      "name": "micromatch",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        {
          "source": 1098681,
          "name": "micromatch",
          "dependency": "micromatch",
          "title": "Regular Expression Denial of Service (ReDoS) in micromatch",
          "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<4.0.8"
        }
      ],
      "effects": [],
      "range": "<4.0.8",
      "nodes": [
        "node_modules/micromatch"
      ],
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 1,
      "high": 1,
      "critical": 0,
      "total": 2
    },
    "dependencies": {
      "prod": 97,
      "dev": 0,
      "optional": 0,
      "peer": 66,
      "peerOptional": 0,
      "total": 162
    }
  }
}
```
I'll try to create a minimal example.
Feel free to reopen or create a new issue with steps and a minimal reproduction example so that the issue can be reproduced every time.
The new issue is here: #7896