Snyk does not report issues for transitive peer dependencies when testing against package-lock.json
Issue
Snyk does not report issues for transitive peer dependencies when testing against package-lock.json. These issues are reported when testing against package.json after installing node_modules.
Note that since npm v7, transitive peer dependencies are installed automatically without needing to be specified in the project's package.json.
$ snyk test --file=package-lock.json
Testing /Users/kjots/Development/Git/github.com/kjots/snyk-issue-peer-dependencies...
Organization: [redacted]
Package manager: npm
Target file: package-lock.json
Project name: @kjots/snyk-issue-peer-dependencies
Open source: no
Project path: /Users/kjots/Development/Git/github.com/kjots/snyk-issue-peer-dependencies
Licenses: enabled
✔ Tested 1 dependencies for known issues, no vulnerable paths found.
$ snyk test --file=package.json
Testing /Users/kjots/Development/Git/github.com/kjots/snyk-issue-peer-dependencies...
Tested 2 dependencies for known issues, found 1 issue, 1 vulnerable path.
Issues with no direct upgrade or patch:
✗ Cross-site Scripting (XSS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-ANGUCOMPLETEALT-73622] in [email protected]
introduced by [email protected]
No upgrade or patch available
Organization: [redacted]
Package manager: npm
Target file: package.json
Project name: @kjots/snyk-issue-peer-dependencies
Open source: no
Project path: /Users/kjots/Development/Git/github.com/kjots/snyk-issue-peer-dependencies
Licenses: enabled
Expected behavior
Issues for transitive peer dependencies should be reported when testing against either package.json or package-lock.json.
Actual behaviour
Issues for transitive peer dependencies are only reported when testing against package.json.
Steps to reproduce
A repo demonstrating the issue and with complete reproduction steps can be found at https://github.com/kjots/snyk-issue-peer-dependencies.
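The situation the report describes, a package that is installed in node_modules and recorded in package-lock.json but attached to the dependency tree only through a peerDependencies edge, can be checked directly against a lockfile. The following is an added example, not code from Snyk or from the reproduction repo. It assumes the lockfileVersion 2/3 "packages" layout that npm v7 writes (and, as an assumption, that npm marks entries installed purely to satisfy peer dependencies with "peer": true); the package names in its embedded sample lockfile are hypothetical.

```javascript
// Added example for this issue, not code from Snyk or from the kjots repro repo.
// It walks the "packages" map of an npm lockfileVersion 2/3 package-lock.json
// and lists the installed packages that are reachable from the root only by
// following a peerDependencies edge somewhere on the path. A scanner that
// builds its graph from "dependencies" edges alone never visits them, which is
// the gap the issue describes. All package names below are hypothetical.

// Resolve which lockfile entry `name` refers to when required from the package
// stored at `fromKey`, using npm's nesting rule: the nearest enclosing
// node_modules directory that contains `name` wins, falling back to top level.
function resolveKey(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (base === "") return null; // not installed (e.g. an optional or unmet peer)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root entry ("") following only the edge kinds given.
// Returns the set of reached lockfile keys, root excluded.
function reachable(packages, edgeKinds) {
  const seen = new Set();
  const stack = [""];
  while (stack.length > 0) {
    const key = stack.pop();
    if (seen.has(key)) continue;
    seen.add(key);
    const entry = packages[key] || {};
    for (const kind of edgeKinds) {
      for (const name of Object.keys(entry[kind] || {})) {
        const target = resolveKey(packages, key, name);
        if (target !== null && !seen.has(target)) stack.push(target);
      }
    }
  }
  seen.delete("");
  return seen;
}

// Keys reachable when peerDependencies edges are followed, minus keys reachable
// through dependencies edges alone: the packages a deps-only graph walk misses.
function peerOnlyKeys(lock) {
  const packages = lock.packages || {};
  const viaDeps = reachable(packages, ["dependencies"]);
  const viaAll = reachable(packages, ["dependencies", "peerDependencies"]);
  return [...viaAll].filter((key) => !viaDeps.has(key)).sort();
}

// Human-readable "name@version" for each peer-only key.
function peerOnlyReport(lock) {
  return peerOnlyKeys(lock).map((key) => {
    const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    return `${name}@${lock.packages[key].version}`;
  });
}

// Cross-check (assumption: npm v7+ writes "peer": true on entries it installed
// only to satisfy peer dependencies). If this list and peerOnlyKeys() disagree,
// the lockfile is stale or the walk above is not seeing the tree npm sees.
function flaggedPeerKeys(lock) {
  return Object.keys(lock.packages || {}).filter((key) => lock.packages[key].peer === true).sort();
}

// Constructed sample lockfile (lockfileVersion 2 shape), not a real project:
// direct-dep is a normal dependency with a normal dep (deep-dep@1) and a peer
// dep (peer-lib), and peer-lib's own dependency resolves to a nested deep-dep@2.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", dependencies: { "direct-dep": "^1.0.0" } },
    "node_modules/direct-dep": {
      version: "1.0.0",
      dependencies: { "deep-dep": "^1.0.0" },
      peerDependencies: { "peer-lib": "^2.0.0" },
    },
    "node_modules/deep-dep": { version: "1.0.0" },
    "node_modules/peer-lib": { version: "2.1.0", peer: true, dependencies: { "deep-dep": "^2.0.0" } },
    "node_modules/peer-lib/node_modules/deep-dep": { version: "2.0.0", peer: true },
  },
};

console.log(peerOnlyReport(sampleLock)); // [ 'peer-lib@2.1.0', 'deep-dep@2.0.0' ]
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`. Anything in the output is a package the lockfile records, but which a dependencies-only walk would never reach, so if a lockfile-based scan reports fewer packages than a node_modules-based one, this list is the first place to look for the difference.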
Hi @kjots!
You're right on this issue. I've investigated further about the team working at @snyk; they don't know about any vulnerabilities. Last month I tried to report the vulnerability to @Snyk, and the vulnerability has been fixed by the team, but it's not in accordance with the agreement they have. They closed my report through HackerOne as informative; they followed what the staff there said. Here I am quite disappointed with it: why do they not know about vulnerabilities and follow someone's word instead? And they have closed the vulnerability that I reported but did not send the gift according to the rules they have on responsible disclosure.