Post npm install audit is bad

[soryy708]

I forked this repository and ran npm install.
After installing, a quick audit was performed and said:

found 54 vulnerabilities (3 low, 49 high, 2 critical)

There's no lockfile (package.lock.json) so I can't run npm audit nor npm audit fix.

[ljharb]

That’s fine, most CVEs are false positives anyways.

[soryy708]

You're betting on chance, without in-depth analysis?

[ljharb]

No, I’d be happy to take a look at it, which is why the issue is still open :-)

however, this is an eslint plugin. Issues in dev deps are largely irrelevant (what does npm audit --production say?), and this project won’t ever be run in production and is configured by the user, so anything that’s like “catastrophic regex backtracking” or “prototype pollution” is simply not applicable to the whole project.

[ljharb]

Certainly we could also add a posttest script that runs npx aud (packages should never have a lockfile), once we figure out which warnings are real, if any.

[soryy708]

npm audit --production says exactly the same as without the --production flag:
"Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile"

npm install did succeed to do an audit, though.

Adding a posttest script sounds like a good idea.

[ljharb]

You can run npx aud --production as well, without a lockfile.

[soryy708]

Note that same should be done for resolvers/node/ and resolvers/webpack/.

[soryy708]

Actually npx aud --production fails because:

Could not install from "tests\files\order-redirect-scoped" as it does not contain a package.json file.

But that's false, because it does have a package.json file.

[ljharb]

Ah, yes, aud doesn't handle file: deps. Filed ljharb/aud#2 for that.

[ljharb]

Looks like npm itself can't handle our file: dev deps ¯\_(ツ)_/¯

[soryy708]

Why? It's in the docs: https://docs.npmjs.com/files/package.json#local-paths

[ljharb]

Presumably because it has a bug. npm install --package-lock --package-lock-only && npm audit --production complains about a malformed lockfile.

[soryy708]

What node & npm versions is this built with?

[ljharb]

In this case, node 13.0.1 and npm 6.12.0, the latest possible of both.

[soryy708]

I just tried this on an Ubuntu VM with Node v8.10.0 and npm v3.5.2 and got the exact same error, plus it said "npm is v3.5.2; we need ^6; installing npm in a temp dir..."

[ljharb]

aud does that, yes

[ljharb]

npm v10.2+ no longer requires a lockfile, so there's no need to use aud or create a lockfile.