[BUG] npm audit doesn't show github Dependabot alerts #4681
Closed
2 tasks done
Labels
Bug
thing that needs fixing
Priority 2
secondary priority issue
Release 8.x
work is associated with a specific npm 8 release
Comments
Ockejanssen added the Bug (thing that needs fixing), Needs Triage (needs review for next steps) and Release 8.x (work is associated with a specific npm 8 release) labels on Apr 5, 2022
lukekarrys added a commit that referenced this issue on Apr 12, 2022:
When generating an audit report, a cache of seen advisories is kept to avoid doing any repeat fanout work on its nodes. Previously this cache was also preventing audits from being added to the report. This has been fixed so the cache is only used to prevent extra work, but all valid advisories are added to the output. Fixes #4681
Thanks for the report! I've tracked this down and figured out we were erroneously filtering out some advisories. This should be fixed in this week's release.
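The mechanism described in the commit message above (a cache of seen advisories that was also gating what reached the report) is easy to reproduce in miniature. The following is an added example, not npm's or arborist's own code: it models an audit-report builder over a constructed dependency tree and a constructed advisory feed (the `ADV-*` ids are placeholders, not real advisory identifiers), shows the buggy shape where a per-package "seen" set drops every advisory after the first for `node-forge`, and the corrected shape where the cache only memoizes the tree fanout while every matching advisory is still reported.

```javascript
// Added example (not npm's or arborist's own code): a simplified model of an
// audit-report builder whose "seen" cache must not decide what gets reported.

// Constructed sample dependency tree: package name -> installed versions found
// at nodes in the tree. As in the issue, node-forge ^0.10.0 is installed.
const tree = {
  'node-forge': ['0.10.0', '1.3.0'],
  'lodash': ['4.17.21'],
};

// Constructed advisory feed. Four advisories cover node-forge <=1.2.1, as in
// the issue; the ids are placeholders, not real advisory identifiers.
const advisories = [
  { id: 'ADV-1', name: 'node-forge', range: '<=1.2.1', severity: 'moderate' },
  { id: 'ADV-2', name: 'node-forge', range: '<=1.2.1', severity: 'moderate' },
  { id: 'ADV-3', name: 'node-forge', range: '<=1.2.1', severity: 'high' },
  { id: 'ADV-4', name: 'node-forge', range: '<=1.2.1', severity: 'high' },
  { id: 'ADV-5', name: 'lodash', range: '<4.17.21', severity: 'high' },
];

// Minimal semver comparison for the "<x.y.z" / "<=x.y.z" ranges used above.
function parseVersion(v) {
  return v.split('.').map(Number);
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}
function satisfies(version, range) {
  const m = /^(<=|<)(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compare(parseVersion(version), parseVersion(m[2]));
  return m[1] === '<=' ? c <= 0 : c < 0;
}

// The "fanout": walk the tree for every node with this package name. This is
// the expensive step that is worth caching per package name.
function nodesNamed(name, stats) {
  stats.fanouts++;
  return tree[name] || [];
}

// Buggy shape: one cache keyed by package name gates both the fanout and the
// report entry, so every advisory after the first for node-forge is dropped.
function buggyReport(advisories) {
  const seen = new Set();
  const report = [];
  const stats = { fanouts: 0 };
  for (const adv of advisories) {
    if (seen.has(adv.name)) continue; // ADV-2..ADV-4 never reach the report
    seen.add(adv.name);
    const nodes = nodesNamed(adv.name, stats).filter((v) => satisfies(v, adv.range));
    if (nodes.length) report.push({ id: adv.id, name: adv.name, severity: adv.severity, nodes });
  }
  return { report, stats };
}

// Fixed shape: the cache only memoizes the fanout result; every advisory with
// at least one vulnerable node is added to the report.
function fixedReport(advisories) {
  const nodeCache = new Map();
  const report = [];
  const stats = { fanouts: 0 };
  for (const adv of advisories) {
    if (!nodeCache.has(adv.name)) nodeCache.set(adv.name, nodesNamed(adv.name, stats));
    const nodes = nodeCache.get(adv.name).filter((v) => satisfies(v, adv.range));
    if (nodes.length) report.push({ id: adv.id, name: adv.name, severity: adv.severity, nodes });
  }
  return { report, stats };
}

// Stand-alone run: compare the two shapes on the constructed data.
for (const [label, fn] of [['buggy', buggyReport], ['fixed', fixedReport]]) {
  const { report, stats } = fn(advisories);
  console.log(`${label}: ${report.length} advisories reported, ${stats.fanouts} fanouts`);
  for (const r of report) console.log(`  ${r.id} ${r.name} ${r.severity} -> ${r.nodes.join(', ')}`);
}
```

On this data the buggy builder reports one moderate advisory and the fixed builder reports all four, while both fan out over the tree exactly once per package name, which is the only thing the cache was meant to save. The practical takeaway for anyone relying on `npm audit` output as a control is that a dedup key chosen for performance (package name) was silently being used as a correctness filter (advisory identity); a regression test that counts reported advisories per package catches that class of bug.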
lukekarrys added the Priority 2 (secondary priority issue) label and removed the Needs Triage (needs review for next steps) label on Apr 12, 2022
fritzy pushed a commit that referenced this issue on Apr 13, 2022:
When generating an audit report, a cache of seen advisories is kept to avoid doing any repeat fanout work on its nodes. Previously this cache was also preventing audits from being added to the report. This has been fixed so the cache is only used to prevent extra work, but all valid advisories are added to the output. Fixes #4681
Is it possible that this fix will also be part of npm version 7?
v7 is EOL, so I doubt it.
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
package.json with
```json
"dependencies": {
  "node-forge": "^0.10.0"
}
```
npm audit
```
npm audit report
node-forge <=1.2.1
Severity: moderate
```
Expected Behavior
CVE-2022-0122 (moderate)
CVE-2022-24773 (moderate)
CVE-2022-24772 (high)
CVE-2022-24771 (high)
The issue appears in npm 7 and npm 8. npm 6 works as expected.
Steps To Reproduce
npm 8
```
npm i node-forge@^0.10.0
npm shrinkwrap
npm audit
```
Only 1 moderate
Environment
; copy and paste output from `npm config ls` here