From 809f2d605f00bba085c8a65a18ddebca4419e813 Mon Sep 17 00:00:00 2001 From: Christian24 Date: Fri, 18 Sep 2020 22:22:43 +0200 Subject: [PATCH 1/3] initial draft for audit package --- accepted/0000-audit-package.md | 36 ++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 accepted/0000-audit-package.md diff --git a/accepted/0000-audit-package.md b/accepted/0000-audit-package.md new file mode 100644 index 000000000..b6783f7cc --- /dev/null +++ b/accepted/0000-audit-package.md 
@@ -0,0 +1,36 @@ +# Audit for a not yet installed package + +## Summary + +Allows the user to request and receive an audit result for a package that has not yet been installed. + +## Motivation + +* In some environments (aka corporate) the npm registry might be behind a firewall like [Nexus Firewall](https://www.sonatype.com/nexus/firewall?smtNoRedir=1) (which automatically blocks vulnerable packages and responds to npm with status code 403. In those scenarios it is hard to say which package is causing trouble. +* packages might have vulnerabilities, so security implications are useful to know before installation. + + + +## Detailed Explanation + +To query audit information on a specific package the `view` command is extended with an `--audit` parameter. The CLI would then query the `advisory endpoint` and get a full advisory for the specified package and version as well as its dependencies. The advisory is similar to `npm audit`, but references to `npm audit fix` can be omitted. + +## Rationale and Alternatives + +* An alternative would be to provide this information on the package detail page in on npmjs.com, but this would probably be harder to implement (since data would need to be cached) and it might be taken as "blame" by package authors. + +## Implementation + +{{Give a high-level overview of implementation requirements and concerns. Be specific about areas of code that need to change, and what their potential effects are. Discuss which repositories and sub-components will be affected, and what its overall code effect might be.}} + +{{THIS SECTION IS REQUIRED FOR RATIFICATION -- you can skip it if you don't know the technical details when first submitting the proposal, but it must be there before it's accepted}} + +## Prior Art + +* This basically reuses almost the entire `npm audit` output. 
+ +## Unresolved Questions and Bikeshedding + +{{Write about any arbitrary decisions that need to be made (syntax, colors, formatting, minor UX decisions), and any questions for the proposal that have not been answered.}} + +{{THIS SECTION SHOULD BE REMOVED BEFORE RATIFICATION}} From 0451d519287ed5f6d35d499f5aaac8cd5a8b6d21 Mon Sep 17 00:00:00 2001 From: Christian24 Date: Wed, 30 Sep 2020 20:07:32 +0200 Subject: [PATCH 2/3] Change the command to be npm audit. --- accepted/0000-audit-package.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/accepted/0000-audit-package.md b/accepted/0000-audit-package.md index b6783f7cc..c2ee9f5d0 100644 --- a/accepted/0000-audit-package.md +++ b/accepted/0000-audit-package.md @@ -13,7 +13,11 @@ Allows the user to request and receive an audit result for a package that has no ## Detailed Explanation -To query audit information on a specific package the `view` command is extended with an `--audit` parameter. The CLI would then query the `advisory endpoint` and get a full advisory for the specified package and version as well as its dependencies. The advisory is similar to `npm audit`, but references to `npm audit fix` can be omitted. +To query audit information on a specific package the `audit` command is extended with an optional package parameter. `npm audit typescript` would fetch audit information for the typescript package. + +Addtionally, the `view` command is extended with audit information too. This can be skipped with a parameter called `--no-audit` like during `install`. + +The CLI would query the `advisory endpoint` and get a full advisory for the specified package and version as well as its dependencies. The advisory is similar to `npm audit`, but references to `npm audit fix` can be omitted. It should also output the version of the package that was queried. ## Rationale and Alternatives 
@@ -33,4 +37,4 @@ To query audit information on a specific package the `view` command is extended {{Write about any arbitrary decisions that need to be made (syntax, colors, formatting, minor UX decisions), and any questions for the proposal that have not been answered.}} -{{THIS SECTION SHOULD BE REMOVED BEFORE RATIFICATION}} +Do we need to distinguish between locally installed packages and not yet installed packages? \ No newline at end of file From 01274a22f3cdab6fd47486eeaa9f3ab0ff58ecd4 Mon Sep 17 00:00:00 2001 From: Christian24 Date: Wed, 2 Dec 2020 19:10:27 +0100 Subject: [PATCH 3/3] npm audit for a single package updated --- accepted/0000-audit-package.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/accepted/0000-audit-package.md b/accepted/0000-audit-package.md index c2ee9f5d0..68d472b86 100644 --- a/accepted/0000-audit-package.md +++ b/accepted/0000-audit-package.md 
@@ -14,20 +14,21 @@ Allows the user to request and receive an audit result for a package that has no ## Detailed Explanation To query audit information on a specific package the `audit` command is extended with an optional package parameter. `npm audit typescript` would fetch audit information for the typescript package. - -Addtionally, the `view` command is extended with audit information too. This can be skipped with a parameter called `--no-audit` like during `install`. -The CLI would query the `advisory endpoint` and get a full advisory for the specified package and version as well as its dependencies. The advisory is similar to `npm audit`, but references to `npm audit fix` can be omitted. It should also output the version of the package that was queried. +The CLI would query the `advisory endpoint` and get a full advisory for the specified package and version as well as its dependencies. The advisory is similar to `npm audit`, but references to `npm audit fix` should be changed to only give users indication if the vulnerabilities can be fixed. It should also output the version of the package that was queried. ## Rationale and Alternatives -* An alternative would be to provide this information on the package detail page in on npmjs.com, but this would probably be harder to implement (since data would need to be cached) and it might be taken as "blame" by package authors. +* An alternative would be to provide this information on the package detail page in on npmjs.com, but this would probably be harder to implement (since data would need to be cached) and it might be taken as "blame" by package authors. However, this could be explored in a different RFC. Developers should be able to query this information with the CLI too. ## Implementation -{{Give a high-level overview of implementation requirements and concerns. Be specific about areas of code that need to change, and what their potential effects are. 
Discuss which repositories and sub-components will be affected, and what its overall code effect might be.}} +* Extend npm audit endpoint to allow querying for a specific package and version. +* Possibly extend aborist to allow to query a single package. +* Extend `npm-audit-report` with a readonly mode, which would change the output of available fixes to something that would signal to the user that a vulnerability can be fixed. +* Modify `lib/audit.js` of the CLI to introduce the new command. + -{{THIS SECTION IS REQUIRED FOR RATIFICATION -- you can skip it if you don't know the technical details when first submitting the proposal, but it must be there before it's accepted}} ## Prior Art
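Review bot: In the first hunk of patch 1/3 (the new file), the first Motivation bullet never closes its parenthesis ("(which automatically blocks vulnerable packages and responds to npm with status code 403.") and runs two points together; close it after "403" and end the sentence there. More importantly, that bullet motivates the feature with a proxy that blocks on its own policy, while Detailed Explanation queries "the `advisory endpoint`" without ever naming it; say which endpoint is meant and note that an advisory fetched from the registry will not necessarily explain a 403 issued by a proxy applying a different rule set. Also "in on npmjs.com" in Rationale and Alternatives should read "on npmjs.com".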
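Review bot: In the `@@ -13,7 +13,11 @@` hunk of patch 2/3, the example `npm audit typescript` gives a package name but no version, while the following paragraph says the CLI queries "the specified package and version"; state what is audited when no version is supplied (a dist-tag such as `latest`, or a range), because the advisory set depends on it. Making `view` run an audit by default with `--no-audit` as the opt-out also turns every `npm view` into an extra request to the advisory endpoint; the text should mention that cost and how it behaves behind a private registry proxy. Typo: "Addtionally" should be "Additionally".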
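Review bot: In the `@@ -33,4 +37,4 @@` hunk of patch 2/3, the added line has no trailing newline ("\ No newline at end of file"); add one. The question it raises, whether locally installed and not-yet-installed packages need to be distinguished, is better answered in Detailed Explanation than left open: for an installed package the CLI already has a lockfile tree to audit, whereas for a not-yet-installed one it must first resolve the package's dependency tree, so the two cases need different inputs and the proposal should say which path `npm audit <package>` takes.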
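Review bot: In the `@@ -14,20 +14,21 @@` hunk of patch 3/3, the Implementation list still does not say which component resolves the dependency tree of a not-yet-installed package, even though Detailed Explanation promises advisories for the package "as well as its dependencies"; the arborist bullet (misspelled "aborist") should state whether arborist is used to resolve that tree, and the endpoint bullet should say whether the resolved tree or only the single name and version is sent. The `npm-audit-report` "readonly mode" bullet should also define what "a vulnerability can be fixed" means before installation (for example, that a non-vulnerable version exists), since `npm audit fix` cannot apply. The edited Rationale line still reads "in on npmjs.com".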