Comments (12)
This change is essentially required for this package to continue to be useful and I think it should be prioritized. The IDs provided by npm audit have been changing rapidly over the past few days; in some cases I've seen a vulnerability have three or four different IDs
from better-npm-audit.
Thank you @jeemok for the update and this great project!
Hi @ocean89, sorry that I didn't post an update on this issue. The last time I checked, this would require a major rework in processing the security report and might need to handle existing numeric values for backward compatibility. At the moment I don't have much capacity to work on it and would appreciate it if anyone can help with this
hey all, I've published the beta version (or v3.7.0) for supporting CVE, CWE, GHSA, and URL IDs. Please try it out and let me know if there is an issue, otherwise, I will republish it under the latest tag next week.
Thank you all again for this amazing support 👍🏻
you're right @ZedLove, I will update the README to describe more in detail what is supported; in summary:
- npm v6: supports ID (numeric), CVEs, CWE, URL (if it contains GHSA ID)
- npm v7+: supports ID (numeric) & URL (if it contains GHSA ID)
you can refer to these two functions that handle v6 and v7+ advisory for what it checks:
- v6: https://github.com/jeemok/better-npm-audit/blob/beta/src/utils/vulnerability.ts#L51
- v7: https://github.com/jeemok/better-npm-audit/blob/beta/src/utils/vulnerability.ts#L77
@jeemok I've noticed that, despite ignoring the advisories based on GHSA IDs, I am still seeing the notice about the IDs not matching any found vulns
e.g.
🤝 All good!
8 of the excluded vulnerabilities did not match any of the found vulnerabilities:
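To make the behaviour discussed in the two replies above concrete (which identifier types an exception can match in an npm v6 report versus a v7+ report, and how an "excluded vulnerabilities did not match any of the found vulnerabilities" notice is derived), here is an added example. It is not better-npm-audit's own code; it is a small matcher written for this thread. The report field names (`advisories` with `id`, `cves`, `cwe`, `url` for v6; `vulnerabilities[*].via[*]` with `source` and `url` for v7+) are assumptions based on the shape of `npm audit --json` output, and every advisory ID, CVE and GHSA value in the sample data is constructed.

```javascript
// Added example for this issue thread; not the project's own implementation.
// Assumed report shapes: npm v6 (`advisories`) and npm v7+ (`vulnerabilities`).

const GHSA_RE = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i;

// Pull a GHSA identifier out of an advisory URL, if one is present.
function ghsaFromUrl(url) {
  const m = typeof url === 'string' ? url.match(GHSA_RE) : null;
  return m ? m[0].toUpperCase() : null;
}

// Exceptions may be written as numbers or strings in any case; compare uniformly.
function normalizeId(id) {
  return String(id).trim().toUpperCase();
}

// npm v6 advisory: numeric id, CVEs, CWE, and the GHSA id inside the URL.
function identifiersForV6Advisory(adv) {
  const ids = [String(adv.id)];
  for (const cve of adv.cves || []) ids.push(cve);
  if (adv.cwe) ids.push(adv.cwe);
  const ghsa = ghsaFromUrl(adv.url);
  if (ghsa) ids.push(ghsa);
  return ids.map(normalizeId);
}

// npm v7+ "via" entry: only the numeric source id and the GHSA in the URL
// are available, so a CVE- or CWE-based exception cannot match here.
function identifiersForV7Via(via) {
  const ids = [String(via.source)];
  const ghsa = ghsaFromUrl(via.url);
  if (ghsa) ids.push(ghsa);
  return ids.map(normalizeId);
}

// One identifier list per distinct advisory, whichever report shape we got.
function advisoryIdentifierSets(report) {
  if (report.advisories) {
    return Object.values(report.advisories).map(identifiersForV6Advisory);
  }
  const sets = [];
  const seen = new Set();
  for (const pkg of Object.values(report.vulnerabilities || {})) {
    for (const via of pkg.via || []) {
      // String entries name another vulnerable package, not an advisory.
      if (typeof via !== 'object' || via === null) continue;
      if (seen.has(via.source)) continue;
      seen.add(via.source);
      sets.push(identifiersForV7Via(via));
    }
  }
  return sets;
}

// Split advisories into excluded / remaining and report exceptions that
// matched nothing (the notice shown in the comment above).
function applyExceptions(report, exceptions) {
  const sets = advisoryIdentifierSets(report);
  const excluded = [];
  const remaining = [];
  for (const ids of sets) {
    const hit = exceptions.some((e) => ids.includes(normalizeId(e)));
    (hit ? excluded : remaining).push(ids[0]);
  }
  const unusedExceptions = exceptions.filter(
    (e) => !sets.some((ids) => ids.includes(normalizeId(e)))
  );
  return { excluded, remaining, unusedExceptions };
}

// Constructed sample reports (all identifiers are placeholders).
const v6Report = {
  advisories: {
    1000001: {
      id: 1000001,
      cves: ['CVE-2000-00001'],
      cwe: 'CWE-79',
      url: 'https://github.com/advisories/GHSA-aaaa-bbbb-cccc',
    },
    1000002: { id: 1000002, cves: [], cwe: 'CWE-400', url: 'https://example.invalid/1000002' },
  },
};
const v7Report = {
  vulnerabilities: {
    'example-pkg': {
      via: [{ source: 1000001, url: 'https://github.com/advisories/GHSA-aaaa-bbbb-cccc' }],
    },
    'example-parent': { via: ['example-pkg'] },
  },
};

console.log(applyExceptions(v6Report, ['CVE-2000-00001', 'GHSA-zzzz-zzzz-zzzz']));
console.log(applyExceptions(v7Report, ['CVE-2000-00001', 'GHSA-aaaa-bbbb-cccc']));
```

Running it shows the asymmetry the thread arrives at: against the v6 sample the CVE exception excludes advisory 1000001 and only the unknown GHSA is reported as unused, while against the v7+ sample the same CVE exception is reported as unused because a v7+ `via` entry carries no CVE field, and only the GHSA (or numeric id) can match.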
hey @ZedLove, I've updated the unused exception handler and published it under v3.7.1. Please have a try and let me know if there is an issue :)
the version v3.7.1 is published under the latest tag, I'll mark this issue closed. Thank you all for your contribution to this!
hey @guillermaster! 👋🏻 Thanks for your hard work!
😮 thanks for sharing this! I wasn't aware of it. Let me look into it ...
Any updates on this? :)
I did put in a PR for a first crack at implementing this. I'm sure it could use some polishing but may be a good starting point.
I agree to prioritize this, perhaps there is no feasible solution to support the v7 report now (due to lack of info provided in the audit report), but let's focus on v6 support first 👍🏻
Thank you @jeemok for addressing this so promptly. Your comment says that CVEs are supported, but I haven't found this to be the case. Is CVE support only available for npm v6?
I can confirm that v3.7.0 does allow me to add exceptions using GHSAs on npm v8.1.0