[BUG] npm audit (security/advisories/bulk) inaccuracy #8125
wolfy1339 added a commit to octokit/rest.js that referenced this issue on Feb 26, 2025:

…, bump `devDependencies` (#487)

This aims to resolve #486 npm vulnerabilities with the 20.x branch

Should resolve:
GHSA-2p57-rm9w-gvfp
GHSA-3xgq-45jj-v275
GHSA-67mh-4wv8-2f99
GHSA-78xj-cgh5-2h22
GHSA-952p-6rrq-rcjv
GHSA-9qxr-qj54-h672
GHSA-9wv6-86v2-598j
GHSA-c2qf-rxjj-qqgw
GHSA-c76h-2ccp-4975
GHSA-c7qv-q95q-8v27
GHSA-f5x3-32g6-xq36
GHSA-grv7-fg5c-xmjg
GHSA-h5c3-5r3r-rr8q
GHSA-m4v8-wqvr-p9f7
GHSA-m6fv-jmcg-4jfg
GHSA-pxg6-pf52-xh8x
GHSA-qwcr-r2fm-qrc7
GHSA-rhx6-c78j-4q9w
GHSA-rmvr-2pp2-xj38
GHSA-xx4v-prfh-6cgc

### Before the change?

> 31 vulnerabilities (3 low, 18 moderate, 10 high)

### After the change?

> 9 moderate severity vulnerabilities

**Important note**: the remaining reported 'moderate' vulnerabilities for `@octokit/request` and `@octokit/plugin-paginate-rest` for GHSA-h5c3-5r3r-rr8q and GHSA-rmvr-2pp2-xj38 are actually mitigated already; npm audit isn't taking the minor versions properly into account as:

- @octokit/plugin-paginate-rest is patched in `9.2.2` (applied)
- @octokit/request is patched in `8.4.1` (applied)

This is a reporting issue: npm/cli#8125

### Pull request checklist

**Important note**: this PR reduces updates (reduces :() test coverage due to the same challenges discovered in #413 (comment)

- [x] Tests for the changes have been added (for bug fixes / features)
- [ ] Docs have been reviewed and added / updated if needed (for bug fixes / features)

### Does this introduce a breaking change?

Please see our docs on [breaking changes](https://github.com/octokit/.github/blob/master/community/breaking_changes.md) to help!

- [ ] Yes
- [x] No

Co-authored-by: wolfy1339 <[email protected]>
mislav added a commit to mislav/toolkit that referenced this issue on Mar 4, 2025:

GHSA-h5c3-5r3r-rr8q

Note that `npm audit` will still show the updated version as vulnerable, even though it is patched. npm/cli#8125
It appears that the npm registry advisory is (or was) out of date. This isn't anything the npm cli itself is doing. The advisory was updated but it looks like the npm registry copy wasn't. The npm advisory database appears to have since been updated, so we're closing this.

```console
$ curl -s -X POST -H 'Content-Type: application/json, application/octet-stream' https://registry.npmjs.org/-/npm/v1/security/advisories/bulk --data-binary '{"@octokit/request":["8.4.1"]}' | json
{}
```

In the future, npm registry issues should go through https://www.npmjs.com/support; this repo is for the npm cli itself.
### Is there an existing issue for this?

This issue exists in the latest npm version

### Current Behavior

For complex (multiple-major-version) CVE ranges, https://registry.npmjs.org/-/npm/v1/security/advisories/bulk incorrectly 'simplifies' affected versions.

e.g. GHSA-rmvr-2pp2-xj38 via related: octokit/graphql.js#638

### Expected Behavior

Should return an empty object `{}` (no vulnerabilities found). Instead, it returns:

Expanding the vulnerable version range without constraints around the vulnerable versions reported by GitHub:

### Steps To Reproduce

e.g. for this specific CVE, `npm audit` incorrectly reports `8.4.1` as a vulnerable version.

### Environment

- npm: 11.1.0
- Node.js: 22.14.0
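The failure mode the report describes, modelled offline as an added example (this is not code from npm/cli or Octokit): a minimal semver comparator-range evaluator, the request body shape used by the bulk endpoint, a bulk-style advisory list checked against installed versions, and a lossy "hull" collapse that keeps only the outermost bounds of a multi-major range. The `vulnerable_versions` strings, the `collapseToHull` model and the `INSTALLED` map are assumptions for illustration; the authoritative affected ranges for GHSA-h5c3-5r3r-rr8q and GHSA-rmvr-2pp2-xj38 are on their GitHub advisory pages. The installed versions `8.4.1` and `9.2.2` are the releases the thread says are patched.

```javascript
// Added example, not code from npm/cli or Octokit. Models why a multi-major
// advisory range such as "<8.4.1 || >=9.0.0 <9.2.1" must be evaluated clause
// by clause: collapsing it to its outer bounds re-flags patched versions.
// ASSUMPTIONS: the vulnerable_versions strings below are illustrative, and the
// hull collapse is a model of the reported behaviour, not npm's actual logic.

// "1.2.3" -> [1, 2, 3]; a pre-release tag is accepted but ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Three-way compare of parsed versions.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

const OPS = {
  "<": c => c < 0, "<=": c => c <= 0, ">": c => c > 0, ">=": c => c >= 0, "=": c => c === 0,
};

// Parse a comparator range: "||" separates OR clauses, whitespace inside a
// clause is AND. Returns [[{op, ver}, ...], ...]; an empty clause matches all.
function parseRange(range) {
  return range.split("||").map(clause => {
    const comps = [];
    const re = /(<=|>=|<|>|=)?\s*v?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)/g;
    for (const m of clause.matchAll(re)) comps.push({ op: m[1] || "=", ver: parseVersion(m[2]) });
    return comps;
  });
}

function satisfies(version, range) {
  const v = parseVersion(version);
  return parseRange(range).some(clause => clause.every(c => OPS[c.op](compare(v, c.ver))));
}

// Lossy "simplification": keep only the lowest lower bound and the highest
// upper bound across all clauses. A clause with no lower bound (e.g. "<8.4.1")
// drops the lower bound entirely, so "<8.4.1 || >=9.0.0 <9.2.1" becomes
// "<9.2.1", which wrongly covers the patched 8.4.x line.
function collapseToHull(range) {
  const clauses = parseRange(range);
  const pick = (pred, keepB) => {
    const found = clauses.map(cl => cl.find(pred) || null);
    if (!found.every(Boolean)) return null;
    return found.reduce((a, b) => (keepB(compare(b.ver, a.ver)) ? b : a));
  };
  const lower = pick(c => c.op === ">" || c.op === ">=", cmp => cmp < 0);
  const upper = pick(c => c.op === "<" || c.op === "<=", cmp => cmp > 0);
  const fmt = c => `${c.op}${c.ver.join(".")}`;
  return [lower, upper].filter(Boolean).map(fmt).join(" ") || "*";
}

// Body for POST .../-/npm/v1/security/advisories/bulk: { name: [versions] },
// the same shape as the curl in the closing comment above.
function bulkRequestBody(installed) {
  const body = {};
  for (const [name, version] of Object.entries(installed)) body[name] = [version];
  return body;
}

// Evaluate a bulk-style response ({ name: [{ id, vulnerable_versions }] })
// against installed versions; returns one finding per matching advisory.
function audit(installed, advisories) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    for (const adv of advisories[name] || []) {
      if (satisfies(version, adv.vulnerable_versions)) findings.push({ name, version, id: adv.id });
    }
  }
  return findings;
}

// Constructed sample data. Versions are the patched releases named in the
// thread; the ranges are ASSUMED illustrations of a two-major advisory.
const INSTALLED = { "@octokit/request": "8.4.1", "@octokit/plugin-paginate-rest": "9.2.2" };
const PRECISE = {
  "@octokit/request": [{ id: "GHSA-h5c3-5r3r-rr8q", vulnerable_versions: "<8.4.1 || >=9.0.0 <9.2.1" }],
  "@octokit/plugin-paginate-rest": [{ id: "GHSA-rmvr-2pp2-xj38", vulnerable_versions: "<9.2.2 || >=10.0.0 <11.4.1" }],
};

// The same advisories after the lossy collapse (the reported failure mode).
function collapseAdvisories(advisories) {
  return Object.fromEntries(Object.entries(advisories).map(([name, list]) => [
    name, list.map(a => ({ ...a, vulnerable_versions: collapseToHull(a.vulnerable_versions) })),
  ]));
}

console.log("request body:", JSON.stringify(bulkRequestBody(INSTALLED)));
console.log("precise ranges   ->", audit(INSTALLED, PRECISE));                      // []
console.log("collapsed ranges ->", audit(INSTALLED, collapseAdvisories(PRECISE)));  // both flagged
```

Running it shows the precise ranges leave both installed versions clean while the collapsed ranges flag both, which is the symptom the report and the octokit commit messages describe. When triaging a finding like this, compare the `vulnerable_versions` string the bulk endpoint returns against the per-major ranges on the GHSA page before treating the installed version as affected.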