npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

How am I supposed to address `npm audit` vulnerabilities that don't apply to me?

isiahmeadows

    July 26

The general exception list feature request was originally filed here, and the devDependencies exclusion feature request was originally filed here. I haven’t commented in either, but I decided to resurrect them both here.


When I run npm audit, I find that none of the vulnerabilities actually apply to me. They all deal with Karma, and they already know about the issue. My module itself only has 8 runtime dependencies (including indirect), none of which are vulnerable.

How am I supposed to address the npm audit result, since Karma knows about the issue, but it still doesn’t really affect me?

(I’m more likely to download a malicious package than I am to actually get bit by any of these due to Karma.)

Also, while we’re on that subject, shouldn’t there be a way to list an explicit exception to the audit, in case it doesn’t affect me or if I mitigated it without having to upgrade? And on top of that, do devDependencies really need to be included at the same level as normal dependencies, since they generally only run with highly controlled inputs and outputs?
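Archive note, added here and not part of the post above or of npm itself: the two things the post asks for (an exception list, and devDependencies counted differently) can be approximated today with a small wrapper over `npm audit --json`. The script below assumes the npm 6 report shape (advisories keyed by id, each with `findings[].paths` like `karma>chokidar>fsevents`), a hypothetical `audit-exceptions.json` with a reason and expiry per advisory id, and constructed package names and advisory ids; it classifies an advisory as dev-only when every path to it is rooted in something outside `dependencies` (the Karma case from the post), honours unexpired exceptions, and fails only on what is left.

```javascript
// Added example, not code from the forum thread or from npm itself. It
// triages an `npm audit --json` report: advisories reachable only through
// devDependencies are reported but do not fail, and a local exception list
// (a hypothetical audit-exceptions.json) silences advisories that were
// mitigated, until the exception's expiry date. Assumes the npm 6 report
// shape (advisories keyed by id, findings[].paths like "a>b>c"). All data
// below is constructed: package names and advisory ids are made up.
"use strict";

// Constructed stand-in for package.json. Only the dependency maps matter:
// anything not in `dependencies` is treated as not shipped at runtime.
const PACKAGE_JSON = {
  dependencies: { "tiny-router": "^1.0.0" },
  devDependencies: { karma: "^3.1.4", mocha: "^5.2.0" },
};

// Constructed stand-in for `npm audit --json` output (npm 6 shape, trimmed).
// Paths read "direct-dep>...>vulnerable-module", so the first segment tells
// us which top-level dependency pulls the vulnerable module in.
const AUDIT_REPORT = {
  advisories: {
    "1234": {
      id: 1234, module_name: "dev-watcher", severity: "high",
      title: "(constructed) arbitrary file write",
      findings: [{ version: "1.2.4", paths: ["karma>dev-watcher"] }],
    },
    "5678": {
      id: 5678, module_name: "tiny-router", severity: "moderate",
      title: "(constructed) regular expression denial of service",
      findings: [{ version: "1.0.0", paths: ["tiny-router"] }],
    },
    "9012": {
      id: 9012, module_name: "shared-util", severity: "low",
      title: "(constructed) prototype pollution",
      findings: [{ version: "4.17.4",
                  paths: ["karma>shared-util", "tiny-router>shared-util"] }],
    },
  },
};

// Constructed stand-in for the hypothetical audit-exceptions.json. Every
// entry carries a reason and an expiry so exceptions get revisited instead
// of silently outliving the mitigation they describe.
const EXCEPTIONS = {
  "5678": { reason: "input length is capped before the regex runs", expires: "2019-12-31" },
  "9012": { reason: "was believed unreachable", expires: "2019-01-01" }, // already expired
};

// Top-level dependency that a dependency path hangs off.
function rootOfPath(path) {
  return path.split(">")[0];
}

// Decide whether an advisory is reachable through a runtime dependency.
// Paths rooted outside `dependencies` (devDependencies and the like) are
// dev-only; a single production-rooted path is enough to count as reachable.
function classifyAdvisory(advisory, pkg) {
  const runtime = new Set(Object.keys(pkg.dependencies || {}));
  const roots = new Set();
  for (const finding of advisory.findings || []) {
    for (const p of finding.paths || []) roots.add(rootOfPath(p));
  }
  const prodRoots = [...roots].filter((r) => runtime.has(r));
  return {
    id: String(advisory.id),
    module: advisory.module_name,
    severity: advisory.severity,
    roots: [...roots],
    reachableFromProd: prodRoots.length > 0,
  };
}

// An exception only applies while it is unexpired; `today` is injectable so
// the decision is reproducible in CI and in tests.
function isExcepted(id, exceptions, today = new Date()) {
  const entry = exceptions[id];
  if (!entry) return false;
  if (entry.expires && new Date(entry.expires) < today) return false;
  return true;
}

// Bucket every advisory: excepted, dev-only (reported but passing), or fail.
function triage(report, pkg, exceptions, today = new Date()) {
  const result = { fail: [], devOnly: [], excepted: [] };
  for (const advisory of Object.values(report.advisories || {})) {
    const c = classifyAdvisory(advisory, pkg);
    if (isExcepted(c.id, exceptions, today)) result.excepted.push(c);
    else if (c.reachableFromProd) result.fail.push(c);
    else result.devOnly.push(c);
  }
  return result;
}

// Exit status a CI job would use: only unexcepted production findings fail.
function exitCode(result) {
  return result.fail.length > 0 ? 1 : 0;
}

// Human-readable summary, one line per advisory.
function formatReport(result) {
  const line = (tag, c) => `${tag} #${c.id} ${c.module} (${c.severity}) via ${c.roots.join(", ")}`;
  return [
    ...result.fail.map((c) => line("FAIL     ", c)),
    ...result.devOnly.map((c) => line("DEV-ONLY ", c)),
    ...result.excepted.map((c) => line("EXCEPTED ", c)),
  ];
}

const RESULT = triage(AUDIT_REPORT, PACKAGE_JSON, EXCEPTIONS, new Date("2019-06-01"));
console.log(formatReport(RESULT).join("\n"));
console.log(`exit code: ${exitCode(RESULT)}`);
```

Against real projects the three constants would be read from `package.json`, from `npm audit --json > audit.json`, and from the exception file, with the date taken from the clock. Note the shared-util case: it is reachable through both karma and tiny-router, and its exception has lapsed, so it fails even though the poster's Karma path alone would not. Later npm releases (7 and up) accept `npm audit --omit=dev` to drop devDependencies paths from the report, but a reviewed, expiring exception list still has to live outside npm.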


isiahmeadows

    July 28

Bump? (I feel this kind of got missed, and I don’t want it to be autoclosed yet.)


Why audit? The files are not connected to the package! They are loose files. Just run them as a zip file together, then extract in an organized folder. I unloaded a pile of them that had some bugs, but they were dormant, just sitting. Zip all of them and then extract to a named folder the ones that don’t acquire, repeat. Read the code, imply fixes with the files that don’t apply from start to bug, then from bug to start??? Just had to ask.


https://drive.google.com/file/d/15AWwiUH_7cIZfIAUsqx28DoOMiOd-5lz_A/view?usp=drivesdk


We’re mostly just waiting for an RFC based on this PR so we can have a discussion about it. Once the RFC is filed, this will move forward.

https://github.com/npm/cli/pull/10