How to submit security vulnerability in my package for npm audit


(Jakub Jankiewicz) #1

I’ve found potential XSS vulnerability in my package and the fix will be in next version (it’s in devel branch), and I want to make it show up when user runs npm audit.

Is there a command similar to deprecate that I can run so my package show error when using audit?


(Adam Baldwin) #2

The best is to hit the “report a vulnerability” button on your packages package page. That will take you to a page like https://www.npmjs.com/advisories/report?package=npm where you can fill in the details about what versions are vulnerable, what the security impact is, how to reproduce the issue, etc.

Once we receive the report the security team will triage it and create an advisory if that’s the right next step.

Thanks for the great question and proactively looking to let us know.


(system) #3

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.