npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

How to submit security vulnerability in my package for npm audit

I’ve found potential XSS vulnerability in my package and the fix will be in next version (it’s in devel branch), and I want to make it show up when user runs npm audit.

Is there a command similar to deprecate that I can run so my package show error when using audit?

The best is to hit the “report a vulnerability” button on your packages package page. That will take you to a page like where you can fill in the details about what versions are vulnerable, what the security impact is, how to reproduce the issue, etc.

Once we receive the report the security team will triage it and create an advisory if that’s the right next step.

Thanks for the great question and proactively looking to let us know.