The npm community forum has been discontinued.
To discuss usage of npm, visit the GitHub Support Community.
npm audit does not report vulnerability on event-stream@3.3.6
What I Wanted to Do
Had event-stream@3.3.6 as a dependency in my package-lock.json. It was installed prior to the takeover and removal from npmjs, so it was in my cache.
I would have expected the vulnerability to be displayed when running npm audit
What Happened Instead
When running npm audit, no vulnerability showed up.
Hard to do. You need a vulnerable package that has been removed from npmjs, but still in your cache.
This bug has been reported in the yarn issue tracker too: https://github.com/yarnpkg/yarn/issues/6729
An additional point: shouldn't, in a case like this, a new version be published in addition to the removal of the offending release? Some of my dependencies depend on event-stream@~3.0.0. If a 3.3.7 had been released in addition to the removal of 3.3.6, the package would have upgraded itself by just deleting the package-lock and doing a new npm install, instead of having to clean the cache.
event-stream@3.3.6 as a (pinned) dependency? If yes, then npm audit should report.
event-stream itself was not infected, and it contained nothing harmful.
It did not, so I guess I did not have the malicious version installed?
event-stream is not in the advisories list indeed, just flatmap-stream, but in both the description of the flatmap advisory and the report on the npm blog (and other sources), event-stream@3.3.6 is described as malicious, so I would have expected it to be reported as such.