npm audit doesn't use the audit-level for the exit code

cli
security
help-wanted
priority:medium
triaged

(Ekelvin) #1

What I Wanted to Do

I wanted to use npm audit with an audit-level of high
so:
npm set audit-level high
npm config set audit-level high
npm audit
found 3 vulnerabilities (2 low, 1 moderate) in 44944 scanned packages
3 vulnerabilities require manual review. See the full report for details.
exit code 0

What Happened Instead

found 3 vulnerabilities (2 low, 1 moderate) in 44944 scanned packages
3 vulnerabilities require manual review. See the full report for details.
ERROR: Job failed: exit code 1

Reproduction Steps

  1. have a dependency of Moderate level and none high or critical
  2. set audit-level to high
  3. the command exits with a non-zero code

Details

Platform Info

$ npm --versions
{ 'ecommerce.web': '0.19.0',
  npm: '6.4.1',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.11.3',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.54',
  zlib: '1.2.11' }
$ node -p process.platform
win32
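
A way to get the behaviour the first post asks for regardless of whether npm honours audit-level, as an added example that is not part of this thread and not npm's own code: run `npm audit --json`, read the per-severity counts, and compute the CI exit code from an explicit threshold. It assumes the report shape `metadata.vulnerabilities` with counts keyed `info`, `low`, `moderate`, `high`, `critical` (what npm 6 emits); the script name `check-audit.js` and the sample report are constructed for the example.

```javascript
// Added example (not npm's own code): derive the CI exit code from an
// `npm audit --json` report using an explicit severity threshold, instead of
// relying on the audit-level config. Assumption: the report carries
// report.metadata.vulnerabilities = { info, low, moderate, high, critical } counts.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Return the severities at or above `level` that have a non-zero count.
function severitiesAtOrAbove(report, level) {
  const threshold = SEVERITY_ORDER.indexOf(level);
  if (threshold < 0) {
    throw new Error(`unknown audit level: ${level}`);
  }
  const counts = (report && report.metadata && report.metadata.vulnerabilities) || {};
  return SEVERITY_ORDER.slice(threshold).filter((sev) => (counts[sev] || 0) > 0);
}

// Exit code for CI: 1 if anything at or above the threshold was found, else 0.
function auditExitCode(report, level) {
  return severitiesAtOrAbove(report, level).length > 0 ? 1 : 0;
}

// Constructed sample matching the run in the first post: 2 low, 1 moderate,
// nothing high or critical. With a threshold of "high" this must yield exit 0.
const SAMPLE_REPORT = {
  metadata: {
    vulnerabilities: { info: 0, low: 2, moderate: 1, high: 0, critical: 0 },
  },
};

// Stand-alone use (hypothetical file name check-audit.js):
//   npm audit --json > audit.json || true
//   node check-audit.js audit.json high
// Only runs when a report path is given, so importing the module has no side effects.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const reportPath = process.argv[2];
  const level = process.argv[3] || 'high';
  const report = JSON.parse(fs.readFileSync(reportPath, 'utf8'));
  const hits = severitiesAtOrAbove(report, level);
  console.log(
    hits.length
      ? `vulnerabilities at or above ${level}: ${hits.join(', ')}`
      : `no vulnerabilities at or above ${level}`
  );
  process.exit(auditExitCode(report, level));
}
```

The `|| true` after `npm audit --json` matters in a CI step that runs with `set -e`: npm exits non-zero whenever it finds anything, which is exactly the behaviour the thread complains about, so the JSON is captured first and the threshold decision is made by the script.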

(Lars Willighagen) #2

Do you have a set of dependencies to trigger this? I can’t seem to reproduce it myself at the moment.


(Ekelvin) #3

It's enough to get the latest version of webpack-spritesmith.

It contains a Moderate vulnerability


(Lars Willighagen) #4

Weird, I’m still not seeing it… The source code seems to respect the audit-level setting, can you confirm npm is recognizing the config correctly by running

npm config get audit-level

in your project directory? Otherwise, I really have no idea…


(Ekelvin) #5


as you can see it exits with code 1 rather than 0


(Ekelvin) #6

maybe it is using the default audit-level rather than just audit-level in code


(Ekelvin) #7

Can anyone help with this?
It doesn’t work even if you put the audit-level as an option to the audit command