npm audit marks any prerelease as patched

What I Wanted to Do

Install a prerelease of a package with an unpatched vulnerability, and still get the audit warning and/or have it be reported at all.

What Happened Instead

All prereleases, of any package AFAICT, is marked as “patched” on the registry. I couldn’t find any documentation that this is intended, so I assume it’s not.

Reproduction Steps

For example

$ npm install bootstrap-vue
+ bootstrap-vue@2.0.0-rc.11
added 52 packages from 35 contributors and audited 67 packages in 3.775s
found 0 vulnerabilities

$ npm audit

                       === npm audit security report ===                        
                                                                                
found 0 vulnerabilities
 in 67 scanned packages

While the advisory says:

Remediation

No fix is currently available. Consider using an alternative module until a fix is made available.

(BTW, the markdown for the GitHub link in this specific report is broken)

In fact, every advisory I’ve looked at has all its prereleases in the “patched” section of its version tab.

Platform Info

$ npm --versions
{ a: '1.0.0',
  npm: '6.5.0',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.14.2',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.45',
  zlib: '1.2.11' }
$ node -p process.platform
linux

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.