npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm audit marks any prerelease as patched

What I Wanted to Do

Install a prerelease of a package with an unpatched vulnerability, and still get the audit warning and/or have it be reported at all.

What Happened Instead

All prereleases, of any package AFAICT, is marked as “patched” on the registry. I couldn’t find any documentation that this is intended, so I assume it’s not.

Reproduction Steps

For example

$ npm install bootstrap-vue
+ bootstrap-vue@2.0.0-rc.11
added 52 packages from 35 contributors and audited 67 packages in 3.775s
found 0 vulnerabilities

$ npm audit

                       === npm audit security report ===                        
found 0 vulnerabilities
 in 67 scanned packages

While the advisory says:


No fix is currently available. Consider using an alternative module until a fix is made available.

(BTW, the markdown for the GitHub link in this specific report is broken)

In fact, every advisory I’ve looked at has all its prereleases in the “patched” section of its version tab.

Platform Info

$ npm --versions
{ a: '1.0.0',
  npm: '6.5.0',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.14.2',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '',
  zlib: '1.2.11' }
$ node -p process.platform