npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm i npm@6.2.0 (latest) shows security noise

What I Wanted to Do

npm i npm@latest should run without security noise

What Happened Instead

npm i npm@latest or npm i npm@6.2.0 shows the following security noise:

found 20 moderate severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

I completely understand that this is a known issue with a partial solution proposed in npm/cli#20 which is waiting for a solution on node-gyp, reporting here for tracking and discussion purposes.

Note that I am reporting this as a “security noise” issue since I have read confirmation from both CLI PR #20 and that this is not a real security vulnerability.

Reproduction Steps

Details shown for my Windows 10 system; same issue on my macOS system.

Platform Info

$ npm --versions
{ npm: '6.2.0',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.32.0',
  node: '10.7.0',
  openssl: '1.1.0h',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.22.0',
  v8: '',
  zlib: '1.2.11' }
$ node -p process.platform

tl;dr this isn’t a problem, and is only mildly irritating, but poses no risk whatsoever to our users.

This is intentional. For the time being, we’re unable to upgrade beyond request@2.81.0 because node-gyp@3.7.0 pins it to that version. Until node-gyp itself updates request, it’ll continue to be in our tree, and/or cause a bunch of deduplication.

The audit is entirely related to a single advisory, and Hoek.merge is not used anywhere in the npm source or its dependencies, therefore we are not affected by it. You can safely ignore npm-related audit results for Hoek, and they’ll just be a mild annoyance until upgrades can be made.

See also:
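The triage the reply above describes, as an added example that is not part of the thread: it reads npm 6 `npm audit --json` output, groups the flagged paths per advisory, and checks whether every path to the vulnerable module runs through the package that pins it (node-gyp here). The JSON is a constructed sample in the shape of npm 6 output; the advisory ids, titles and paths are placeholders, not real advisory data.

```python
import json
from collections import Counter

# Constructed sample shaped like npm 6 `npm audit --json`; ids, titles and
# dependency paths are placeholders, not real advisory data.
SAMPLE_AUDIT = json.dumps({"advisories": {
    "0000": {"module_name": "hoek", "severity": "moderate",
             "title": "placeholder: prototype pollution in merge",
             "findings": [{"version": "2.16.3", "paths": [
                 "node-gyp>request>hawk>hoek",
                 "node-gyp>request>hawk>boom>hoek",
                 "node-gyp>request>hawk>sntp>hoek",
                 "node-gyp>request>hawk>cryptiles>boom>hoek"]}]},
    "0001": {"module_name": "example-pkg", "severity": "high",
             "title": "placeholder: second advisory",
             "findings": [{"version": "1.0.0", "paths": [
                 "some-direct-dep>example-pkg"]}]}}})


def triage(audit_json, pinned_by=None):
    """Per advisory: number of flagged paths, which direct dependency introduces
    the module, and whether every path passes through `pinned_by`."""
    out = {}
    for adv_id, adv in json.loads(audit_json).get("advisories", {}).items():
        paths = [p for f in adv.get("findings", []) for p in f.get("paths", [])]
        # first segment of an npm 6 path is the direct dependency that pulls it in
        introduced_by = Counter(p.split(">")[0] for p in paths)
        out[adv_id] = {
            "module": adv["module_name"],
            "severity": adv["severity"],
            "paths": len(paths),
            "introduced_by": dict(introduced_by),
            "only_via_pinned": pinned_by is not None and bool(paths)
            and all(pinned_by in p.split(">") for p in paths),
        }
    return out


def counts(audit_json):
    """(distinct advisories, total flagged paths). npm 6 counts every affected
    path, which is how a single advisory can read as '20 vulnerabilities'."""
    t = triage(audit_json)
    return len(t), sum(v["paths"] for v in t.values())


if __name__ == "__main__":
    for adv_id, v in triage(SAMPLE_AUDIT, "node-gyp").items():
        flag = "all paths via pinned dep" if v["only_via_pinned"] else "REVIEW"
        print(f"{adv_id} {v['module']} ({v['severity']}): {v['paths']} paths, "
              f"introduced by {v['introduced_by']} -> {flag}")
    print("advisories=%d findings=%d" % counts(SAMPLE_AUDIT))
```

Run it against real output with `npm audit --json > audit.json` and feed the file contents to `triage`; an advisory whose paths all pass through the pinning package can only be cleared upstream, which is the situation the reply describes.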

FYI the needed fix in node-gyp should be coming soon ref:

Nice! Thanks for updating us :tada:

Still waiting for merge and publish of nodejs/node-gyp#1502. Adding a reminder that the following dependencies should also be updated upon merge and publish of nodejs/node-gyp#1502:

node-gyp@3.8.0 should solve this now ref: nodejs/node-gyp#1521

(see contribution in npm/cli#44)

This is fixed with Release: npm@6.4.0-next.0. Thanks for letting me know!