npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

SHA-like entries in npm audit

What I Wanted to Do

Get an audit of security vulnerabilities on a project with private dependencies.

What Happened Instead

I got an audit, but it had some inscrutable entries.

Reproduction Steps

run npm audit

Details

Most entries look something like this:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Out-of-bounds Read                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ stringstream                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > request > stringstream                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/664                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

That makes sense. I can resolve the issue by upgrading node-sass.

But some of the entries look like this:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ sshpk                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ 14ee9bf02ba6a21e98b440a720ffea72f6db1764f057368316856069751… │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ 14ee9bf02ba6a21e98b440a720ffea72f6db1764f057368316856069751… │
│               │ > broccoli-sass > node-sass > node-gyp > request >           │
│               │ http-signature > sshpk                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/606                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

I definitely don’t have a package named 14ee9bf02ba6a21e98b440a720ffea72f6db1764f057368316856069751. My guess is that it’s npm’s representation of a private namespaced package, but I’m not sure. I don’t know what in my dependency chain needs to change.

Platform Info

$ npm --versions
{ my_app: '0.0.0',
  npm: '6.0.1',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.11.1',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.50',
  zlib: '1.2.11' }

$ node -p process.platform
darwin


Yes, you’re exactly correct. Translating these back into package names is reasonably high on our todo list.

In the meantime you can run npm ls sshpk to figure out how that’s required. Mmm, actually it may be more effective to run npm ls broccoli-sass as it’s the thing directly required by your private dep.


Great suggestion. Thanks!
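The reply above points to the practical workaround: the hashed entry stands in for a private package, so the thing to look up is the first real package after it in the path (`broccoli-sass` here), not the hash. The script below is an added example, not code from this thread or from npm itself. It walks a constructed `npm audit --json` report shaped like npm 6's output (advisories keyed by id, each with `module_name`, `severity` and `findings[].paths`; that shape is an assumption), flags paths rooted at a scrubbed name, and derives the `npm ls <name>` command to run for each finding. The hash, package versions and the regex used to recognise a scrubbed name are all made up for illustration.

```javascript
// Added example (not from the thread or from npm): triage an npm 6
// `npm audit --json` report whose dependency paths begin with a scrubbed
// (hashed) private package name, and derive the `npm ls <name>` lookup the
// reply recommends. The report shape (advisories keyed by id, each with
// module_name / severity / findings[].paths) is assumed to match npm 6.

// Heuristic assumption: a scrubbed name is a long run of lowercase hex digits,
// which nothing in a normal dependency tree is actually called.
const SCRUBBED_NAME = /^[0-9a-f]{40,}$/;

function isScrubbedName(segment) {
  return SCRUBBED_NAME.test(segment);
}

// Split "a > b > c" (or "a>b>c") into ["a", "b", "c"].
function splitPath(path) {
  return path.split('>').map((s) => s.trim()).filter(Boolean);
}

// First segment that is a real package name. For a path rooted at one of the
// project's own direct dependencies that is the direct dependency itself; for
// a path rooted at a scrubbed private package it is whatever the private
// package requires, which is the most useful name to hand to `npm ls`.
// Returns null when every segment is scrubbed.
function lookupTarget(path) {
  return splitPath(path).find((s) => !isScrubbedName(s)) || null;
}

// One row per (advisory, finding path).
function triage(report) {
  const rows = [];
  for (const [id, adv] of Object.entries(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const segments = splitPath(path);
        rows.push({
          id: Number(id),
          severity: adv.severity,
          module: adv.module_name,
          segments,
          viaPrivate: segments.some(isScrubbedName),
          lookup: lookupTarget(path),
        });
      }
    }
  }
  return rows;
}

// Distinct `npm ls` commands to run, sorted so the output is stable.
function suggestedCommands(report) {
  const names = new Set(triage(report).map((r) => r.lookup).filter(Boolean));
  return [...names].sort().map((n) => `npm ls ${n}`);
}

// Constructed sample report mirroring the two entries in the post. The hash
// and the versions are placeholders, not what the original poster saw.
const FAKE_HASH = 'deadbeef'.repeat(8);
const SAMPLE_AUDIT = {
  advisories: {
    664: {
      module_name: 'stringstream',
      severity: 'moderate',
      title: 'Out-of-bounds Read',
      url: 'https://nodesecurity.io/advisories/664',
      findings: [{ version: '0.0.0', paths: ['node-sass>request>stringstream'] }],
    },
    606: {
      module_name: 'sshpk',
      severity: 'high',
      title: 'Regular Expression Denial of Service',
      url: 'https://nodesecurity.io/advisories/606',
      findings: [{
        version: '0.0.0',
        paths: [`${FAKE_HASH}>broccoli-sass>node-sass>node-gyp>request>http-signature>sshpk`],
      }],
    },
  },
};

for (const r of triage(SAMPLE_AUDIT)) {
  const via = r.viaPrivate ? ' (reached through a private dependency)' : '';
  const hint = r.lookup ? `run \`npm ls ${r.lookup}\`` : 'no resolvable package name in path';
  console.log(`[${r.severity}] ${r.module}${via}: ${hint}`);
}
```

Run it against real output with `npm audit --json > audit.json` and load that file instead of `SAMPLE_AUDIT`; the hashed root segment is dropped from the lookup because `npm ls` cannot resolve it, while the next segment is a name that exists in `node_modules` and shows exactly where the vulnerable chain enters the tree.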