Closed
Description
Imagine in my package-lock I have a transitive dependency v1 which has a vulnerability fixed in v3. If I go to the package-lock and change the version of the dependency to v2, which still has the vulnerability, npm audit will not raise a warning about it.
I faced that in one of my projects and managed to isolate this to the following steps:
- Create an empty project
- Install `[email protected]`
- `npm audit` shows a warning about `[email protected]`. The problem within the package is fixed in versions 3.0.1 and 4.0.1
- Now we want to resolve it to version 2 with npm-force-resolutions https://github.com/rogeriochaves/npm-force-resolutions
  4.1. Install the package
  4.2. Add `"resolutions": {"trim-newlines": "^2.0.0"}` to your package.json
  4.3. Run `./node_modules/.bin/npm-force-resolutions`
  4.4. (seems it doesn't affect it - we can run `npm ci`)
- Now run `npm audit` again and it finds 0 vulnerabilities, despite both node_modules and package-lock having the vulnerable version
```sh
npm init --yes
npm i [email protected] npm-force-resolutions
# see the warning about vulnerabilities
# add "resolutions": {"trim-newlines": "^2.0.0"} to your package.json
./node_modules/.bin/npm-force-resolutions
npm ci
npm audit
# see no warning here
```
I did it with [email protected] and a similar thing happened with [email protected]
I don't really understand if it is the problem with npm-force-resolutions or with npm itself. I also opened a ticket there rogeriochaves/npm-force-resolutions#40
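A way to verify the lockfile directly instead of relying on what `npm audit` reports after the lock has been edited, as an added example that is not part of this issue, of npm, or of npm-force-resolutions: the script below walks a package-lock.json (lockfileVersion 1 nested `dependencies` as well as v2/v3 flat `packages`), lists every resolved copy of a package, and flags the copies that fall inside vulnerable ranges you supply. The sample lock objects and the dependent package name `some-parent` are constructed for the example; the vulnerable ranges `<3.0.1` and `>=4.0.0 <4.0.1` are an assumption derived from the issue's statement that the problem is fixed in 3.0.1 and 4.0.1.

```javascript
// Added example, not code from the npm issue or from npm-force-resolutions.
// Checks a package-lock.json directly for every resolved copy of a package and
// flags the ones inside given vulnerable ranges, so the result does not depend
// on what `npm audit` reports after the lock has been edited.

// Minimal semver parsing: only MAJOR.MINOR.PATCH, prerelease tags are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// ranges: array of [lowInclusive | null, highExclusive]; null means unbounded below.
function isVulnerable(version, ranges) {
  return ranges.some(([low, high]) =>
    (low === null || compareSemver(version, low) >= 0) &&
    compareSemver(version, high) < 0);
}

// Every occurrence of `name` in the lock, as {path, version}. Handles
// lockfileVersion 2/3 (flat "packages" keyed by path) and v1 (nested "dependencies").
function findVersions(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === '') continue; // root project entry
      const idx = p.lastIndexOf('node_modules/');
      if (idx === -1) continue; // workspace or link entries
      const pkgName = p.slice(idx + 'node_modules/'.length);
      if (pkgName === name && entry.version) hits.push({ path: p, version: entry.version });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [depName, entry] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${depName}`;
        if (depName === name && entry.version) hits.push({ path: p, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Copies of `name` whose version falls inside one of the vulnerable ranges.
function auditLock(lock, name, ranges) {
  return findVersions(lock, name).filter(h => isVulnerable(h.version, ranges));
}

// Convenience wrapper for a real lockfile on disk.
function auditLockFile(file, name, ranges) {
  const fs = require('fs');
  return auditLock(JSON.parse(fs.readFileSync(file, 'utf8')), name, ranges);
}

// Assumed from the issue's "fixed in 3.0.1 and 4.0.1": everything below 3.0.1
// is vulnerable, and so is 4.0.0 (anything at or above 4.0.0 but below 4.0.1).
const TRIM_NEWLINES_VULN = [[null, '3.0.1'], ['4.0.0', '4.0.1']];

// Constructed sample locks; `some-parent` is a made-up dependent package.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'repro', version: '1.0.0' },
    'node_modules/some-parent': { version: '1.0.0' },
    'node_modules/trim-newlines': { version: '2.0.0' }, // forced to ^2, still vulnerable
    'node_modules/some-parent/node_modules/trim-newlines': { version: '3.0.1' }, // fixed copy
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-parent': {
      version: '1.0.0',
      dependencies: { 'trim-newlines': { version: '1.0.0' } },
    },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK_V2, 'trim-newlines', TRIM_NEWLINES_VULN)));
// → [{"path":"node_modules/trim-newlines","version":"2.0.0"}]
```

Run it against a real project with `auditLockFile('package-lock.json', 'trim-newlines', TRIM_NEWLINES_VULN)`; a non-empty result after a forced resolution means the lock still pins a vulnerable copy regardless of what `npm audit` prints. The range check here is deliberately simple (no prerelease or `^`/`~` range syntax); for anything beyond a quick lock inspection, use the `semver` package's `satisfies` instead of the hand-written comparison.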