[Suggestion] Add path to modules with reported vulnerability in the new UI

[s0rthak]

Hi!

First of all, the new interface to the tool is great. It's so much more cleaner to go through now.

Would it be possible to show the path to the module with the reported vulnerability in the new UI?

Here's a example output:

(I'm using npm v6 with node 14 right now)

This is from a frontend repo and all the dependencies mentioned here are nested dependencies of react-scripts

The tar module for example is used here react-scripts > terser-webpack-plugin > cacache > tar

Being able to see the module path would make it easier to figure out if we need to prioritize fixing this or ignoring it if it doesn't fit our use-case.

Right now, I have to run npm audit again after looking at the UI.

Also, I understand that a package may have more than one path, particularly when there are vulnerabilities in packages used by a lot of other packages. Maybe it can be present in the following manner:

react-scripts > terser-webpack-plugin > cacache > tar
react-scripts > some_other_path > tar
and 4 others

I'll be happy to contribute to an MR for this as well if it's possible with npm.
Please let me know, thanks!

[jeemok]

hey @s0rthak, sorry for the late response. Yes, its definitely possible with npm v6 👍🏻 there is a sample mock of v6 audit response here https://github.com/jeemok/better-npm-audit/blob/master/test/__mocks__/v6-json-buffer.json you can refer to. However, this paths value might not be available or the same with npm v7 audit report (I found nodes but I think it is a different thing), but I think it is okay to have different output UI here depending on the npm versions to give the user the best informative report.

I can work on it over this weekend, or happy to review one if you can submit one MR too!

PS: I'll move this issue over to Discussion tab

[s0rthak]

I'd love to try it over the weekend!

[jeemok]

hey @s0rthak, I've published the latest version v3.2.1 , please try it out and let me know if there is an issue. The report should look like this now:

[s0rthak]

Thank you so much!
Looking at the screenshot I'm wondering if you'd like to take out the node_modules part from the paths?
nodule_modules/swagger_ui can just be swagger_ui. node_modules/fsevents/node_modules/tar can just be fsevents/tar

What do you think?

[jeemok]

yeah, that sounds like a good idea! we can save more spaces by condensing the information 👍🏻

NPM v6 should already be doing that, you should see for example nodemon>chokidar>fsevents>node-pre-gyp>rc>ini in the table. The screenshot I provided was using NPM v7, and I think we could definitely transform the string to achieve that. I'll publish a new minor version soon

[jeemok]

published v3.3.0!