Issues with audit fix in npm v5 style lockfile #1620

Closed
isaacs opened this issue Aug 5, 2020 · 1 comment

Comments

@isaacs
Contributor

isaacs commented Aug 5, 2020

The lockfile created by npm 5 puts the current version of dependencies into the requires set, rather than the intended dependency range. As a result, packages seem like they're vulnerable because they appear to be pinned to a vulnerable dep. However, when we get the packuments in the audit process, we see that they're not actually vulnerable, so it looks like npm audit fix will fix the problem. But then, when we run npm audit fix, we get an idealTree out of the package-lock.json that has the deps pinned again!

One solution might be to have audit correct the idealTree and refresh the lockfile metadata, so that the subsequent reify() call for audit({fix:true}) has the updated dependency ranges.
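The mismatch described above, and the "refresh the lockfile metadata" remedy, as an added example that is not npm's own code: a constructed npm-5-style `package-lock.json` object whose `requires` entries carry the installed version instead of the declared range, a scan that reports such pinned entries, and a pass that rewrites them from each package's own declared dependency ranges (standing in here for what the registry packument would report). Package names (`example-app`, `example-lib`, `example-dep`, `example-nested`), versions and ranges are constructed for the example; nodes with no manifest available are reported rather than guessed at.

```javascript
// Added example, not npm's code: detect npm-5-style pinned `requires`
// entries in a lockfile and refresh them from the dependent package's
// declared range, so a later audit/fix pass sees ranges, not exact pins.
// All package names, versions and ranges below are constructed.

// Exact version such as "1.0.1" or "1.0.1-beta.2": no range operators.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Constructed v5-style lockfile: `requires` holds the version that was
// installed at the time, not the range from the dependent's package.json.
const v5Lock = {
  name: 'example-app',
  version: '1.0.0',
  lockfileVersion: 1,
  requires: true,
  dependencies: {
    'example-lib': {
      version: '2.0.0',
      requires: { 'example-dep': '1.0.1' }, // pinned, v5 style
      dependencies: {
        'example-nested': {
          version: '3.1.0',
          requires: { 'example-dep': '1.0.1' }, // pinned, nested node
        },
      },
    },
    'example-dep': { version: '1.0.1' },
  },
};

// Constructed manifests keyed by name@version, standing in for the
// `dependencies` field the registry packument reports for each package.
// There is deliberately no entry for example-nested@3.1.0.
const manifests = {
  'example-lib@2.0.0': { dependencies: { 'example-dep': '^1.0.0' } },
};

// Walk every node and report `requires` entries that are exact versions.
function findPinnedRequires(lock) {
  const pinned = [];
  const walk = (deps, path) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const here = [...path, name];
      for (const [dep, spec] of Object.entries(node.requires || {})) {
        if (EXACT_VERSION.test(spec)) {
          pinned.push({ path: here.join('>'), dep, spec });
        }
      }
      walk(node.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return pinned;
}

// Return a copy of the lockfile in which pinned `requires` are replaced by
// the range the dependent package actually declares. Entries whose
// manifest is unavailable are left as-is and reported, never guessed.
function refreshRequires(lock, manifestsByNameVersion) {
  const out = JSON.parse(JSON.stringify(lock)); // do not mutate the input
  const unresolved = [];
  const walk = (deps, path) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const here = [...path, name];
      const manifest = manifestsByNameVersion[`${name}@${node.version}`];
      for (const [dep, spec] of Object.entries(node.requires || {})) {
        if (!EXACT_VERSION.test(spec)) continue;
        const range = manifest && manifest.dependencies && manifest.dependencies[dep];
        if (range) node.requires[dep] = range;
        else unresolved.push({ path: here.join('>'), dep, spec });
      }
      walk(node.dependencies, here);
    }
  };
  walk(out.dependencies, []);
  return { lock: out, unresolved };
}

// Usage: scan, refresh, scan again.
const before = findPinnedRequires(v5Lock);
const { lock: refreshed, unresolved } = refreshRequires(v5Lock, manifests);
const after = findPinnedRequires(refreshed);
console.log(`pinned before: ${before.length}, after: ${after.length}, unresolved: ${unresolved.length}`);
```

The refresh pass reads the range from the dependent's own manifest rather than widening the pin heuristically, and it leaves the original object untouched; anything it could not resolve stays pinned and is listed so the caller can fetch the missing metadata instead of silently keeping a stale pin.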

@isaacs
Contributor Author

isaacs commented Aug 23, 2020

This should be fixed in the latest beta.
