8

In my npm audit output I saw the following entry with a hash:

├───────────────┼─────────────────────────────────────────┤
│ Path          │ 050fb87979f5c6895917ef26a696d57ebf3cf1… │
│               │ > mocha > growl                         │
├───────────────┼─────────────────────────────────────────┤

May I know what the hash stands for and where I can find the dependency tree node it represents? I searched online and searched through my package-lock.json file but couldn't find it.

Thanks!

Justin Zhang
  • 183
  • 8

2 Answers

8

Somehow I was able to figure it out not long after posting it, by using `npm ls growl`. It shows that the hash represents an internal package. (The confusing part is that some internal packages were displayed by package name in the npm audit output while some were displayed as hashes. Update: it turns out that we are importing some packages by their git commit directly; in those cases those dependencies are displayed as hashes.)

Justin Zhang
  • 183
  • 8
  • 1
    This is related to the issue at https://github.com/npm/npm/issues/20739 - I don't know how `npm audit` calculates that hash as it is not the same as the actual hash of the commit used and it makes it hard to audit code without a lot of manual `npm ls` commands – rsp Feb 27 '19 at 00:20
  • Is it possible for an MVCE? – deostroll Jan 22 '20 at 10:25
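The `npm ls growl` approach in the answer above recovers one chain at a time. As an added example (not part of the original question or answers, and not npm's own code), the following Node.js script walks a lockfileVersion 1 package-lock.json, the npm 6 format the question is about, resolving each `requires` entry the way node does (nearest nested `dependencies` map first, then outward to the root), prints every chain from a direct dependency down to a target package, and tags nodes whose locator is a git URL, which is the kind of node the answer reports as showing up as a hash in npm audit output. The lockfile contents, package names, commit, integrity values and direct-dependency list are constructed for the example, and the git-detection regular expression is a heuristic assumption rather than npm's own logic.

```javascript
'use strict';

// Constructed sample package-lock.json (lockfileVersion 1, as written by npm 6).
// Package names, URLs, the commit hash and integrity values are placeholders.
const SAMPLE_LOCK = {
  name: 'example-app',
  version: '1.0.0',
  lockfileVersion: 1,
  requires: true,
  dependencies: {
    'internal-tooling': {
      // npm 6 records a git dependency's commit in "version" and its spec in "from"
      version: 'git+ssh://git@github.com/example-org/internal-tooling.git#0123456789abcdef0123456789abcdef01234567',
      from: 'git+ssh://git@github.com/example-org/internal-tooling.git',
      requires: { mocha: '^5.2.0' },
    },
    mocha: {
      version: '5.2.0',
      resolved: 'https://registry.npmjs.org/mocha/-/mocha-5.2.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
      requires: { growl: '1.10.5', debug: '3.1.0' },
      // Non-hoisted copy: mocha needs a different debug than the root one.
      dependencies: {
        debug: { version: '3.1.0', resolved: 'https://registry.npmjs.org/debug/-/debug-3.1.0.tgz', integrity: 'sha512-PLACEHOLDER' },
      },
    },
    debug: { version: '4.1.1', resolved: 'https://registry.npmjs.org/debug/-/debug-4.1.1.tgz', integrity: 'sha512-PLACEHOLDER' },
    growl: { version: '1.10.5', resolved: 'https://registry.npmjs.org/growl/-/growl-1.10.5.tgz', integrity: 'sha512-PLACEHOLDER' },
  },
};

// Direct dependencies as they would be listed in package.json (also constructed).
const SAMPLE_DIRECT = ['internal-tooling', 'mocha'];

// Heuristic (an assumption of this example, not npm's rule): an entry counts as
// git-sourced when any locator field uses a git or shorthand-host protocol.
const GIT_SPEC = /^(git\+[a-z]+:|git:|github:|gitlab:|bitbucket:)/i;
function isGitDependency(entry) {
  return [entry.version, entry.resolved, entry.from]
    .some((v) => typeof v === 'string' && GIT_SPEC.test(v));
}

// Resolve `name` the way node does: innermost nested node_modules first, then
// outward to the root. `scope` is the stack of `dependencies` maps from the root
// down to the current package. Returns { entry, scope } or null if unresolved.
function resolveDep(name, scope) {
  for (let i = scope.length - 1; i >= 0; i--) {
    const entry = scope[i][name];
    if (entry) {
      const inner = scope.slice(0, i + 1);
      if (entry.dependencies) inner.push(entry.dependencies);
      return { entry, scope: inner };
    }
  }
  return null;
}

// Enumerate every chain from a direct dependency down to `target`, the same
// chain `npm ls <target>` prints. Each hop records whether the node is a git
// dependency, i.e. a node npm 6 audit would have displayed as a hash.
function findPaths(lock, directDeps, target) {
  const results = [];
  function walk(name, scope, path, seen) {
    const hit = resolveDep(name, scope);
    if (!hit || seen.has(hit.entry)) return; // unresolved, or a cycle on this path
    const node = { name, version: hit.entry.version, git: isGitDependency(hit.entry) };
    const next = path.concat(node);
    if (name === target) { results.push(next); return; }
    const nextSeen = new Set(seen);
    nextSeen.add(hit.entry);
    for (const dep of Object.keys(hit.entry.requires || {})) walk(dep, hit.scope, next, nextSeen);
  }
  for (const name of directDeps) walk(name, [lock.dependencies], [], new Set());
  return results;
}

// Render a chain like npm audit's "a > b > c", marking git-sourced nodes.
function formatPath(path) {
  return path.map((n) => (n.git ? `${n.name} [git]` : n.name)).join(' > ');
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of findPaths(SAMPLE_LOCK, SAMPLE_DIRECT, 'growl')) console.log(formatPath(p));
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and `SAMPLE_DIRECT` with the keys of `dependencies` and `devDependencies` from package.json. Any chain whose head carries the `[git]` tag is a candidate for a hashed entry in npm 6 audit output; the script does not reproduce the hash itself, since, as the comment above notes, how npm derives it is not documented.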
0

I just ran into the same issue. The point is to obscure the package name for security reasons. After looking into the npm docs, this has been resolved in version 7. I just ran npm audit using npm 7+ and it pointed to the exact packages that are the culprits, with no hash.

yerabashtard
  • 56
  • 1
  • 5