npm audit returns output with some valid warnings, but also with weird dependencies that look like random hexadecimal strings. That string changes every time I run npm audit and is identical for all packages referenced in the audit.

How can I get rid of that? The npm version is 6.8.0.

High            Cross-Site Scripting (XSS)
Package         jquery
Patched in      >=3.0.0
Dependency of   28941ae593a0bfccfbff69e6c9be45d3edb864692c815174fff557331de…
Path            28941ae593a0bfccfbff69e6c9be45d3edb864692c815174fff557331de…
                >
                39e4d897653a99aeb635bac80469694d1066d648e1fc9d3ac63ded7789c…
                > jquery

More info       https://npmjs.com/advisories/328


Moderate        Prototype Pollution
Package         lodash
Patched in      >=4.17.11
Dependency of   browserify-resolutions [dev]
Path            browserify-resolutions > lodash

More info       https://npmjs.com/advisories/782

Moderate        Prototype Pollution
Package         lodash
Patched in      >=4.17.11
Dependency of   28941ae593a0bfccfbff69e6c9be45d3edb864692c815174fff557331de…
Path            28941ae593a0bfccfbff69e6c9be45d3edb864692c815174fff557331de…
                > lodash

More info       https://npmjs.com/advisories/782
dlxeon
  • Can you look up those strings in the lockfile (package-lock.json or yarn.lock)? They look like hashes to me. – Marouane Fazouane Feb 20 '19 at 08:56
  • @MarouaneFazouane we do not use lock files and explicitly set that in .npmrc with `package-lock=false`. Those are random with every `npm audit` call and not present in any file in my working folder (including node_modules) – dlxeon Feb 20 '19 at 09:04
  • Related issue [#1641](https://npm.community/t/sha-like-entries-in-npm-audit/1641) – RobC Feb 20 '19 at 13:11
  • Thank you, @RobC – dlxeon Feb 20 '19 at 13:43

1 Answer

I just ran into the same issue. After looking into the npm docs, this has been resolved in version 7. I just ran npm audit using npm 7+ and it pointed to the exact packages that are the culprits, with no hash.

yerabashtard