
I have a CI service that runs npm audit on every build and notifies me if there are high-risk vulnerabilities. The strange thing is that when CI reports high vulnerabilities, running npm audit locally says "found 0 vulnerabilities". Locally it will only find the issue in a few days...

For example, the CI reports about: CVE-2020-7774: The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.

But on the local dev env: no issues.

Both CI and local use Node 15.12.0 and npm 7.6.3.

Why is npm audit not finding the latest issues? Is there any way to force update it or something?

npm --verbose audit output: [screenshot]

  • You can run `npm --verbose audit` to see the request that gets made - is there anything between you and the registry that might be caching that? – jonrsharpe Apr 19 '21 at 12:59
  • The request looks normal to me. I don't have something that would cache that... Added the verbose output to the question – nrofis Apr 19 '21 at 13:19
  • You could try e.g. `curl -vd "$(cat package-lock.json)" https://registry.npmjs.org/-/npm/v1/security/audits` to see if there's anything suspicious in there. – jonrsharpe Apr 19 '21 at 13:22
  • Thanks for the comment! Actually it also says no vulnerabilities... I'm not sure why the CI sees different issues... – nrofis Apr 19 '21 at 13:27
  • The local code is the same as the code in the CI, of course... – nrofis Apr 19 '21 at 13:31
  • We have a similar issue where CI reports medium risk CVEs but `npm audit --audit-level=moderate` does not. Is there a way to get npm audit to display all CVEs? – Marc Jan 10 '23 at 11:18
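An added example, not from the question or any of the commenters: a small Python script that compares two `npm audit --json` (auditReportVersion 2) reports, one captured on the CI runner and one locally, and lists which advisories appear on only one side, so a mismatch like the one above can be pinned to specific packages regardless of `--audit-level`. The sample reports, advisory id and URL are constructed placeholders; only the CVE and the version ranges are taken from the question.

```python
"""Diff two `npm audit --json` reports (npm 7 format) captured in different environments."""
import json

# Constructed sample reports shaped like npm 7's `npm audit --json` output.
# Advisory id (source) and url are placeholders, not real advisory data.
CI_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "y18n": {
            "name": "y18n", "severity": "high", "isDirect": False,
            "via": [{"source": 0, "name": "y18n",
                     "title": "Prototype Pollution (CVE-2020-7774)",
                     "url": "https://example.invalid/advisory-placeholder",
                     "severity": "high",
                     "range": "<3.2.2 || >=4.0.0 <4.0.1 || >=5.0.0 <5.0.5"}],
            "range": "<3.2.2", "nodes": ["node_modules/y18n"], "fixAvailable": True},
        # A transitive entry: `via` is just the name of the package that carries the advisory.
        "yargs": {"name": "yargs", "severity": "high", "isDirect": True,
                  "via": ["y18n"], "range": "*", "nodes": ["node_modules/yargs"],
                  "fixAvailable": True},
    },
})
LOCAL_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {}})

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def advisories(report_json, min_severity="info"):
    """Return a set of (package, severity, title) for every advisory at or above
    min_severity. String `via` entries are references to another vulnerable
    package, not advisories themselves, so they are skipped."""
    report = json.loads(report_json)
    threshold = SEVERITY_ORDER.index(min_severity)
    found = set()
    for pkg, entry in report.get("vulnerabilities", {}).items():
        for via in entry.get("via", []):
            if isinstance(via, str):
                continue
            if SEVERITY_ORDER.index(via["severity"]) >= threshold:
                found.add((pkg, via["severity"], via["title"]))
    return found


def diff_reports(ci_json, local_json, min_severity="info"):
    """Advisories seen by CI but not locally, and vice versa."""
    ci, local = advisories(ci_json, min_severity), advisories(local_json, min_severity)
    return {"only_in_ci": sorted(ci - local), "only_in_local": sorted(local - ci)}


if __name__ == "__main__":
    for side, items in diff_reports(CI_REPORT, LOCAL_REPORT).items():
        print(side, *items, sep="\n  ")
```

Capture the real inputs with `npm audit --json > audit.json` on each side and pass the file contents to `diff_reports`; a non-empty `only_in_ci` with identical lock files points at the registry response differing between the two environments.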

0 Answers