
My npm audit report shows handsontable as "no fix available".

I am trying to ignore the handsontable package by running npm audit --ignore handsontable or npm audit --ignore=handsontable

It is not ignoring the package.

Is there any flag to ignore certain packages during npm audit and npm audit fix

  • I wonder, what is the Handsontable version that you are auditing? The versions newer or equal 10.0.0 report 0 vulnerabilities on Snyk: https://snyk.io/vuln/npm:handsontable Also, `npm install handsontable` gives Handsontable 12.0.0, which reports 0 vulnerabilities in npm audit. – warpech Jun 22 '22 at 19:15
  • The idea is to prevent handsontable from upgrading. So if you can give me some idea. – Sagar Sathyanarayanan Jun 23 '22 at 00:35

1 Answer


As of today, 21 Sept 2022, npm audit has 2 ways to filter vulnerabilities:

  • audit-level - sets the minimum level of vulnerability for npm audit to exit with a non-zero exit code.
  • omit - selects dependency types (dev/prod) to omit from the installation tree on disk.

You can see more about npm audit flags here.

There is no way to ignore specific vulnerabilities yet. I believe npm will have it soon, the discussion is still ongoing.

I recommend using the npm package better-npm-audit. Link here.

You can create a file .nsprc and ignore vulnerabilities by ID, CWE ID or GHSA ID as shown below:

{
  "1337": {
    "active": true,
    "notes": "Ignored since we don't use xxx method",
    "expiry": 1615462134681
  },
  "4501": {
    "active": false,
    "notes": "Ignored since we don't use xxx method"
  },
  "CWE-471": "CWE ID is acceptable",
  "GHSA-ww39-953v-wcq6": "GHSA ID is acceptable",
  "https://npmjs.com/advisories/1213": "Full or partial URL is acceptable too"
}
Tiago Bértolo
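To see how such an exceptions file would actually be applied to a report, here is an added example (my own code, not better-npm-audit's implementation) that filters constructed `npm audit --json` output against .nsprc-style entries with the semantics the answer lists: match by advisory ID, CWE ID, GHSA ID or full/partial URL, and only while the entry is active and not expired. The sample report, package names and advisory IDs are constructed placeholders.

```javascript
// Added example, not better-npm-audit's own code: applies .nsprc-style exceptions to
// `npm audit --json` output (match by advisory ID, CWE, GHSA ID or partial URL; honours active/expiry).
// Does this .nsprc entry still suppress findings at time `now` (ms since epoch)?
function isExceptionActive(entry, now) {
  if (typeof entry === "string") return true; // bare note: always on
  if (entry.active === false) return false;
  return !(typeof entry.expiry === "number" && entry.expiry <= now);
}
// Every identifier an .nsprc key could match for one advisory object in "via".
function advisoryKeys(via) {
  const keys = [String(via.source), ...(via.cwe || [])];
  if (via.url) {
    keys.push(via.url);
    const ghsa = via.url.match(/GHSA-[0-9a-z-]+/i);
    if (ghsa) keys.push(ghsa[0]);
  }
  return keys;
}
// Exact key match, or substring match when the key looks like a (partial) URL.
function isSuppressed(via, exceptions, now) {
  const keys = advisoryKeys(via);
  return Object.entries(exceptions).some(([key, entry]) =>
    isExceptionActive(entry, now) &&
    keys.some((k) => k === key || (key.includes("/") && k.includes(key))));
}
// A package is ignored only if every advisory object reaching it is suppressed; strings in "via" are transitive pointers.
function filterAudit(report, exceptions, now = Date.now()) {
  const remaining = {}, ignored = {};
  for (const [name, vuln] of Object.entries(report.vulnerabilities)) {
    const advisories = vuln.via.filter((v) => typeof v === "object");
    const done = advisories.length > 0 &&
      advisories.every((v) => isSuppressed(v, exceptions, now));
    (done ? ignored : remaining)[name] = vuln.severity;
  }
  return { remaining, ignored };
}
// Constructed sample data (placeholder advisories), shaped like npm >= 7 output.
const sampleReport = { vulnerabilities: {
  handsontable: { severity: "moderate", via: [{ source: 1337, cwe: ["CWE-79"], url: "https://github.com/advisories/GHSA-xxxx-xxxx-xxx1" }] },
  "pkg-b": { severity: "high", via: [{ source: 4501, cwe: ["CWE-471"], url: "https://github.com/advisories/GHSA-xxxx-xxxx-xxx2" }] },
  "pkg-c": { severity: "low", via: ["pkg-b", { source: 9999, cwe: [], url: "https://npmjs.com/advisories/9999" }] },
} };
const sampleExceptions = {
  "1337": { active: true, notes: "expired exception", expiry: 1615462134681 },
  "4501": { active: false, notes: "switched off" },
  "CWE-471": "CWE ID is acceptable",
  "advisories/9999": "partial URL is acceptable",
};
console.log(filterAudit(sampleReport, sampleExceptions, 1700000000000)); // fixed clock
```

With the fixed clock, the expired "1337" entry no longer hides handsontable, the inactive "4501" entry is ignored but pkg-b is still suppressed through its CWE, and pkg-c is suppressed by the partial URL.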