[BUG] npm audit not finding vulnerabilities

[hrazmsft]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

I have CI pipeline that checks regularly for security issues in the npm packages. For example, it reports about https://www.npmjs.com/advisories/1745.

I do have the infected package in my local machine:

Although in the local machine it doesn't see any high severity vulnerabilities:

And not finding the 1745 issue at all...

Expected Behavior

All security issues (especially high severity vulnerabilities) should appear immediately!

Steps To Reproduce

1. Create a CRA new project
2. Run npm audit
3. You will not see this high severity vulnerability

Environment

• OS: Windows 10
• Node: 15.12.0
• npm: 7.10.0

[nlf]

are you still seeing this issue? can you try updating npm with npm i -g npm and see if that helps?

i just tested by installing [email protected] (the top level package in your screenshot), then modifying the package-lock.json so that it fetches [email protected] (again, copying versions from your screenshot) and ran npm ci

my npm ls dns-packet output looks identical to your screenshot, and npm audit does report the finding for advisory 1745 correctly. let us know if updating helps!

[hrazmsft]

@nlf thanks for the response. My issue is not specific on issue 1745 but more general than this. I always have sync issues between my local builds and CI. Every time one sees an issue several days before the other one. In this case, the CI reported 1745 but for several days my local machine didn't report it. Now, after a week, my local npm finds 1745.

But there are some cases that my local machine finds issues before our CI - in general, different machines see different audits. It takes several days until both machines report the same issues.

Do you use some cache or something? How can I see immediately same results in different machines without waiting few days until they sync?

[ruyadorno]

@hrazmsft yes, audit does in fact has a cache layer in order to improve performance to what otherwise can be a very costly operation. You can dig more into the internals of the @npmcli/metavuln-calculator package, ref: https://github.com/npm/metavuln-calculator to learn a bit more of how it works, also worth taking a look at arborist.audit(): https://github.com/npm/cli/blob/2db3eff44d7bb86b956207cc63d279806fd14ed0/workspaces/arborist/lib/audit-report.js

I'm going to leave this issue open as it does seem to warrant a little more digging from our part. Would appreciate any extra info that can be provided, is it still happening with current versions of the npm cli ([email protected] at the time of writing)?

[rhalaly]

@ruyadorno thank you! Is there any way to skip the cache locally? For example if the CI finds a vulnerability I want to see and fix it with npm audit fix