Motivation ("The Why")
I would like for npm audit to have a way to resolve / acknowledge / ignore / exclude / omit / suppress certain advisories.
I maintain a package that an advisory was recently published for. The typical use is not vulnerable, but a less common usage is. At least one of my users has had trouble with upgrading to the fixed version. Their usage is not vulnerable and therefore an upgrade is not required. I would like to recommend excluding this advisory, but it doesn't seem possible with npm audit.
In my research, I saw that npm/npm-audit-report#38 was closed with a recommendation to post something here.
Example
nsp's .nsprc file had an exceptions field. The .snyk policy file similarly has an ignore rule:

```yaml
ignore:
  snyk-vulnid:
    - 'path > to > library':   # dependency path, using > as the separator
        reason: 'text string'
        expires: 'datetime string'
```
How
Current Behaviour
The current behavior continues to show users irrelevant issues after they have evaluated the advisory and concluded that it does not apply to their use. This could lead to frustration with the tool as well as actual vulnerabilities being lost in the "noise".
Desired Behaviour
I'd be happy if it worked similarly to nsp, or if it was a field added to the package.json.
Snyk's reason, expiration date, and specific library matching may also be desirable; I don't have a strong opinion there.
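The desired behaviour described above, as an added example that is not part of the original issue and not an npm feature: a small Node script that applies a .snyk-style ignore policy (advisory id, dependency path, reason, expiry) to the JSON that `npm audit --json` prints, and separates what the policy covers from what still needs attention. The audit report and the policy below are constructed sample data; the package names, advisory ids and URLs are made up, and the policy format is a hypothetical one modelled on the .snyk rule quoted in the issue.

```javascript
'use strict';

// Constructed sample of `npm audit --json` output in the npm 7+ "vulnerabilities"
// shape. Package names, advisory ids and URLs are made up for this example.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: false,
      via: [{ source: 1001, name: 'example-parser', title: 'Prototype pollution in parseUntrusted()',
              url: 'https://example.invalid/advisories/1001', severity: 'high', range: '<2.0.0' }],
      effects: ['widget-lib'], range: '<2.0.0',
      nodes: ['node_modules/widget-lib/node_modules/example-parser'], fixAvailable: true,
    },
    'widget-lib': {
      name: 'widget-lib', severity: 'high', isDirect: true,
      via: ['example-parser'],            // transitive entry: a string, no advisory of its own
      effects: [], range: '*', nodes: ['node_modules/widget-lib'], fixAvailable: true,
    },
    'old-logger': {
      name: 'old-logger', severity: 'moderate', isDirect: true,
      via: [{ source: 1002, name: 'old-logger', title: 'ReDoS in format string',
              url: 'https://example.invalid/advisories/1002', severity: 'moderate', range: '<1.5.0' }],
      effects: [], range: '<1.5.0', nodes: ['node_modules/old-logger'], fixAvailable: true,
    },
  },
};

// Hypothetical policy modelled on the .snyk "ignore" rule: advisory id -> list of
// { path, reason, expires }. Paths use npm's "a > b" notation; "*" matches any path.
const samplePolicy = {
  ignore: {
    1001: [{ path: 'widget-lib > example-parser',
             reason: 'widget-lib never passes attacker-controlled input to parseUntrusted()',
             expires: '2030-01-01T00:00:00Z' }],
    1002: [{ path: '*', reason: 'our log format strings are constants',
             expires: '2019-01-01T00:00:00Z' }],   // already lapsed: must resurface
  },
};

// Turn an install location into a dependency path:
// "node_modules/a/node_modules/b" -> "a > b" (scoped names such as "@s/a" survive).
function nodeToPath(node) {
  return node.split('node_modules/').filter(Boolean)
    .map((s) => s.replace(/\/$/, '')).join(' > ');
}

// Returns { remaining, suppressed, expired }. An expired rule is reported AND its
// advisory is put back into `remaining`, so a stale exception never hides a finding.
function applyPolicy(report, policy, now = new Date()) {
  const out = { remaining: [], suppressed: [], expired: [] };
  for (const vuln of Object.values(report.vulnerabilities)) {
    for (const via of vuln.via) {
      if (typeof via !== 'object') continue;                 // transitive, no advisory
      const rules = (policy.ignore && policy.ignore[via.source]) || [];
      for (const node of vuln.nodes) {
        const path = nodeToPath(node);
        const rule = rules.find((r) => r.path === '*' || r.path === path);
        const hit = { id: via.source, name: via.name, severity: via.severity, path };
        if (!rule) { out.remaining.push(hit); continue; }
        if (new Date(rule.expires) <= now) {
          out.expired.push({ ...hit, reason: rule.reason, expires: rule.expires });
          out.remaining.push(hit);
        } else {
          out.suppressed.push({ ...hit, reason: rule.reason });
        }
      }
    }
  }
  return out;
}

// Stand-alone demo; a CI wrapper would exit non-zero when `remaining` is non-empty.
if (typeof require !== 'undefined' && require.main === module) {
  const result = applyPolicy(sampleAudit, samplePolicy, new Date('2024-06-01T00:00:00Z'));
  console.log(JSON.stringify(result, null, 2));
}
```

Two caveats for anyone adapting this: the path is derived from the install location in `nodes`, so when npm hoists and dedupes a package the path collapses to just the package name and a rule written for the nested chain will not match; and the numeric `source` id is whatever the registry's advisory feed uses, so pin the policy to the identifier your registry actually emits.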
I'm going to close this in favor of #18 - I searched before posting, but didn't use the correct terminology to find that PR. I tried to update this issue to include every term I could think of as well as links to all of the duplicates and relations, so it's hopefully useful to future searchers.
References
npm audit
cli#1494