better-npm-audit

Version 1.11.1 on npm (91K weekly downloads, 1 maintainer)

Better NPM Audit

Made to allow skipping certain vulnerabilities, and any extra handling that are not supported by the default npm audit in the future.


Supports both NPM version 6 and 7

npm 7 shipped in late 2020 with breaking changes to npm audit: the output changed significantly in both the human-readable and the --json formats. We have added handling so the tool works correctly under both npm versions.

Docs                          Link
NPM v6 & v7 changes           https://github.blog/2020-10-13-presenting-v7-0-0-of-the-npm-cli/
NPM v7 blog post              https://blog.npmjs.org/post/626173315965468672/npm-v7-series-beta-release-and-semver-major
Official NPM v6 audit docs    https://docs.npmjs.com/cli/v6/commands/npm-audit
Official NPM v7 audit docs    https://docs.npmjs.com/cli/v7/commands/npm-audit
Dealing with new npm audit    https://uko.codes/dealing-with-npm-v7-audit-changes
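The two `npm audit --json` shapes mentioned above differ enough that a wrapper has to normalise them before it can match advisory IDs. The following is an added example, not code from better-npm-audit, showing one way to do that. It relies on the documented shapes of the two formats (npm 6 keys advisories by ID under `advisories`; npm 7 keys vulnerable packages under `vulnerabilities`, with advisory objects in each `via` array); the sample reports are constructed and trimmed to the fields used, not real audit output.

```javascript
// Added example (not better-npm-audit's own code): normalise the npm 6 and
// npm 7 shapes of `npm audit --json` into one list of findings keyed by
// advisory ID, which is the key the tool's -i flag and .nsprc file use.
//
// npm 6: one object per advisory under `advisories`, keyed by its numeric ID.
// npm 7: one object per vulnerable package under `vulnerabilities`; each `via`
//        entry is either an advisory object (numeric `source` = advisory ID)
//        or a plain string naming the dependency the problem is inherited from.

function normalizeAudit(report) {
  const byId = new Map(); // advisory ID -> finding, de-duplicated across paths

  if (report && report.advisories) {
    for (const adv of Object.values(report.advisories)) {
      byId.set(adv.id, {
        id: adv.id,
        severity: adv.severity,
        module: adv.module_name,
        title: adv.title,
      });
    }
  } else if (report && report.vulnerabilities) {
    for (const vuln of Object.values(report.vulnerabilities)) {
      for (const via of vuln.via || []) {
        if (typeof via !== 'object' || via === null) continue; // transitive pointer, no advisory
        byId.set(via.source, {
          id: via.source,
          severity: via.severity,
          module: via.name,
          title: via.title,
        });
      }
    }
  } else {
    throw new Error(
      'Unrecognised npm audit JSON: expected "advisories" (npm 6) or "vulnerabilities" (npm 7)',
    );
  }
  return [...byId.values()].sort((a, b) => a.id - b.id);
}

// Severity counts in the order npm prints them, for a summary line.
function countBySeverity(findings) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

// Constructed samples trimmed to the fields used above; not real audit output.
const NPM6_SAMPLE = {
  advisories: {
    118: { id: 118, severity: 'high', module_name: 'minimatch',
           title: 'Regular Expression Denial of Service' },
    577: { id: 577, severity: 'low', module_name: 'lodash', title: 'Prototype Pollution' },
  },
};

const NPM7_SAMPLE = {
  vulnerabilities: {
    bl: { name: 'bl', severity: 'high',
          via: [{ source: 1555, name: 'bl', severity: 'high',
                  title: 'Remote Memory Exposure', url: 'https://npmjs.com/advisories/1555' }] },
    mem: { name: 'mem', severity: 'moderate',
           via: [{ source: 1084, name: 'mem', severity: 'moderate',
                   title: 'Denial of Service', url: 'https://npmjs.com/advisories/1084' }] },
    // Inherited only: `via` names the vulnerable dependency, so no advisory here.
    'os-locale': { name: 'os-locale', severity: 'moderate', via: ['mem'] },
  },
};

for (const [label, sample] of [['npm 6', NPM6_SAMPLE], ['npm 7', NPM7_SAMPLE]]) {
  const findings = normalizeAudit(sample);
  console.log(label, findings.map((f) => `${f.id}:${f.module}:${f.severity}`).join(' '),
              countBySeverity(findings));
}
```

De-duplicating on advisory ID matters: npm 6 lists the same advisory once per dependency path (the minimatch example below appears twice), so counting paths instead of advisories overstates the result, and the -i flag is naturally keyed by the ID rather than the path.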

Installation

$ npm install better-npm-audit

or, globally:

$ npm install -g better-npm-audit

Usage

package.json

{
  "scripts": {
    "prepush": "npm run test && npm run audit",
    "audit": "node node_modules/better-npm-audit audit"
  }
}

Or, when installed globally:

better-npm-audit audit

Options

Flag             Short   Description
--level          -l      Same as the original --audit-level flag: the minimum severity that makes the run fail.
--production     -p      Skip checking devDependencies.
--ignore         -i      Skip the given advisory IDs (comma-separated, e.g. -i 118,577).
--full           -f      Display the full audit report. By default the report is truncated to a character limit so it does not overwhelm the console.
--display-notes  -d      Display the reasons for matched exceptions from the .nsprc file.

Environment Variables

Variable                              Description
process.env.NPM_CONFIG_AUDIT_LEVEL    Sets the audit level.
                                      Note: this is disregarded if the audit level flag is passed on the command line.

Using .nsprc file to manage exceptions

You may add a .nsprc file to your project root directory to manage exceptions. For example:

{
  "1337": {
    "ignore": true,
    "reason": "Ignored since we don't use xxx method",
    "expiry": 1615462134681
  },
  "4501": {
    "ignore": false,
    "reason": "Ignored since we don't use xxx method"
  },
  "980": "Ignored since we don't use xxx method",
  "Note": "Any non number key will be ignored"
}
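The options, the NPM_CONFIG_AUDIT_LEVEL variable and the .nsprc file above all feed one decision: which findings are skipped and whether the run fails. The following is an added example, not better-npm-audit's own code, that applies those rules to a list of findings. Two points are assumptions, not stated on the page: `expiry` is treated as a Unix timestamp in milliseconds after which the exception stops applying, and --level is read like npm's own --audit-level, i.e. the lowest severity that still fails the run. The .nsprc and findings are constructed inputs.

```javascript
// Added example (not better-npm-audit's own code): apply a .nsprc exception
// file and the -i / --level / NPM_CONFIG_AUDIT_LEVEL settings to a list of
// audit findings and decide whether the run should fail.
// Assumptions (not stated on the page): `expiry` is a Unix timestamp in
// milliseconds and an expired exception stops applying; --level means, as with
// npm's own --audit-level, the lowest severity that still fails the run.

const LEVELS = ['info', 'low', 'moderate', 'high', 'critical'];

// Parse .nsprc as the README describes it: only numeric keys count; a string
// value is a reason with ignore implied; an object carries ignore/reason/expiry.
function parseNsprc(nsprcText, now = Date.now()) {
  const exceptions = new Map();
  for (const [key, value] of Object.entries(JSON.parse(nsprcText))) {
    if (!/^\d+$/.test(key)) continue; // "Any non number key will be ignored"
    const id = Number(key);
    if (typeof value === 'string') {
      exceptions.set(id, { ignore: true, reason: value, expired: false });
    } else if (value && typeof value === 'object') {
      exceptions.set(id, {
        ignore: value.ignore === true,
        reason: value.reason || '',
        expired: typeof value.expiry === 'number' && value.expiry <= now,
      });
    }
  }
  return exceptions;
}

// The --level flag wins over NPM_CONFIG_AUDIT_LEVEL; with neither, any finding fails.
function resolveAuditLevel(flagLevel, env = {}) {
  const level = flagLevel || env.NPM_CONFIG_AUDIT_LEVEL || 'info';
  if (!LEVELS.includes(level)) throw new Error(`Unknown audit level: ${level}`);
  return level;
}

// findings: [{ id, severity, module }]; ignoredIds: what `-i 118,577` would give.
function evaluate(findings, exceptions, level, ignoredIds = []) {
  const threshold = LEVELS.indexOf(level);
  const cliIgnored = new Set(ignoredIds.map(Number));
  const failing = [];
  const skipped = [];
  for (const f of findings) {
    const exc = exceptions.get(f.id);
    if (cliIgnored.has(f.id)) {
      skipped.push({ id: f.id, reason: 'ignored via -i flag' });
    } else if (exc && exc.ignore && !exc.expired) {
      skipped.push({ id: f.id, reason: exc.reason });
    } else if (LEVELS.indexOf(f.severity) >= threshold) {
      failing.push(f); // an expired or ignore:false entry falls through to here
    }
  }
  return { ok: failing.length === 0, failing, skipped };
}

// Constructed inputs, not real audit data. The .nsprc mirrors the README example.
const NSPRC_SAMPLE = JSON.stringify({
  1337: { ignore: true, reason: "Ignored since we don't use xxx method", expiry: 1615462134681 },
  4501: { ignore: false, reason: 'Must be fixed' },
  980: "Ignored since we don't use xxx method",
  Note: 'Any non number key will be ignored',
});
const FINDINGS_SAMPLE = [
  { id: 1337, severity: 'high', module: 'pkg-a' },
  { id: 4501, severity: 'moderate', module: 'pkg-b' },
  { id: 980, severity: 'low', module: 'pkg-c' },
  { id: 2000, severity: 'low', module: 'pkg-d' },
];

const result = evaluate(
  FINDINGS_SAMPLE,
  parseNsprc(NSPRC_SAMPLE), // evaluated now, so the 1337 exception has expired
  resolveAuditLevel(undefined, { NPM_CONFIG_AUDIT_LEVEL: 'moderate' }),
);
console.log(result.ok
  ? '🤝  All good'
  : `${result.failing.length} vulnerabilities found. Node security advisories: ${result.failing.map((f) => f.id).join(',')}`);
```

Run as written, the 1337 exception has already expired, so 1337 and 4501 fail while 980 is skipped and 2000 sits below the moderate threshold. The expiry check is the part worth keeping in any wrapper of this kind: an exception with a reason but no end date quietly becomes permanent.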

Examples

NPM v6

Running node node_modules/better-npm-audit audit on a project with vulnerabilities fails with:

2 vulnerabilities found. Node security advisories: 118,577

Adding the ignore flag (node node_modules/better-npm-audit audit -i 118,577) and re-running gives:

Executing script: audit

to be executed: "node node_modules/better-npm-audit audit -i 118,577"
Exception Vulnerabilities IDs:  [ '118', '577' ]
=== npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  High            Regular Expression Denial of Service

  Package         minimatch

  Patched in      >=3.0.2

  Dependency of   semantic-ui

  Path            semantic-ui > gulp > vinyl-fs > glob-stream > glob >
                  minimatch

  More info       https://nodesecurity.io/advisories/118


  High            Regular Expression Denial of Service

  Package         minimatch

  Patched in      >=3.0.2

  Dependency of   semantic-ui

  Path            semantic-ui > gulp > vinyl-fs > glob-watcher > gaze >
                  globule > minimatch

  More info       https://nodesecurity.io/advisories/118


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   semantic-ui

  Path            semantic-ui > gulp > vinyl-fs > glob-watcher > gaze >
                  globule > lodash

  More info       https://nodesecurity.io/advisories/577

found 5 vulnerabilities (1 low, 4 high) in 30441 scanned packages
  5 vulnerabilities require manual review. See the full report for details.

🤝  All good

NPM v7

# npm audit report

bl  <=1.2.2 || 2.0.1 - 2.2.0 || 3.0.0 || 4.0.0 - 4.0.2
Severity: high
Remote Memory Exposure - https://npmjs.com/advisories/1555
fix available via `npm audit fix`
node_modules/bl

dot-prop  <4.2.1 || >=5.0.0 <5.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1213
fix available via `npm audit fix`
node_modules/dot-prop

mem  <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via `npm audit fix`
node_modules/loopback-connector-rest/node_modules/mem
  os-locale  2.0.0 - 3.0.0
  Depends on vulnerable versions of mem
  node_modules/loopback-connector-rest/node_modules/os-locale
    strong-globalize  2.8.4 || 2.10.0 - 4.1.1
    Depends on vulnerable versions of os-locale
    node_modules/loopback-connector-rest/node_modules/strong-globalize

swagger-ui  <=3.20.8
Severity: moderate
Reverse Tabnapping - https://npmjs.com/advisories/975
Cross-Site Scripting - https://npmjs.com/advisories/976
Cross-Site Scripting - https://npmjs.com/advisories/985
fix available via `npm audit fix --force`
Will install loopback-component-explorer@2.7.0, which is a breaking change
node_modules/swagger-ui
  loopback-component-explorer  >=3.0.0
  Depends on vulnerable versions of swagger-ui
  node_modules/loopback-component-explorer

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix`
node_modules/mocha/node_modules/yargs-parser
node_modules/yargs-unparser/node_modules/yargs-parser
  mocha  1.21.5 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of mkdirp
  Depends on vulnerable versions of yargs-parser
  Depends on vulnerable versions of yargs-unparser
  node_modules/mocha
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs-unparser/node_modules/yargs
    yargs-unparser  1.1.0 - 1.5.0
    Depends on vulnerable versions of yargs
    node_modules/yargs-unparser

18 vulnerabilities (14 low, 2 moderate, 2 high)

Special mentions

  • @IanWright for his work improving the vulnerability validation, which gave us the minimum-audit-level and production-mode flags.

  • @EdwinTaylor for all the bug reports and improvement suggestions.



If you like this project,

Buy Me A Coffee


Package last updated on 11 Jun 2021
