better-npm-audit
Advanced tools
Made to allow skipping certain vulnerabilities, and any extra handling that is not supported by the default `npm audit`, in the future.
npm was upgraded to version 7 in late 2020, with breaking changes to `npm audit`. The output of `npm audit` changed significantly in both the human-readable and `--json` output styles. We have added handling so it works properly in both npm versions.
| Docs | Link |
|---|---|
| NPM v6 & v7 changes | https://github.blog/2020-10-13-presenting-v7-0-0-of-the-npm-cli/ |
| NPM v7 blog post | https://blog.npmjs.org/post/626173315965468672/npm-v7-series-beta-release-and-semver-major |
| Official NPM v6 audit docs | https://docs.npmjs.com/cli/v6/commands/npm-audit |
| Official NPM v7 audit docs | https://docs.npmjs.com/cli/v7/commands/npm-audit |
| Dealing with new npm audit | https://uko.codes/dealing-with-npm-v7-audit-changes |
```sh
npm install better-npm-audit
# or, globally
npm install -g better-npm-audit
```
package.json

```json
{
  "scripts": {
    "prepush": "npm run test && npm run audit",
    "audit": "node node_modules/better-npm-audit audit"
  }
}
```

Or, when installed globally:

```sh
better-npm-audit audit
```
.nsprc file to manage exceptions

You may add a file `.nsprc` to your project root directory to manage the exceptions. For example:

```json
{
  "1337": {
    "ignore": true,
    "reason": "Ignored since we don't use xxx method",
    "expiry": 1615462134681
  },
  "4501": {
    "ignore": false,
    "reason": "Ignored since we don't use xxx method"
  },
  "980": "Ignored since we don't use xxx method",
  "Note": "Any non number key will be ignored"
}
```
| Flag | Short | Description |
|---|---|---|
| `--level` | `-l` | Same as the original `--audit-level` flag |
| `--production` | `-p` | Skip checking `devDependencies` |
| `--ignore` | `-i` | Skip the listed advisory IDs |
| `--full` | `-f` | Display the full audit report. By default the report is truncated to a character limit so that it does not flood the console with details. |
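The following is an added illustration, not better-npm-audit's own code: a small re-implementation of how the `.nsprc` exception file above and the comma-separated `--ignore` list can be combined to decide which advisory IDs to skip. It assumes numeric keys only, that `expiry` is a Unix timestamp in milliseconds, and that an expired entry or an `"ignore": false` entry must not suppress an advisory; the sample `.nsprc` object is constructed from the README's example.

```javascript
// Illustrative re-implementation (not the project's code) of exception handling.
// Assumptions: numeric keys only, "expiry" is epoch milliseconds, and an
// expired or "ignore": false entry does NOT suppress the advisory.

function parseNsprc(nsprc, now = Date.now()) {
  const ignored = new Set();
  for (const [key, value] of Object.entries(nsprc)) {
    if (!/^\d+$/.test(key)) continue;              // non-numeric keys are ignored
    const id = Number(key);
    if (typeof value === 'string') {                // shorthand: the value is the reason
      ignored.add(id);
      continue;
    }
    if (!value || typeof value !== 'object' || value.ignore !== true) continue;
    if (typeof value.expiry === 'number' && value.expiry <= now) continue; // expired
    ignored.add(id);
  }
  return ignored;
}

function parseIgnoreFlag(flag) {
  // "-i 118,577" -> [118, 577]; blanks and non-numeric entries are dropped
  return (flag || '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => /^\d+$/.test(s))
    .map(Number);
}

// Advisory IDs that still need attention after applying file and CLI exceptions.
function remainingAdvisories(foundIds, nsprc, ignoreFlag, now = Date.now()) {
  const skip = parseNsprc(nsprc, now);
  for (const id of parseIgnoreFlag(ignoreFlag)) skip.add(id);
  return foundIds.filter((id) => !skip.has(id));
}

// Constructed sample mirroring the README's .nsprc: 1337 is ignored until its
// expiry, 4501 is explicitly not ignored, 980 uses the string shorthand.
const sampleNsprc = {
  '1337': { ignore: true, reason: "Ignored since we don't use xxx method", expiry: 1615462134681 },
  '4501': { ignore: false, reason: "Ignored since we don't use xxx method" },
  '980': "Ignored since we don't use xxx method",
  'Note': 'Any non number key will be ignored',
};
```

Once the expiry timestamp passes, advisory 1337 is reported again, which is the safety property an expiring exception is meant to give you.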
NPM v6
Running `node node_modules/better-npm-audit audit` on a project with vulnerabilities produces the error:

```
2 vulnerabilities found. Node security advisories: 118,577
```

Add the ignore flag (`node node_modules/better-npm-audit audit -i 118,577`) and rerun:
```
Executing script: audit
to be executed: "node node_modules/better-npm-audit audit -i 118,577"
Exception Vulnerabilities IDs: [ '118', '577' ]
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High            Regular Expression Denial of Service
Package         minimatch
Patched in      >=3.0.2
Dependency of   semantic-ui
Path            semantic-ui > gulp > vinyl-fs > glob-stream > glob > minimatch
More info       https://nodesecurity.io/advisories/118
High            Regular Expression Denial of Service
Package         minimatch
Patched in      >=3.0.2
Dependency of   semantic-ui
Path            semantic-ui > gulp > vinyl-fs > glob-watcher > gaze > globule > minimatch
More info       https://nodesecurity.io/advisories/118
Low             Prototype Pollution
Package         lodash
Patched in      >=4.17.5
Dependency of   semantic-ui
Path            semantic-ui > gulp > vinyl-fs > glob-watcher > gaze > globule > lodash
More info       https://nodesecurity.io/advisories/577
found 5 vulnerabilities (1 low, 4 high) in 30441 scanned packages
5 vulnerabilities require manual review. See the full report for details.
🤝 All good
```
NPM v7
```
# npm audit report
bl <=1.2.2 || 2.0.1 - 2.2.0 || 3.0.0 || 4.0.0 - 4.0.2
Severity: high
Remote Memory Exposure - https://npmjs.com/advisories/1555
fix available via `npm audit fix`
node_modules/bl
dot-prop <4.2.1 || >=5.0.0 <5.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1213
fix available via `npm audit fix`
node_modules/dot-prop
mem <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via `npm audit fix`
node_modules/loopback-connector-rest/node_modules/mem
os-locale 2.0.0 - 3.0.0
Depends on vulnerable versions of mem
node_modules/loopback-connector-rest/node_modules/os-locale
strong-globalize 2.8.4 || 2.10.0 - 4.1.1
Depends on vulnerable versions of os-locale
node_modules/loopback-connector-rest/node_modules/strong-globalize
swagger-ui <=3.20.8
Severity: moderate
Reverse Tabnapping - https://npmjs.com/advisories/975
Cross-Site Scripting - https://npmjs.com/advisories/976
Cross-Site Scripting - https://npmjs.com/advisories/985
fix available via `npm audit fix --force`
Will install loopback-component-explorer@2.7.0, which is a breaking change
node_modules/swagger-ui
loopback-component-explorer >=3.0.0
Depends on vulnerable versions of swagger-ui
node_modules/loopback-component-explorer
yargs-parser <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix`
node_modules/mocha/node_modules/yargs-parser
node_modules/yargs-unparser/node_modules/yargs-parser
mocha 1.21.5 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of yargs-parser
Depends on vulnerable versions of yargs-unparser
node_modules/mocha
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of yargs-parser
node_modules/yargs-unparser/node_modules/yargs
yargs-unparser 1.1.0 - 1.5.0
Depends on vulnerable versions of yargs
node_modules/yargs-unparser
18 vulnerabilities (14 low, 2 moderate, 2 high)
```
@IanWright for his solutions in improving the vulnerability validation for us to have the minimum-audit-level and production-mode flags.
@EdwinTaylor for all the bug reports and improvement suggestions.
If you like this project,
FAQs
Reshape into a better npm audit for the community and encourage more people to include security audit into their process.
The npm package better-npm-audit receives a total of 41,635 weekly downloads. As such, better-npm-audit popularity was classified as popular.
We found that better-npm-audit demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.