
If I remove the .npmrc file and do "npm install", it shows me the found vulnerabilities.

When I include my .npmrc file, which has only the registry URL, and do "npm install", I can't see the vulnerable packages. Maybe I am missing some config that has to be in the file. I tried several configs yet cannot see the vulnerable packages.

Without .npmrc file: [screenshot of the "npm install" output, showing the found vulnerabilities]

With .npmrc file: [screenshot of the "npm install" output, showing no vulnerabilities]

My .npmrc file which I added is only a one-liner:

registry = <my_registry_url>

I'd like to know what I am missing.

– d1fficult

1 Answer

The other registry doesn't support the audit endpoint, so npm doesn't know how to ask it to audit your package selection.

If you say npm i --verbose ..., you'll notice it doing

npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 234ms
npm timing auditReport:getReport Completed in 236ms
– AKX
  • In my case, | npm http fetch POST 404 /security/audits/quick | npm timing npm Completed in 17483ms – d1fficult Sep 13 '22 at 13:03
  • @AbhijeetRaj Yep, there you go: your registry doesn't support the audit URL (it returns 404), so npm doesn't audit anything. – AKX Sep 13 '22 at 13:10
  • Makes sense, if this audit URL had been working, then I would have been able to see the fetched vulnerabilities. One more thing (might sound silly to you), if this registry doesn't support the audit URL, does it mean that it won't be having any vulnerabilities? – d1fficult Sep 13 '22 at 13:15
  • No, of course it doesn't mean that. The packages in that registry can have all the vulnerabilities in the world and then some. – AKX Sep 13 '22 at 13:17
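Because npm skips the audit silently when the registry answers 404 on the advisory endpoint, a CI job that only reads the exit code of "npm install" never learns that no audit happened. The POSIX shell helper below (an added example, not code from the question or the answer) reads the verbose npm log, classifies the audit request the way the answer does, and shows how a pipeline can fall back to auditing against the public registry. The two sample log excerpts are constructed from the lines quoted above, and the internal registry host is a placeholder.

```shell
#!/bin/sh
# Constructed sample lines, modelled on the `npm i --verbose` output quoted in the answer.
SAMPLE_LOG_OK='npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 234ms
npm timing auditReport:getReport Completed in 236ms'

# Placeholder host standing in for the private registry from the question.
SAMPLE_LOG_404='npm http fetch POST 404 https://registry.example.internal/-/npm/v1/security/audits/quick 120ms
npm timing npm Completed in 17483ms'

# No audit request at all (e.g. `npm install --no-audit`).
SAMPLE_LOG_NONE='npm timing npm Completed in 900ms'

# audit_status: reads an npm verbose log on stdin and prints one word:
#   supported   - the audit POST got a 2xx, so the advisory data was fetched
#   unsupported - the audit POST got a non-2xx (404 on the page's registry)
#   absent      - npm never asked any registry for advisories
audit_status() {
  code=$(grep -E 'npm http fetch POST [0-9]+ [^ ]*/security/(advisories/bulk|audits/quick)' \
         | awk '{ print $5 }' | head -n 1)
  case "$code" in
    "")  echo absent ;;
    2*)  echo supported ;;
    *)   echo unsupported ;;
  esac
}

# audit_guard: what a CI step would run after `npm install --verbose 2>&1 | tee npm.log`.
# Falls back to the public registry for the audit only, so the install still
# resolves packages from the private registry. Returns 1 when no audit ran.
audit_guard() {
  log_file=$1
  case "$(audit_status < "$log_file")" in
    supported)
      echo "audit data fetched from the configured registry" ;;
    unsupported|absent)
      echo "configured registry did not serve advisories; auditing against registry.npmjs.org" >&2
      npm audit --registry=https://registry.npmjs.org || return 1 ;;
  esac
}

# Only talk to npm when explicitly asked, so the helpers can be sourced in a test.
if [ "$1" = "--check" ] && [ -n "$2" ]; then
  audit_guard "$2"
fi
```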