npm audit is part of my Bitbucket pipeline. I use quill which introduces an XSS vulnerability. It was shipped via cdn, but now my app serves this dependency itself. npm audit now fails because of the XSS.

I am not sure yet if this vulnerability is even relevant to my use case. But I would like to be able to suppress a vulnerability in npm audit. I tried better-npm-audit, but it doesn't seem to be able to generate the JSON output needed for the pipeline.

I am confused because it feels like an obvious thing to suppress false positives. But googling around (and also asking ChatGPT for help) didn't help.

So: is it possible to suppress false positives in npm audit?

samjaf

  • I am struggling with the exact same thing. We are currently experiencing a dev dependency that has a security vulnerability; this isn't fixable and naturally it is not that important since it is a dev dependency. Keen to see if you figure it out! – Fluous May 16 '23 at 11:51

0 Answers