npm audit with verdaccio registry shows different vulnerabilities in compare with registry.npmjs.org #2437

Inzeppelin · 2021-09-15T10:59:37Z

Inzeppelin
Sep 15, 2021

Running npm audit with verdaccio registry shows 644 vulnerabilities. Running the same command with default registry (registry.npmjs.org) and the same package.json shows only 26. Every run we remove node_modules, package-lock and clean npm cache.

Looks like it affects particular @VUE dependencies. But not sure if this was important.

We can't figure out the reason of this behaviour. Probably this is kind of caching issue.

Env:

verdaccio version: 5.1.2
node version 12.x.x
package manager: npm@6
os: mac
platform: npm

Verdaccio config has audit option

middlewares:
  audit:
    enabled: true

Could you please help with debugging that?

Answered by juanpicado

Sep 15, 2021

hi @Inzeppelin
could you share (so I can check locally)

small repo with a lock file?

Audit is not cached, just pass through https://github.com/verdaccio/monorepo/blob/9.x/plugins/audit/src/audit.ts#L52 , there is no easier way to debug but you could just add a console.log in that line and see what you get from npmjs.

Furthermore, npm audit was updated in v5.1.4, so please give a try to the latest.

View full answer

juanpicado · 2021-09-15T19:54:58Z

juanpicado
Sep 15, 2021
Maintainer

hi @Inzeppelin
could you share (so I can check locally)

small repo with a lock file?

Audit is not cached, just pass through https://github.com/verdaccio/monorepo/blob/9.x/plugins/audit/src/audit.ts#L52 , there is no easier way to debug but you could just add a console.log in that line and see what you get from npmjs.

Furthermore, npm audit was updated in v5.1.4, so please give a try to the latest.

1 reply

Inzeppelin Sep 27, 2021
Author

Thanks for your answer!

We did update to latest verdaccio version, but it didn't help.

The actual reason was quite simple, but not very obvious. We noticed, that most of those vulnerabilities were related to @vue/cli-plugin-unit-jest package. And full path in audit log was like @vue/cli-plugin-unit-jest > jest > jest-cli > @jest/core > jest-runtime > jest-haste-map > fsevents, so it points to fsevents as a dependancy.

jest-haste-map wants at least [email protected], but on verdaccio side we cached 1.2.12 in storage folder, so it matches the required version and was downloaded from cache. At the same time this particular version of fsevents brings around 500 vulnerabilities. Next their patch is totally fine.

So finally we've just removed fsevents folder from verdaccio storage and cahced 1.2.13 version on next npm install.

Probably there should be some method to update verdaccio cache storage folder during npm audit fix.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Verdaccio

npm audit with verdaccio registry shows different vulnerabilities in compare with registry.npmjs.org #2437

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Verdaccio

npm audit with verdaccio registry shows different vulnerabilities in compare with registry.npmjs.org #2437

Uh oh!

Inzeppelin Sep 15, 2021

Replies: 1 comment · 1 reply

Uh oh!

Uh oh!

juanpicado Sep 15, 2021 Maintainer

Uh oh!

Uh oh!

Inzeppelin Sep 27, 2021 Author

Inzeppelin
Sep 15, 2021

Replies: 1 comment 1 reply

juanpicado
Sep 15, 2021
Maintainer

Inzeppelin Sep 27, 2021
Author