[BUG] npm audit does not show the package from package.json that depends on the vulnerable package
dandv opened this issue
Dan Dascalescu commented
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
npm audit does not output which of the packages from the package.json dependencies depends on the detected vulnerable package(s).
Expected Behavior
npm should tell me which of the packages I'm using depend(s) on the vulnerable package(s), so that I can update or replace it/them.
Steps To Reproduce
git clone https://github.com/dandv/npm-audit-bug.git && cd npm-audit-bug
npm install
npm audit
- Notice the output doesn't mention which of the user's packages from package.json depends on the vulnerable package.
Environment
- npm: 10.6.0
- Node.js: 18.19.0
- OS Name: Fedora Linux 38
- npm config:
; "global" config from /etc/npmrc
; prefix = "/usr/local" ; overridden by user
python = "/usr/bin/python3"
; "user" config from /home/dandv/.npmrc
prefix = "/home/dandv/.local"
; node bin location = /usr/bin/node-18
; node version = v18.19.0
; npm local prefix = /home/dandv/prg/npm-audit-bug
; npm version = 10.6.0
; cwd = /home/dandv/prg/npm-audit-bug
; HOME = /home/dandv
; Run `npm config ls -l` to show all defaults.
Leo Balter commented
Thanks for the report! Improvements to the audit experience are under consideration but we don't have a timeline to share at the moment.