npm / cli

the package manager for JavaScript

Home Page:https://docs.npmjs.com/cli/

[BUG] npm audit does not show the package from package.json that depends on the vulnerable package

dandv opened this issue

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm audit does not output which of the packages from the package.json dependencies depends on the detected vulnerable package(s).

Expected Behavior

npm should tell me which of the packages I'm using depend(s) on the vulnerable package(s), so that I can update or replace it/them.

Steps To Reproduce

  1. git clone https://github.com/dandv/npm-audit-bug.git && cd npm-audit-bug
  2. npm install
  3. npm audit
  4. Notice the output doesn't mention which of the user's packages from package.json depends on the vulnerable package.

image

Environment

  • npm: 10.6.0
  • Node.js: 18.19.0
  • OS Name: Fedora Linux 38
  • npm config:
; "global" config from /etc/npmrc

; prefix = "/usr/local" ; overridden by user
python = "/usr/bin/python3"

; "user" config from /home/dandv/.npmrc

prefix = "/home/dandv/.local"

; node bin location = /usr/bin/node-18
; node version = v18.19.0
; npm local prefix = /home/dandv/prg/npm-audit-bug
; npm version = 10.6.0
; cwd = /home/dandv/prg/npm-audit-bug
; HOME = /home/dandv
; Run `npm config ls -l` to show all defaults.

Thanks for the report! Improvements to the audit experience are under consideration but we don't have a timeline to share at the moment.
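Until the audit output itself answers the question raised above, the mapping from a vulnerable package to the direct dependencies that pull it in can be recovered from `npm audit --json`. The following is an added example, not code from npm or from the linked reproduction repo. It relies on the documented shape of the npm 7+ JSON report (`auditReportVersion` 2): each entry under `vulnerabilities` carries `via` (advisory objects when the package itself is flawed, bare strings naming the vulnerable packages it depends on), `effects` (the packages that are vulnerable only because they depend on this one) and `isDirect` (true when the package is listed in the project's own package.json). The package names, advisory titles and URLs in the sample report are constructed for the example and do not describe real advisories.

```javascript
// Added example (not npm's own code): post-process `npm audit --json` output
// and report, for every package that carries its own advisory, which direct
// dependencies from package.json pull it in.

// In `via`, an advisory object describes a flaw in this package itself; a
// bare string names another vulnerable package this one depends on.
function isAdvisory(entry) {
  return typeof entry === 'object' && entry !== null;
}

// Follow `effects` edges outward from each directly-advised package until an
// `isDirect` entry is reached. `effects` can contain cycles, so a visited set
// bounds the walk. Returns { name: { severity, advisories, directDependents } }.
function topLevelDependents(report) {
  const vulns = (report && report.vulnerabilities) || {};
  const result = {};
  for (const [name, vuln] of Object.entries(vulns)) {
    const advisories = (vuln.via || []).filter(isAdvisory);
    if (advisories.length === 0) continue; // affected only transitively; skip
    const direct = new Set();
    const seen = new Set();
    const stack = [name];
    while (stack.length > 0) {
      const cur = stack.pop();
      if (seen.has(cur)) continue;
      seen.add(cur);
      const node = vulns[cur];
      if (!node) continue; // defensive: `effects` normally only names report entries
      if (node.isDirect) direct.add(cur);
      for (const eff of node.effects || []) stack.push(eff);
    }
    result[name] = {
      severity: vuln.severity,
      advisories: advisories.map((a) => ({ title: a.title, url: a.url, range: a.range })),
      directDependents: [...direct].sort(),
    };
  }
  return result;
}

// One line per vulnerable package, sorted by name, with the advisory URLs.
function formatReport(mapping) {
  return Object.keys(mapping).sort().map((name) => {
    const { severity, directDependents, advisories } = mapping[name];
    const via = directDependents.length ? directDependents.join(', ') : 'no direct dependent found';
    const urls = advisories.map((a) => a.url).filter(Boolean).join(' ');
    return `${name} (${severity}): pulled in by ${via}${urls ? ' [' + urls + ']' : ''}`;
  });
}

// Convenience wrapper for the raw text of `npm audit --json`.
function analyzeAuditText(text) {
  return topLevelDependents(JSON.parse(text));
}

// Constructed sample in the shape of `npm audit --json`. Names, ranges and
// URLs are illustrative (hypothetical packages), not a real audit result.
// Dependency picture: tiny-parser is reached through upgrade-check -> cli-runner,
// directly through cli-runner, and through build-helper; string-utils is a
// direct dependency with its own advisory.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'tiny-parser': {
      name: 'tiny-parser', severity: 'high', isDirect: false,
      via: [{ source: 0, name: 'tiny-parser', dependency: 'tiny-parser', title: 'constructed advisory', url: 'https://example.invalid/advisory-1', severity: 'high', range: '<2.1.0' }],
      effects: ['upgrade-check', 'cli-runner', 'build-helper'],
      range: '<2.1.0', nodes: ['node_modules/tiny-parser'], fixAvailable: true,
    },
    'upgrade-check': {
      name: 'upgrade-check', severity: 'high', isDirect: false,
      via: ['tiny-parser'], effects: ['cli-runner'], range: '*', nodes: ['node_modules/upgrade-check'], fixAvailable: true,
    },
    'cli-runner': {
      name: 'cli-runner', severity: 'high', isDirect: true,
      via: ['upgrade-check', 'tiny-parser'], effects: [], range: '*', nodes: ['node_modules/cli-runner'], fixAvailable: true,
    },
    'build-helper': {
      name: 'build-helper', severity: 'high', isDirect: true,
      via: ['tiny-parser'], effects: [], range: '*', nodes: ['node_modules/build-helper'], fixAvailable: true,
    },
    'string-utils': {
      name: 'string-utils', severity: 'moderate', isDirect: true,
      via: [{ source: 0, name: 'string-utils', dependency: 'string-utils', title: 'constructed advisory', url: 'https://example.invalid/advisory-2', severity: 'moderate', range: '<1.4.0' }],
      effects: [], range: '<1.4.0', nodes: ['node_modules/string-utils'], fixAvailable: true,
    },
  },
};
```

On a real project, save the report with `npm audit --json > audit.json` and pass `fs.readFileSync('audit.json', 'utf8')` to `analyzeAuditText`; `formatReport` then prints, for each advised package, the package.json entries to update or replace. For a single package, `npm ls <name>` prints the same information as a tree path from the project root, which is the quickest manual check while the audit output is as described in the report above.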