Audit requests always pass
paulbrimicombe opened this issue · comments
Versions:
- verdaccio-audit 0.2.0
- npm 6.4.1
- verdaccio 3.8.4
Install a package with vulnerabilities and audit:
```
npm --registry=my-verdaccio-host:123 install lodash@3
npm --registry=my-verdaccio-host:123 audit
```
- Expected outcome -- one security vulnerability reported.
- Actual outcome -- no security vulnerabilities.
I've debugged this briefly and the problem is the `content-type` header that npm is passing to the API.

The content type is set to `application/json, application/octet-stream` and body-parser isn't recognising this as JSON. This means that an empty object is passed to the npmjs registry, which then returns no vulnerabilities as it thinks there are no dependencies.

I don't know whether earlier npm versions used a different `content-type` header that played more nicely with body-parser.

The fix would be to add a `type` parameter to the JSON body parser that returns `true` if the above content type is used.

I might put together a quick PR if I can find the time later on.
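As an added illustration of the fix described above (example code, not the issue author's patch or verdaccio-audit's own code): a `type` function for body-parser's `json()` that accepts a comma-joined `content-type` header, beside a strict matcher that stands in for the default behaviour and rejects it. The wiring line for `bodyParser.json` is an assumption about how it would be used.

```javascript
// Added example; not code from the issue or from verdaccio-audit.
// Lets body-parser's json() accept a Content-Type such as
// "application/json, application/octet-stream" (the header npm sends).

// True if any entry in a (possibly comma-separated) Content-Type header is a
// JSON media type. Parameters such as "; charset=utf-8" are stripped first.
function isJsonContentType(header) {
  if (typeof header !== 'string') return false;
  return header
    .split(',')
    .map((part) => part.split(';')[0].trim().toLowerCase())
    .some((mime) => mime === 'application/json' || mime.endsWith('+json'));
}

// Adapter with the signature body-parser expects for its `type` option:
// a function that receives the request and returns a boolean.
function jsonTypeMatcher(req) {
  return isJsonContentType(req.headers['content-type']);
}

// Assumed wiring (not the project's actual code):
//   app.use(bodyParser.json({ type: jsonTypeMatcher }));

// Stand-in for the strict default: only an exact "application/json"
// (parameters ignored) matches, so npm's comma-joined header is rejected
// and the parsed body stays an empty object, which is the bug reported.
function strictJsonType(header) {
  if (typeof header !== 'string') return false;
  return header.split(';')[0].trim().toLowerCase() === 'application/json';
}

// Header as reported in the issue.
const npmHeader = 'application/json, application/octet-stream';

console.log(strictJsonType(npmHeader)); // false: body ignored, audit sees no deps
console.log(jsonTypeMatcher({ headers: { 'content-type': npmHeader } })); // true
```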
Thanks @ayusharma that was quick!
Available on verdaccio@3.8.5