Audit requests always pass

Question

Audit requests always pass

paulbrimicombe opened this issue 6 years ago · comments

Paul Douglas Brimicombe commented 6 years ago

Versions:

verdaccio-audit 0.2.0
npm 6.4.1
verdaccio 3.8.4

Install a package with vulnerabilities and audit:

npm --registry=my-verdaccio-host:123 install lodash@3
npm --registry=my-verdaccio-host:123 audit

Expected outcome -- one security vulnerability reported.
Actual outcome -- no security vulnerabilities.

Paul Douglas Brimicombe · Answer 1 · Tue Oct 16 2018 19:53:03 GMT+0800 (China Standard Time)

I've debugged this briefly and the problem is the content-type header that npm is passing to the API.

The content type is set to application/json, application/octet-stream and body-parser isn't recognising this as JSON. This means that an empty object is passed to the npmjs registry which then returns no vulnerabilities as it thinks there are no dependencies.

I don't know whether earlier npm versions used a different content-type header that played more nicely with body-parser

The fix would be to add a type parameter to the JSON body parser that returns true if the above content type is used.

I might put together a quick PR if I can find the time later on.

Paul Douglas Brimicombe · Answer 2 · Wed Oct 17 2018 15:51:41 GMT+0800 (China Standard Time)

Thanks @ayusharma that was quick!

Juan Picado · Answer 3 · Sat Oct 20 2018 03:37:22 GMT+0800 (China Standard Time)

Available on verdaccio@3.8.5