jeemok/better-npm-audit

Does not work with npm 7

mgdodge opened this issue · 2 comments

I have an old project that has known vulnerabilities right now (35 low, 4 moderate, 8 high). Running better-npm-audit, I would expect it to throw an error, but it does not. The screen output shows the result of the npm audit, with "All good!" at the end. This is a really, really big problem.

It seems that the latest version includes the following code, which essentially creates an empty object when the npm audit doesn't return an advisories object:

const { advisories } = JSON.parse(jsonBuffer);

// Grab any un-filtered vulnerabilities at the appropriate level
const vulnerabilities = Object.values(advisories || {});

The JSON format of npm 7 changed drastically, and this change is entirely insufficient to handle the new format. This article explains the changes.

In its current state, better-npm-audit is returning a false result for anyone using npm 7, and is essentially useless. NPM really threw a lot of these audit utilities a curve ball with the change to the npm audit json format.

Hey, @mgdodge I'm so sorry for the problem caused and thank you so much for reporting this. I have reverted the merged changes temporarily and published a new minor version 1.5.0, and will look into the changes in npm 7 as shared in the article carefully and create a PR soon.

Hi @mgdodge sorry that v7 support took a while, I have published a new version v1.7.0 that supports both npm v6 and v7 altogether: a39b56f. Please install and use the latest version.

Cheers,
Mok