.nsprc seems to ignore exceptions when advisories have fields
dimitrisfasoulas opened this issue · 1 comments
dimitrisfasoulas commented
Having an .nsprc with the following format:
{ "1002373": "some notes" }
works. When I run it, the first thing I see is the advisory that the exception is in effect.
> better-npm-audit audit -p
Exception vulnerabilities ID(s): 1002373
[production mode enabled]
...
If I add fields then the exception is ignored.
Tried the following:
{
  "1002373": {
    "notes": "some note"
  }
}

{
  "1002373": {
    "active": true,
    "notes": "some note"
  }
}

{
  "1002373": {
    "active": true,
    "notes": "some note",
    "expiry": "2022-01-01"
  }
}
They all have the following output:
> better-npm-audit audit -p
[production mode enabled]
# npm audit report
lodash *
Severity: critical
Arbitrary code execution in lodash - https://github.com/advisories/GHSA-8p5q-j9m2-g8wr
No fix available
node_modules/lodash
formik >=1.4.0-0
Depends on vulnerable versions of lodash
node_modules/formik
poc-1 *
Depends on vulnerable versions of formik
node_modules/poc-1
poc-2 *
Depends on vulnerable versions of formik
node_modules/poc-2
yup <=0.5.1 || 0.19.0 - 1.0.0-alpha.1
Depends on vulnerable versions of lodash
node_modules/poc-2/node_modules/yup
node_modules/yup
5 critical severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
Some issues need review, and may require choosing
a different dependency.
1 vulnerabilities found. Node security advisories: 1002373
node version: v14.18.0
npm version: 7.24.2
dimitrisfasoulas commented
Please ignore this issue ...
Long hours and lack of coffee sometimes cause reading version 1.3.1 as 3.3.1 ... 😴
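The symptom in this thread is an exception file that is silently not applied: the `Exception vulnerabilities ID(s):` line is missing from the output. The check below is an added example, not code from the issue or from better-npm-audit; it compares the IDs configured in an .nsprc against that line so a CI job can flag the mismatch. The function names are hypothetical, the sample inputs are constructed from the output quoted above, and splitting multiple IDs on commas or whitespace is an assumption (the thread only shows a single ID).

```javascript
'use strict';

// Classify each .nsprc entry by the two shapes shown in the issue:
// a plain string note, or an object with fields such as active/notes/expiry.
function describeEntries(nsprcText) {
  const parsed = JSON.parse(nsprcText);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new TypeError('.nsprc must be a JSON object keyed by advisory ID');
  }
  return Object.entries(parsed).map(([id, value]) => {
    const isObj = value !== null && typeof value === 'object' && !Array.isArray(value);
    return { id, form: typeof value === 'string' ? 'string' : isObj ? 'object' : 'unknown' };
  });
}

// Pull the IDs out of the "Exception vulnerabilities ID(s): ..." line, if any.
// Assumption: several IDs would be separated by commas and/or whitespace.
function acknowledgedIds(auditOutput) {
  const m = /^Exception vulnerabilities ID\(s\):\s*(.+)$/m.exec(auditOutput);
  return m ? m[1].split(/[\s,]+/).filter(Boolean) : [];
}

// Entries configured in .nsprc that the tool did not report as exceptions.
function unacknowledged(nsprcText, auditOutput) {
  const seen = new Set(acknowledgedIds(auditOutput));
  return describeEntries(nsprcText).filter((entry) => !seen.has(entry.id));
}

// Constructed samples, based on the two outputs quoted in the issue.
const STRING_FORM = '{ "1002373": "some notes" }';
const OBJECT_FORM = '{ "1002373": { "active": true, "notes": "some note" } }';
const OUTPUT_APPLIED =
  'Exception vulnerabilities ID(s): 1002373\n[production mode enabled]\n';
const OUTPUT_IGNORED =
  '[production mode enabled]\n# npm audit report\n' +
  '1 vulnerabilities found. Node security advisories: 1002373\n';

for (const [name, cfg, out] of [
  ['string form', STRING_FORM, OUTPUT_APPLIED],
  ['object form', OBJECT_FORM, OUTPUT_IGNORED],
]) {
  const missing = unacknowledged(cfg, out);
  console.log(name + ':', missing.length === 0
    ? 'all configured exceptions were acknowledged'
    : 'not applied -> ' + missing.map((e) => e.id + ' (' + e.form + ' entry)').join(', '));
}
```

An entry reported here is not necessarily a bug in the tool; as the thread shows, the installed version may simply not understand the object form.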