
[BUG](arborist) audit does not always include all known vulnerabilities  #4266

Open
@G-Rath

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When a package has multiple known vulnerabilities that match the version of the package installed, npm audit does not always show them (I currently suspect it's if those vulnerabilities have the same vulnerable_versions range).

Expected Behavior

All known & relevant vulnerabilities are shown/included in output.

Steps To Reproduce

  1. npm init -y
  2. npm install [email protected]
  3. npm audit
  4. See that there is only one vulnerability shown, but there are three in the audit report that have the same vulnerable_versions range.

Environment

  • npm: 7.24.2 & 8.3.0
  • Node: 16.0.0
  • OS: Ubuntu 18.04
  • platform: Windows (WSL)

Metadata

Assignees

No one assigned

Labels

  • Needs Triage (needs review for next steps)
  • ws:arborist (Related to the arborist workspace)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests