Doesn't work with npm@7 and above [work almost finished, see @next tag on npm] #34
Comments
|
Great to hear you're using npm-audit-resolver. About npm7 - looks like the format of audit json changed. |
|
Found this enlightening - https://uko.codes/dealing-with-npm-v7-audit-changes
Get Outlook for Android<https://aka.ms/ghei36>
…________________________________
From: Zbyszek Tenerowicz <[email protected]>
Sent: Tuesday, February 9, 2021 12:15:48 AM
To: naugtur/npm-audit-resolver <[email protected]>
Cc: mgdodge <[email protected]>; Author <[email protected]>
Subject: Re: [naugtur/npm-audit-resolver] Doesn't work with npm@7 (#34)
Great to hear you're using npm-audit-resolver.
I've built it in my hobby time and am working to get it built into nom and other package managers. It's a slow moving initiative tho.
About npm7 - looks like the format of audit json changed.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub<#34 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAKB7W5PKC5M2S6K4Y6FRIDS6DOKJANCNFSM4XKBHZHQ>.
|
|
Thanks for the link. The output from npm7 makes some core audit-resolver features impossible. Resolver is taking care of the dependency tree paths in which things get installed so that it reports the vulnerability as not-ignored if it finds it in a different dependency path (a new package starts using the ignored thing so maybe you no longer want to ignore it). |
|
Frustrating. Guess I'll be sticking to npm 6 for now. This utility has been invaluable to a number of projects I have been working on, so I'm not migrating them to npm 7 until I can ensure a similar audit experience. |
|
Is it worth doing a patch-level release to update the README and tell people it won't work properly with npm 7? |
|
yup, I'll do that. I'm also considering getting a limited version out without the path protection, but wanted to talk to npm folks first. |
|
I might have a way. |
|
I'll see if I can find a project that can easily be converted to a minimal example, then create a sample repo. |
|
@mgdodge All I need is the npm audit --json output from npm6 and npm7 on your project, so if you feel comfortable sharing with me (doesn't have to be public) the list of your vulns at a point in time, It'd be enough. |
|
Here is a gist with two example https://gist.github.com/mgdodge/9d0601e76198af918f2542a5503c9f9e The repo this is based off of is actually for a vue bug I reported a few months ago - https://github.com/mgdodge/rollup-plugin-vue-treeshake-bug-vue3. If you want/need a full checkout of the project to try running |
|
Thanks. Protecting against this was the main reason why audit-resolver was created. Ignoring was possible in much simpler ways. |
|
Could that information be derived from the |
|
@jakawell yes, that's the only option left, but correlating it with the right info from audit and the resolve.json file is going to be a lot of work. |
|
Not to rain on the parade, but the (Edit:) Looks like the file is backwards compatible, so that's good news. And the first linked post seems to indicate the new info maps packages "relative locations" which may or may not help in the audit process. |
|
Bumping for an update on this issue, I'm also experiencing it with |
|
No need for confirmation. I'll work with npm folks to see if they could expose more info from new audit, if not, I'd have to read it from the package lock. It'll take a week or two to figure it out and then the implementation. |
|
Update - I think I now know how to recover the missing information by re-indexing the current format. I'll give it a try. |
|
How large do you need? I can look today for a few sizes of output. With the recent |
|
@mgdodge well, the only limitation is what you feel comfortable sharing. It's a list of vulnerabilities in an app afterall. Send whatever, 3 examples I didn't artificially create is better than 1 :) |
|
@naugtur would adding I've ran into this after updating |
|
Yes, installing npm 6 helps. |
|
Good news @here I've published an early version with npm7 support. Individual package fixing is not implemented, but otherwise it should work. Check the v3 prerelease by installing |
|
Looks like it's working for us. I tested it with npm 6 and 7 and it appears to work. I thought it was finding extra vulnerabilities in npm@7, but it turns out our scoped packages in our private repo were being reported as 00unidentified in 6, but with their actual package name in 7, so that's good! |
|
Yes, npm decided to stop scrambling private packages. But thanks for cross-checking. I don't have capacity to do solid testing. Let me know whatever you notice! |
|
Because it's using a git url for audit-resolve-core, I'm unable to get the prerelease to work in Azure pipelines, as I get this error when it runs |
feat(mojaloop/#2092): upgrade nodeJS version for core services - mojaloop/project#2092 - standardised CI scripts - fixed lint issues - updated .nvmrc to latest LTS version - added standard CI scripts/config to package.json: release, snapshot, standard-version, etc - updated gitignore to include test/results and IGNORE patterns - added useUnknownInCatchVariables config to tsconfig to support current code style - updated README with standard auto-release information Notes: - npm-audit-resolver v3.0.0-7 is a candidate release to resolve compatibility with npm v7+ as described in naugtur/npm-audit-resolver#34. This will need to be addressed going forward as `npm run audit:resolve` (i.e. `resolve-audit`) is currently not functioning. As a work-around, we need to manually run the following command `npm audit fix`. The `npm run audit:check` (i.e. `check-audit`) still works as expected. BREAKING CHANGE: major version bump for node v16 LTS support, and re-structuring of project directories to align to core Mojaloop repositories!
feat(mojaloop/#2092): upgrade nodeJS version for core services - mojaloop/project#2092 - standardised CI scripts - fixed lint issues - updated .nvmrc to latest LTS version - added standard CI scripts/config to package.json: release, snapshot, standard-version, etc - updated gitignore to include test/results patterns - updated README with standard auto-release information Notes: - npm-audit-resolver v3.0.0-7 is a candidate release to resolve compatibility with npm v7+ as described in naugtur/npm-audit-resolver#34. This will need to be addressed going forward as `npm run audit:resolve` (i.e. `resolve-audit`) is currently not functioning. As a work-around, we need to manually run the following command `npm audit fix`. The `npm run audit:check` (i.e. `check-audit`) still works as expected. - Added "@hapi/catbox", "@hapi/catbox-memory" to ncurc for dep:check to ignore updates due to breaking changes which should be handled by another story BREAKING CHANGE: major version bump for node v16 LTS support, and re-structuring of project directories to align to core Mojaloop repositories!
feat(mojaloop/#2092): upgrade nodeJS version for core services - mojaloop/project#2092 - standardised CI scripts - fixed lint issues - updated .nvmrc to latest LTS version - added standard CI scripts/config to package.json: release, snapshot, standard-version, etc - updated gitignore to include test/results and IGNORE patterns - added useUnknownInCatchVariables config to tsconfig to support current code style - updated README with standard auto-release information Notes: - npm-audit-resolver v3.0.0-7 is a candidate release to resolve compatibility with npm v7+ as described in naugtur/npm-audit-resolver#34. This will need to be addressed going forward as `npm run audit:resolve` (i.e. `resolve-audit`) is currently not functioning. As a work-around, we need to manually run the following command `npm audit fix`. The `npm run audit:check` (i.e. `check-audit`) still works as expected. BREAKING CHANGE: major version bump for node v16 LTS support, and re-structuring of project directories to align to core Mojaloop repositories!
feat(mojaloop/#2092): upgrade nodeJS version for core services - mojaloop/project#2092 - standardised CI scripts - fixed lint issues - updated .nvmrc to latest LTS version - added standard CI scripts/config to package.json: release, snapshot, standard-version, etc - updated gitignore to include test/results and IGNORE patterns - added useUnknownInCatchVariables config to tsconfig to support current code style - updated README with standard auto-release information - Fixed imports - Added 'serialize-error' to ncurc for dep:check to ignore future updates - this is because v9+ only supports ESM loaders and not CJS. This will need to be addressed in a future story. - Aligned jest config to moja standard - Cleaned up Package.json - Added 'prepublishOnly' script to package.json to ensure that dist is build prior to publishing - Updated tsconfig to latest standards Notes: - npm-audit-resolver v3.0.0-7 is a candidate release to resolve compatibility with npm v7+ as described in naugtur/npm-audit-resolver#34. This will need to be addressed going forward as `npm run audit:resolve` (i.e. `resolve-audit`) is currently not functioning. As a work-around, we need to manually run the following command `npm audit fix`. The `npm run audit:check` (i.e. `check-audit`) still works as expected. - 'serialize-error' version is fixed to v8.1.0, this is because v9+ only supports ESM loaders and not CJS. This will need to be addressed in a future story. BREAKING CHANGE: major version bump for node v16 LTS support, and re-structuring of project directories to align to core Mojaloop repositories!
feat(mojaloop/#2092): upgrade nodeJS version for core services - mojaloop/project#2092 - standardised CI scripts - fixed lint issues - updated .nvmrc to latest LTS version - added standard CI scripts/config to package.json: release, snapshot, standard-version, etc - updated gitignore to include test/results patterns - updated README with standard auto-release information - resolved audits - cleaned up package.json - updated links in changelog to point correctly to mojaloop issue repo - renamed .ncurc.json to .ncurc.js to add comment-note about the @hapi/catbox* issue as described in the notes below Notes: - npm-audit-resolver v3.0.0-7 is a candidate release to resolve compatibility with npm v7+ as described in naugtur/npm-audit-resolver#34. This will need to be addressed going forward as `npm run audit:resolve` (i.e. `resolve-audit`) is currently not functioning. As a work-around, we need to manually run the following command `npm audit fix`. The `npm run audit:check` (i.e. `check-audit`) still works as expected. - Added "@hapi/catbox", "@hapi/catbox-memory" to ncurc for dep:check to ignore updates due to breaking changes which should be handled by another story BREAKING CHANGE: major version bump for node v16 LTS support, and re-structuring of project directories to align to core Mojaloop repositories!
feat(mojaloop/#2092): upgrade nodeJS version for core services - mojaloop/project#2092 - removed unused files - removed unused dependencies - re-aligned package.json - added replace dependency - added IGNORE and test/result patterns to gitignore - re-aligned lint standards config - re-aligned tsconfig Notes: - npm-audit-resolver v3.0.0-7 is a candidate release to resolve compatibility with npm v7+ as described in naugtur/npm-audit-resolver#34. This will need to be addressed going forward as npm run audit:resolve (i.e. resolve-audit) is currently not functioning. As a work-around, we need to manually run the following command npm audit fix. The npm run audit:check (i.e. check-audit) still works as expected. BREAKING CHANGE: major version bump for node v16 LTS support, and re-structuring of project directories to align to core Mojaloop repositories!
feat(mojaloop/#2092): upgrade nodeJS version for core services - mojaloop/project#2092 - removed unused files - removed unused dependencies - re-aligned package.json - added replace dependency - added IGNORE and test/result patterns to gitignore - re-aligned lint standards config - re-aligned tsconfig Notes: - npm-audit-resolver v3.0.0-7 is a candidate release to resolve compatibility with npm v7+ as described in naugtur/npm-audit-resolver#34. This will need to be addressed going forward as npm run audit:resolve (i.e. resolve-audit) is currently not functioning. As a work-around, we need to manually run the following command npm audit fix. The npm run audit:check (i.e. check-audit) still works as expected. BREAKING CHANGE: major version bump for node v16 LTS support, and re-structuring of project directories to align to core Mojaloop repositories!
feat(mojaloop/#2092): upgrade nodeJS version for core services - mojaloop/project#2092 - Update ci machines/slack announcements/automated releases - Bumped dependencies - Major bump since big dep version leap - Removed eslint rc/ignore since library uses standard and has no ts types and as such does not need these. Notes: - npm-audit-resolver v3.0.0-7 is a candidate release to resolve compatibility with npm v7+ as described in naugtur/npm-audit-resolver#34. This will need to be addressed going forward as npm run audit:resolve (i.e. resolve-audit) is currently not functioning. As a work-around, we need to manually run the following command npm audit fix. The npm run audit:check (i.e. check-audit) still works as expected. - Primarily had to update `node-rdkafka`>=2.11 to support node 16 which one of the 3ppi services depends on. - Tape dependency has been added to the ncurc config to ignore dep:checks as v5+ will cause tests to fail. To be addressed by a future story. BREAKING CHANGE: major version bump for node v16 LTS support, and re-structuring of project directories to align to core Mojaloop repositories!
feat(mojaloop/#2092): upgrade nodeJS version for core services - mojaloop/project#2092 - standardised CI scripts - fixed lint issues - updated .nvmrc to latest LTS version - added standard CI scripts/config to package.json: release, snapshot, standard-version, etc - updated gitignore to include test/results and IGNORE patterns - updated README with standard auto-release information - Fixed imports - Cleaned up Package.json - updated links in CHAGNGELOG to correctly point to project repo Notes: - npm-audit-resolver v3.0.0-7 is a candidate release to resolve compatibility with npm v7+ as described in naugtur/npm-audit-resolver#34. This will need to be addressed going forward as `npm run audit:resolve` (i.e. `resolve-audit`) is currently not functioning. As a work-around, we need to manually run the following command `npm audit fix`. The `npm run audit:check` (i.e. `check-audit`) still works as expected. BREAKING CHANGE: major version bump for node v16 LTS support, and re-structuring of project directories to align to core Mojaloop repositories!
feat(mojaloop/#2092): upgrade nodeJS version for core services - mojaloop/project#2092 - standardised CI scripts - fixed lint issues - updated .nvmrc to latest LTS version - added standard CI scripts/config to package.json: release, snapshot, standard-version, etc - updated gitignore to include test/results and IGNORE patterns - updated README with standard auto-release information - Fixed imports - Cleaned up Package.json - updated links in CHANGELOG to correctly point to project repo - Removed "secrets" (i.e. JWS Signing Keys) as we don't want anybody to accidentally use a "test" key. Rather have an error thrown and for people to explicitly configure their own keys. This does mean that I had to add a "dummy" (with no meaningful body) key file that is empty for unit tests to pass, and will have no impact on the docker image of the service (i.e. it will fail if JWS is enabled, and no Key is injected/configured). Notes: - npm-audit-resolver v3.0.0-7 is a candidate release to resolve compatibility with npm v7+ as described in naugtur/npm-audit-resolver#34. This will need to be addressed going forward as `npm run audit:resolve` (i.e. `resolve-audit`) is currently not functioning. As a work-around, we need to manually run the following command `npm audit fix`. The `npm run audit:check` (i.e. `check-audit`) still works as expected. - 'get-port' dependency version is fixed to v5.1.1, this is because v9+ only supports ESM loaders and not CJS. This will need to be addressed in a future story. - Helm chart mountPaths need to be updated from `/opt/ml-api-adapter` to `/opt/app` as follows: ```YAML volumeMounts: - mountPath: /opt/app/config name: <deployment-name> - mountPath: /opt/app/secrets <-- only required for the notification service name: jws-signing-key ``` BREAKING CHANGE: Major version bump for node v16 LTS support, re-structuring of project directories to align to core Mojaloop repositories and docker image now uses `/opt/app` instead of `/opt/ml-api-adapter` which will impact config/secret mounts.
|
The issue with IDs should now be behind us, I'm getting ready to finish off v3 and get it published. |
|
Is npm7 still maintained? The last release (npm v7.24.2) was 1 year ago. Given that Node 16 enters maintenance phase in 60 days, and even it ships with npm v8, is there any need to support npm v7? |
naugtur
changed the title
|
Edited the title. @joebowbeer |
|
@naugtur , with npm 9 just being released, I'm curious if they've messed with the audit format again. I think historically there's enough data here to verify things, curious if you've got an eye on that or not. |
|
My eyes were elsewhere mostly. Thanks for bringing it up. |
|
@mgdodge seems to be working with npm9 |
|
I notice that Node 18.14.0 comes bundled with npm v9 The npm v9 lockfileVersion is still 2, right? https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json#lockfileversion |
|
audit resolver doesn't depend on the lockfile format, that's the whole reason behind going through the hassle of calling the cli commands - they're the most stable API surface available. |
|
Can this be closed as completed? |
|
I think it finally can, with some ugly fixes for npm6 tests... |
Using nvm to run node 14, but update npm to latest version (v 7.5.3). Project already has audit-resolve.json file. Running
check-auditresults in the following:That log file contains the following:
Have a variety of projects, some using
check-auditin commit hooks like this, others using it in CI build hooks - really causing a lot of issues!The text was updated successfully, but these errors were encountered: