
[RRFC] npm audit <package> for a not yet installed package #223

Closed
Christian24 opened this issue Sep 9, 2020 · 5 comments · May be fixed by #232

Comments

@Christian24

Motivation ("The Why")

In some environments (aka corporate) the NPM Registry might be behind a firewall like Nexus Firewall (which automatically blocks vulnerable packages and responds to npm with status code 403). It would be nice to have the ability to query for vulnerabilities before installing a package.

Example

npm audit <package name> --remote
This would probably not have to report back a detailed report; a summary of vulnerabilities (low, moderate or high) would probably be enough.

How

Query npm audit for a not yet installed, single package.

Current Behaviour

There is nothing I am aware of.

Desired Behaviour

Report a summary of vulnerabilities for a not yet installed package back.

foo package security summary:

0 high vulnerabilities 
0 moderate vulnerabilities 
1 low vulnerability 

References

  • n/a
@darcyclarke darcyclarke added the Agenda will be discussed at the Open RFC call label Sep 16, 2020
@isaacs
Contributor

isaacs commented Sep 16, 2020

  • Should be a subcommand (ie, there may be a package named "fix")
  • Maybe attach this info to npm view?
  • Getting the full advisory set for the specified package and its deps is a little more work, but probably way more useful.
  • This is semver-minor, can come in a 7.x release.
  • much easier if we restrict it to using the new bulk advisory endpoint (since it won't require generating a complete package-lock tree shape, though we'd have to do that anyway to test deps and metavulns, so maybe not much of an issue)
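
The pre-install summary the RFC asks for, and the bulk-endpoint resolution isaacs suggests, as an added example. This is not npm's code and not the implementation from the linked PR. It assumes the registry's bulk advisory endpoint (POST to `/-/npm/v1/security/advisories/bulk` on registry.npmjs.org) takes a body of `{ "<name>": ["<version>", ...] }` and returns `{ "<name>": [advisory, ...] }` with `severity` and `vulnerable_versions` fields; the advisory data for the package "foo" below is a constructed sample in that shape, so the script runs offline. The semver matcher is a deliberately small subset (comparators ANDed by spaces, alternatives ORed by `||`), not the full grammar npm's `semver` package implements.

```javascript
// Added example (not npm's own code): summarise advisories for a package that is
// not yet installed, in the form the RFC above proposes.
//
// Assumed endpoint and shape (npm 7 resolves advisories this way):
//   POST https://registry.npmjs.org/-/npm/v1/security/advisories/bulk
//   body:     { "<name>": ["<version>", ...] }
//   response: { "<name>": [ { id, title, severity, vulnerable_versions, url }, ... ] }
// The response below is a constructed sample in that shape; nothing here touches the network.

const BULK_ADVISORY_URL = 'https://registry.npmjs.org/-/npm/v1/security/advisories/bulk';

// Constructed sample response for a hypothetical package "foo".
const SAMPLE_BULK_RESPONSE = {
  foo: [
    { id: 1001, title: 'Prototype pollution in foo', severity: 'low',
      vulnerable_versions: '<1.2.3', url: 'https://example.invalid/advisories/1001' },
    { id: 1002, title: 'ReDoS in foo pattern parser', severity: 'high',
      vulnerable_versions: '>=2.0.0 <2.4.1 || 3.0.0', url: 'https://example.invalid/advisories/1002' },
  ],
};

// Request body the bulk endpoint expects: package name -> versions to check.
function buildBulkRequest(name, versions) {
  return { [name]: versions };
}

// Compare two x.y.z versions numerically (prerelease tags are ignored here).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Minimal semver range check: comparators separated by spaces are ANDed,
// alternatives separated by "||" are ORed, a bare version means equality.
// Only <, <=, >, >=, = are handled; anything else is rejected rather than guessed.
function satisfies(version, range) {
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).filter(Boolean).every((comp) => {
      const m = /^(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)/.exec(comp);
      if (!m) throw new Error(`unsupported comparator: ${comp}`);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '<': return c < 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '>=': return c >= 0;
        default: return c === 0;
      }
    }));
}

const LEVELS = ['critical', 'high', 'moderate', 'low'];

// Count only the advisories whose vulnerable range covers the candidate version.
function summarize(name, version, bulkResponse) {
  const summary = { critical: 0, high: 0, moderate: 0, low: 0, advisories: [] };
  for (const adv of bulkResponse[name] || []) {
    if (!satisfies(version, adv.vulnerable_versions)) continue;
    // Fail closed: an advisory with an unrecognised severity is counted as high.
    const level = LEVELS.includes(adv.severity) ? adv.severity : 'high';
    summary[level] += 1;
    summary.advisories.push({ id: adv.id, title: adv.title, severity: level, url: adv.url });
  }
  return summary;
}

// Render the short summary the RFC describes.
function formatSummary(name, version, s) {
  const line = (n, level) => `${n} ${level} ${n === 1 ? 'vulnerability' : 'vulnerabilities'}`;
  return [
    `${name}@${version} security summary:`,
    line(s.critical, 'critical'),
    line(s.high, 'high'),
    line(s.moderate, 'moderate'),
    line(s.low, 'low'),
  ].join('\n');
}

// Pre-install gate: true when the candidate has advisories at or above the threshold,
// i.e. the case where a registry firewall would answer the install with a 403.
function shouldBlockInstall(summary, threshold = 'high') {
  const order = ['low', 'moderate', 'high', 'critical'];
  return order.slice(order.indexOf(threshold)).some((lvl) => summary[lvl] > 0);
}

console.log(`POST ${BULK_ADVISORY_URL}`, JSON.stringify(buildBulkRequest('foo', ['1.0.0'])));
console.log(formatSummary('foo', '1.0.0', summarize('foo', '1.0.0', SAMPLE_BULK_RESPONSE)));
```

Checking the candidate version against `vulnerable_versions` is the part that matters: the bulk endpoint returns every advisory ever filed for the name, so counting the raw list would flag `foo@2.5.0` for a range it is not in. Resolving the package's dependency tree and metavulns, which isaacs notes is the more useful (and more expensive) form, is out of scope for this example.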

@isaacs
Contributor

isaacs commented Sep 16, 2020

there may be a package named "fix"

Ah yes, there is: https://www.npmjs.com/package/fix

@darcyclarke darcyclarke removed the Agenda will be discussed at the Open RFC call label Sep 18, 2020
@darcyclarke
Contributor

darcyclarke commented Sep 18, 2020

Action items

@Christian24
Author

Thanks for the suggestions, @isaacs. I pretty much went with all of them for the RFC. @darcyclarke, I opened an RFC; I would call it a draft, so if you have any comments let me know :)

@ruyadorno
Contributor

Let's follow up with the conversation in the PR now 😊
