The npm registry now supports npm audit
### Summary

`$ npm audit` is not supported currently.

This creates a parsing error on the backend side. See https://sentry.gitlab.net/gitlab/gitlabcom/issues/1636563 (internal)

`$ npm audit` can be run behind the scenes on `$ npm install`, see https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities#turning-off-npm-audit-on-package-installation

Note that the backend error is not shown on the user side; `npm audit` only reports 0 vulnerabilities:

```
$ npm audit
=== npm audit security report ===
found 0 vulnerabilities
in 1 scanned package
```
### Steps to reproduce

- Create an npm package in the GitLab npm packages registry
- Reference it in a second npm project and run `$ npm install`
- Optionally, run `$ npm audit`

### Example Project

https://gitlab.com/10io/npm_audit_bug
### What is the current bug behavior?

- This raises an error on the GitLab Packages Registry. See https://sentry.gitlab.net/gitlab/gitlabcom/issues/1636563 (internal)

### What is the expected correct behavior?

- The backend should accept this request.

### Relevant logs and/or screenshots
### Output of checks

This bug happens on GitLab.com
### Possible fixes

- The backend should reply with an empty array (weight 1)

or

- The backend should reply with the proper vulnerabilities. (More complex to implement, needs a small investigation)
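As an added illustration of the first fix (example code written for this issue, not GitLab's implementation), a minimal Ruby handler that accepts the audit payload and answers with a report carrying zero vulnerabilities instead of failing to parse. The request shape (`name`, `version`, `requires`, a nested `dependencies` tree, gzip-compressed body) and the report shape (`actions`, `advisories`, `muted`, `metadata`) are assumptions drawn from how the npm 6 client calls `/-/npm/v1/security/audits`; the issue itself does not document either, so check them against the npm client before relying on them. The sample payload is constructed. The handler also turns a malformed body into a 400 rather than the backend exception reported in Sentry.

```ruby
require 'json'
require 'zlib'
require 'stringio'

# Severity buckets the npm 6 audit report carries (assumption from the npm client).
EMPTY_VULN_COUNTS = {
  'info' => 0, 'low' => 0, 'moderate' => 0, 'high' => 0, 'critical' => 0
}.freeze

# Count every node in the nested "dependencies" tree npm posts, so the
# report's metadata reflects what the client actually sent.
def count_dependencies(tree)
  return 0 unless tree.is_a?(Hash)

  tree.sum do |_name, node|
    1 + count_dependencies(node.is_a?(Hash) ? node['dependencies'] : nil)
  end
end

# The npm client gzips the audit body; honour Content-Encoding before parsing.
def decode_body(body, content_encoding)
  raw = content_encoding == 'gzip' ? Zlib::GzipReader.new(StringIO.new(body)).read : body
  JSON.parse(raw)
end

# "Possible fix 1": accept the request and reply with an empty report.
# Returns a Rack-style [status, headers, body] triple.
def handle_npm_audit(body, content_encoding: nil)
  payload = decode_body(body, content_encoding)
  deps = count_dependencies(payload['dependencies'])
  report = {
    'actions' => [],
    'advisories' => {},
    'muted' => [],
    'metadata' => {
      'vulnerabilities' => EMPTY_VULN_COUNTS.dup,
      'dependencies' => deps,
      'devDependencies' => 0,
      'optionalDependencies' => 0,
      'totalDependencies' => deps
    }
  }
  [200, { 'Content-Type' => 'application/json' }, JSON.generate(report)]
rescue JSON::ParserError, Zlib::Error
  # A body we cannot decode is a client error, not a backend crash.
  [400, { 'Content-Type' => 'application/json' }, JSON.generate('error' => 'invalid audit payload')]
end

# Constructed sample payload: a project depending on one package from the
# GitLab registry, which itself pulls in one transitive dependency.
SAMPLE_PAYLOAD = {
  'name' => 'npm_audit_bug',
  'version' => '1.0.0',
  'requires' => { '@example/registry-pkg' => '^1.0.0' },
  'dependencies' => {
    '@example/registry-pkg' => {
      'version' => '1.0.0',
      'requires' => { 'util-lib' => '^2.0.0' },
      'dependencies' => { 'util-lib' => { 'version' => '2.0.0' } }
    }
  }
}.freeze

# Helper to build the gzip-compressed body the client would send.
def gzip(str)
  io = StringIO.new
  gz = Zlib::GzipWriter.new(io)
  gz.write(str)
  gz.close
  io.string
end

if __FILE__ == $PROGRAM_NAME
  status, _headers, json = handle_npm_audit(gzip(JSON.generate(SAMPLE_PAYLOAD)), content_encoding: 'gzip')
  puts status
  puts json
end
```

Run with `ruby npm_audit_stub.rb`; the printed report shows two counted dependencies and all severity counts at zero. The 400 branch matters for the security-relevant half of this issue: a registry that either crashes or quietly returns nothing leaves the user with a misleading "found 0 vulnerabilities", so an explicit client error is preferable to a silent fall-through.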