First use question: npq i npq

[baruchiro]

I wanted to test this great tool, so I ran npq I npq and here is the result:

❯ npq i npq
  ✔ Checking package maturity
  ✔ Identifying package author...
  ✔ Checking package download popularity
  ✔ Checking availability of a LICENSE
  ✔ Checking availability of a README
  ✔ Identifying package repository...
  ✖ Checking package for pre/post install scripts
  ✖ Checking for known vulnerabilities
Detected possible issues with the following packages:
  [npq@latest]
    - detected a possible malicious intent script, act carefully: postinstall: node scripts/postinstall.js
    - 1 vulnerabilitie(s) found: https://snyk.io/vuln/npm:npq

I understand the postinstall script, although I didn't see it in action, don't know why (npm --version -> 6.14.14).

But about the Snyk vulnerabilities, I don't see any vulnerability here: https://snyk.io/vuln/npm:npq. Is it a bug?

[lirantal]

The public test page doesn't show indirect vulnerabilities, which npq has if you test it with Snyk:

❯ snyk test npq@2.0.23

Testing npq@2.0.23...

✗ High severity vulnerability found in ansi-regex
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
  Introduced through: listr@0.14.3
  From: listr@0.14.3 > listr-update-renderer@0.5.0 > log-update@2.3.0 > wrap-ansi@3.0.1 > strip-ansi@4.0.0 > ansi-regex@3.0.0
  From: listr@0.14.3 > listr-update-renderer@0.5.0 > log-update@2.3.0 > wrap-ansi@3.0.1 > string-width@2.1.1 > strip-ansi@4.0.0 > ansi-regex@3.0.0


Project path:      npq@2.0.23

Tested npq@2.0.23 for known vulnerabilities, found 1 vulnerability, 2 vulnerable paths.

Tip: Run `snyk wizard` to address these issues.

However, the Advisor does show direct and indirect and you can see it here: https://snyk.io/advisor/npm-package/npq
Would you like to shoot out a pull request to update the link that npq generates to use the advisor as a base?

[baruchiro]

OK, I just want to take one more step. In my opinion, the Snyk Advisor is showing more information than we are talking about. I mean, the log said "found vulnerability" but then you might confuse the user by giving him a link to the advisor with a lot of info.

I think this link is better: https://snyk.io/test/npm/npq
Also, I want to see if npq supports generating link-per-version, such us https://snyk.io/test/npm/npq/2.0.23

[lirantal]

I'm happy to go with the test pages if you think the Advisor really confuses people. I actually think it provides them more metadata as npq pertains to provide, like details about the README, whether there's a GitHub repository associated etc. Plus, I'm hoping in the future to incorporate some of that data and health score into npq's own tests. It would seem to me that the Advisor is a more holistic view for a package than specifically the security test/vuln pages.

[baruchiro]

Also, a note (consider converting all this thread to issue):

❯ yarn add -D @noxify/gridsome-plugin-remark-embed
  ✔ Checking package maturity
  ✔ Identifying package author...
  ✔ Checking package download popularity
  ✔ Checking availability of a LICENSE
  ✔ Checking availability of a README
  ✔ Identifying package repository...
  ✔ Checking package for pre/post install scripts
  ✖ Checking for known vulnerabilities
Detected possible issues with the following packages:
  [@noxify/gridsome-plugin-remark-embed@latest]
    - 2 vulnerabilitie(s) found: https://snyk.io/vuln/npm:%40noxify%2Fgridsome-plugin-remark-embed

The link is 404 when I'm opening it directly from the terminal (maybe it is related to the Terminal configs).

[lirantal]

Looks like a case of double encoding, yeah. That's a separate issue but thanks for reporting in!