Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
If a project uses a resolved dependency that happens to have the same name as a package on npm, npm audit may give a false-positive vulnerability report.
More context / why this is important:
- The Microsoft Authentication Library for JS has this problem: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/msal-node-v3.8.6/package-lock.json
- The project has a package named electron-test-app that resolves to a folder within the same repository
- Unfortunately, there was also a malware package on npm with the same name
- If you run npm audit in the project directory, the cli tool will think that their project has a critical vulnerability
Expected Behavior
- It would be helpful if npm would see that the package with a resolved path is not the same as the package on npm, and not apply the package from npm's vulnerabilities to this local package.
- It seems like npm audit just goes by package name and version (and assumes that `package-name@version` is the same package as on the public repo), and doesn't consider resolved packages differently.
- I can see why this would be rather tricky to handle well, but maybe npm audit could have some kind of special case when the package resolves to a folder in the repository? Let me know what you think.
Steps To Reproduce
1. Set up files
Create a new folder and put these two files in it
package.json

```json
{
  "name": "resolved-linked-package",
  "dependencies": {
    "electron-test-app": "1.0.0"
  },
  "type": "module"
}
```

package-lock.json

```json
{
  "name": "resolved-linked-package",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "resolved-linked-package",
      "dependencies": {
        "electron-test-app": "1.0.0"
      }
    },
    "node_modules/electron-test-app": {
      "resolved": "resolved/electron-test-app",
      "link": true
    },
    "resolved/electron-test-app": {
      "version": "1.0.0"
    }
  }
}
```

2. Run npm audit
In the folder with the two json files, run
```
npm audit
```

Output:

```
$ npm audit
# npm audit report

electron-test-app  *
Severity: critical
Malware in electron-test-app - https://github.com/advisories/GHSA-77x6-rv23-5phh
No fix available
node_modules/electron-test-app
  resolved/electron-test-app

1 critical severity vulnerability

Some issues need review, and may require choosing
a different dependency.
```
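As an added example (not code from the npm project or from this report), here is a small triage script that reads a lockfileVersion 3 package-lock.json, finds the entries that are local links, and marks audit findings whose only affected nodes are such links for manual review instead of treating them as registry installs. The `npm audit --json` shape (`vulnerabilities[name].nodes`) and the extra `some-lib` package are assumptions added for contrast.

```javascript
// Added example, not npm project code: split `npm audit --json` findings into
// registry-backed ones and ones matched only by name@version against a local
// link. Assumption: audit JSON exposes `vulnerabilities[name].nodes` (npm 7+).

// Constructed lockfile mirroring the report, plus one registry-backed package.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "resolved-linked-package" },
    "node_modules/electron-test-app": { resolved: "resolved/electron-test-app", link: true },
    "resolved/electron-test-app": { version: "1.0.0" },
    "node_modules/some-lib": { version: "2.0.0", resolved: "https://registry.npmjs.org/some-lib/-/some-lib-2.0.0.tgz" },
  },
};

// Constructed `npm audit --json` excerpt: one finding per package above.
const auditReport = {
  vulnerabilities: {
    "electron-test-app": { name: "electron-test-app", severity: "critical", nodes: ["node_modules/electron-test-app"] },
    "some-lib": { name: "some-lib", severity: "high", nodes: ["node_modules/some-lib"] },
  },
};

// A `resolved` value is local when absent, a bare relative path, or a file: URL.
function isLocal(resolved) {
  return resolved === undefined || resolved.startsWith("file:") || !/^[a-z][a-z0-9+.-]*:/i.test(resolved);
}

// Map each link entry under node_modules to its in-repo target and version.
function localLinks(lockfile) {
  const links = new Map();
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!entry.link || !isLocal(entry.resolved)) continue;
    const target = lockfile.packages[entry.resolved];
    if (target && isLocal(target.resolved)) links.set(path, { target: entry.resolved, version: target.version });
  }
  return links;
}

// A finding whose every node is a local link was matched only by name@version,
// so it needs manual review rather than being treated as a registry install.
function triage(lockfile, report) {
  const links = localLinks(lockfile);
  const result = { needsReview: [], registryBacked: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    const nodes = v.nodes || [];
    const allLocal = nodes.length > 0 && nodes.every((n) => links.has(n));
    result[allLocal ? "needsReview" : "registryBacked"].push(v.name);
  }
  return result;
}
```

Running `triage(lock, auditReport)` on the constructed input puts `electron-test-app` under `needsReview` and `some-lib` under `registryBacked`; a real run would read both JSON files from disk.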
Extra information
While you can reproduce this issue with just package.json and package-lock.json, here's a zip file containing the folder structure of a more "practical" example that you can run, if it helps: nodejs-resolved-linked-package-minimal-example.zip
Environment
- npm: 11.7.0
- Node.js: v24.11.1
- OS Name: Mac OS Tahoe 26.2
- System Model Name: Macbook Pro
- npm config:

```
; node bin location = /Users/user/node-v24.11.1/bin/node
; node version = v24.11.1
; npm local prefix = /Users/user/nodejs-resolved-linked-package-minimal-example
; npm version = 11.7.0
; cwd = /Users/user/nodejs-resolved-linked-package-minimal-example
; HOME = /Users/user
; Run `npm config ls -l` to show all defaults.
```