
[RRFC] npm audit exclusions #227

@nfriedly

Description

Motivation ("The Why")

I would like for npm audit to have a way to resolve / acknowledge / ignore / exclude / omit / suppress certain advisories.

I maintain a package that an advisory was recently published for. The typical use is not vulnerable, but a less common usage is. At least one of my users has had trouble with upgrading to the fixed version. Their usage is not vulnerable and therefore an upgrade is not required. I would like to recommend excluding this advisory, but it doesn't seem possible with npm audit.

In my research, I saw that npm/npm-audit-report#38 was closed with a recommendation to post something here.

Example

nsp's .nsprc file had an exceptions field:

{
  "exceptions": [
    "https://nodesecurity.io/advisories/534"
  ]
}

The .snyk policy file similarly has an Ignore rule:

ignore:
  snyk-vulnid:
    - 'path > to > library':
        reason: 'text string'
        expires: 'datetime string'

How

Current Behaviour

The current behavior continues to show users irrelevant issues after they have evaluated the advisory and concluded that it does not apply to their use. This could lead to frustration with the tool as well as actual vulnerabilities being lost in the "noise".

Desired Behaviour

I'd be happy if it worked similarly to nsp, or if it was a field added to the package.json.

Snyk's reason, expiration date, and specific library matching may also be desirable; I don't have a strong opinion there.
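The desired behaviour sketched above, as an added example that is not part of the original issue or of npm itself: a small filter that applies an exceptions list (nsp-style advisory URLs or bare ids, with Snyk's reason, expires and path fields) to a constructed report shaped like npm 6's `npm audit --json`. The policy field names and the report shape are assumptions; expired exceptions are deliberately not honoured, so a stale acknowledgement surfaces the advisory again for re-evaluation.

```javascript
// Added illustration of the proposed exclusion policy (not npm's own code).
// Policy field names and the report shape (advisories keyed by id, each with
// findings[].paths, as npm 6 emitted) are assumptions; all data is constructed.

const policy = {
  exceptions: [
    // Evaluated: the vulnerable code path is not used in this project.
    { advisory: "https://nodesecurity.io/advisories/534",
      reason: "only a rarely used option is affected; we never set it",
      expires: "2099-01-01" },
    // Expired acknowledgement: must be re-evaluated, so it no longer suppresses.
    { advisory: 777, reason: "waiting for upstream fix", expires: "2000-01-01" },
    // Path-scoped: only the copy reached through lib-a is known to be harmless.
    { advisory: 888, path: "lib-a > lib-c", reason: "lib-a never passes user input" },
  ],
};

const report = { // constructed, npm-6-style audit output
  advisories: {
    534: { id: 534, module_name: "lib-x", severity: "moderate", findings: [{ paths: ["lib-x"] }] },
    777: { id: 777, module_name: "lib-y", severity: "high", findings: [{ paths: ["lib-y"] }] },
    888: { id: 888, module_name: "lib-c", severity: "low",
           findings: [{ paths: ["lib-a>lib-c", "lib-b>lib-c"] }] },
  },
};

// Canonical dependency path: strip whitespace around the ">" separator.
const normalizePath = (p) => p.split(">").map((s) => s.trim()).join(">");
// Accept a bare id or an advisory URL whose last segment is the id.
const advisoryId = (ref) => String(ref).split("/").pop();

function applyExceptions(report, policy, now = new Date()) {
  const remaining = {};
  const suppressed = [];
  for (const [id, adv] of Object.entries(report.advisories)) {
    // Only unexpired exceptions for this advisory count.
    const active = policy.exceptions.filter(
      (e) => advisoryId(e.advisory) === id && (!e.expires || new Date(e.expires) > now));
    const kept = [];
    for (const p of adv.findings.flatMap((f) => f.paths)) {
      const hit = active.find((e) => !e.path || normalizePath(e.path) === normalizePath(p));
      if (hit) suppressed.push({ id, path: p, reason: hit.reason });
      else kept.push(p);
    }
    // An advisory stays in the report while any of its paths is unexcepted.
    if (kept.length) remaining[id] = { ...adv, paths: kept };
  }
  return { remaining, suppressed };
}
```

Running `applyExceptions(report, policy)` leaves advisory 777 (expired exception) and the `lib-b>lib-c` instance of 888 in the report, while 534 and the `lib-a>lib-c` instance are recorded under `suppressed` with their reasons.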

References
