.npmrc removes vulnerable packages statement during npm install

Time:09-14

If I remove the .npmrc file and do "npm install", it shows me the found vulnerabilities.

When I include my .npmrc file, which has only the registry URL, and do "npm install", I can't see the vulnerable packages. Maybe I am missing some config in the file that has to be there. I tried several configs yet cannot see the vulnerable packages.

[Screenshot: npm install output without .npmrc file]

[Screenshot: npm install output with .npmrc file]

My .npmrc file, which I added, is only a one-liner:

registry = <my_registry_url>

I'd like to know what I am missing.

CodePudding user response:

The other registry doesn't support the audit endpoint, so npm doesn't know how to ask it to audit your package selection.

If you say npm i --verbose ..., you'll notice it doing

npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 234ms
npm timing auditReport:getReport Completed in 236ms
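
As an added example (not part of the original answer and not npm's own code), the script below scans `npm install --verbose` output for the audit request the answer points to and reports which registry answered it. The log samples and the host registry.example.internal are constructed, and treating any POST under /-/npm/v1/security/ as an audit call is an assumption.

```javascript
// Added example: classify npm's audit request in `npm install --verbose` output.
// Matches the log line shape shown in the answer above:
//   npm http fetch POST <status> <url> <duration>ms
const FETCH_LINE = /^npm http fetch (\S+) (\d{3}) (\S+) (\d+)ms/;

// Assumption: any path under /-/npm/v1/security/ is an audit call
// (the answer shows .../security/advisories/bulk).
const AUDIT_PATH = '/-/npm/v1/security/';

// Return every audit POST found in the log, with the host that received it.
function findAuditRequests(logText) {
  const hits = [];
  for (const line of logText.split(/\r?\n/)) {
    const m = FETCH_LINE.exec(line.trim());
    if (!m) continue;
    let url;
    try { url = new URL(m[3]); } catch { continue; } // skip unparsable URLs
    if (m[1] !== 'POST' || !url.pathname.includes(AUDIT_PATH)) continue;
    hits.push({ host: url.host, path: url.pathname, status: Number(m[2]) });
  }
  return hits;
}

// Summarise: was an audit attempted, and did the registry answer with 2xx?
function auditVerdict(logText) {
  const hits = findAuditRequests(logText);
  if (hits.length === 0) return 'no-audit-request';
  const ok = hits.find((h) => h.status >= 200 && h.status < 300);
  return ok ? `audited-by:${ok.host}` : `audit-failed:${hits[0].host}:${hits[0].status}`;
}

// Constructed sample logs (registry.example.internal is a placeholder host).
const PUBLIC_LOG = [
  'npm http fetch GET 200 https://registry.npmjs.org/left-pad 120ms (cache miss)',
  'npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 234ms',
  'npm timing auditReport:getReport Completed in 236ms',
].join('\n');

const PRIVATE_LOG = [
  'npm http fetch GET 200 https://registry.example.internal/left-pad 95ms (cache miss)',
  'npm http fetch POST 404 https://registry.example.internal/-/npm/v1/security/advisories/bulk 40ms',
  'npm timing auditReport:getReport Completed in 42ms',
].join('\n');

console.log(auditVerdict(PUBLIC_LOG));
console.log(auditVerdict(PRIVATE_LOG));
```

A result of `audit-failed` or `no-audit-request` means the install can succeed while the vulnerability summary is silently absent, which is the situation described in the question.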