After doing some programming for the day, I noticed that running npm audit on a number of my React projects was always returning 0 vulnerabilities. I found this extremely odd, especially since one project earlier that day had 8 vulnerabilities. I checked all of the projects in the folder where I keep my programming repositories and, even more oddly, the same issue persisted, with npm audit returning 0 vulnerabilities in all projects.
I tried uninstalling Node.js, as well as clearing the npm and npm-cache folders in AppData/Roaming, which resulted in the same problem persisting. Knowing that I had an old repository that had not been updated in years, I cloned the repository, tried installing dependencies, and 0 vulnerabilities were found again. I also tried two other methods: installing an older version of an npm package to see if I could replicate getting some sort of npm audit vulnerability, and looking at the GitHub advisories for out-of-date packages that would trigger a vulnerability. Moreover, I tried initializing a new project with create-react-app, which to my understanding still has a number of vulnerabilities, and despite trying all three of those methods, the same issue persisted.
node version = v20.12.2
npm version = 10.5.0 + also tried 10.6.0
I'm kind of at a loss on how to think about this issue. Maybe it's an npm configuration issue, or I ran a command on accident in my workflow? Running commands like npm install, npm uninstall, npm run dev or npm start seems to work just fine. I have tried looking at the configuration options around npm audit but I have not been able to find any specific issues.
2 Answers
It's not you, it is npm. There are reports on Twitter of others having the same issue where no vulnerabilities are reported even though there are some.
There is an issue opened for the same: https://github.com/yarnpkg/yarn/issues/9054
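The question and the answer both come down to the same problem: a "0 vulnerabilities" result is indistinguishable from "the advisory source returned nothing". The script below is an added example for this thread, not code from the asker, the answerer, or npm; it parses the auditReportVersion 2 JSON that `npm audit --json` emits (npm 7 and later) and refuses to trust a zero count unless a deliberately pinned "canary" dependency, one the project knows carries an advisory, shows up in the findings. The canary package name, the advisory text and the two sample reports are constructed placeholders, not real packages or real npm output.

```python
"""
Sanity-check an `npm audit --json` report so that a bare "0 vulnerabilities"
is not taken at face value.

Added example for this thread, not code from the question, the answer or npm.
It assumes the auditReportVersion 2 JSON layout that npm 7+ emits and a
"canary" dependency (placeholder name below) that the project deliberately
pins at a version known to carry an advisory: if the canary is installed but
audit reports nothing, the advisory data source, not the project, is what
changed.
"""
import json
import subprocess
from typing import Any

SEVERITIES = ("info", "low", "moderate", "high", "critical")


def run_npm_audit(project_dir: str = ".") -> dict[str, Any]:
    """Run `npm audit --json` in project_dir and parse the report.

    npm exits non-zero when it finds vulnerabilities, so the exit code is
    deliberately ignored; only unparsable output is treated as a failure.
    """
    proc = subprocess.run(
        ["npm", "audit", "--json"],
        cwd=project_dir, capture_output=True, text=True, check=False,
    )
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError as exc:
        raise RuntimeError(
            f"npm audit produced no JSON report: {proc.stderr.strip()}"
        ) from exc


def summarize(report: dict[str, Any]) -> dict[str, int]:
    """Return per-severity counts from report['metadata']['vulnerabilities']."""
    meta = report.get("metadata", {}).get("vulnerabilities", {})
    counts = {sev: int(meta.get(sev, 0)) for sev in SEVERITIES}
    counts["total"] = int(meta.get("total", sum(counts.values())))
    return counts


def assess(report: dict[str, Any], canary: str) -> tuple[str, str]:
    """Classify a report as 'ok', 'findings' or 'suspect'.

    'suspect' means the report is malformed, or the canary package (known to
    carry an advisory) is missing from the findings, so a 0 must not be
    trusted. Pass canary="" to disable the canary check.
    """
    if "auditReportVersion" not in report or "metadata" not in report:
        return "suspect", "report lacks auditReportVersion/metadata; audit endpoint may have failed"
    counts = summarize(report)
    vulns = report.get("vulnerabilities", {})
    if canary and canary not in vulns:
        return "suspect", f"canary {canary!r} not flagged; advisory data likely unavailable"
    if counts["total"] == 0:
        return "ok", "no vulnerabilities reported"
    worst = next((sev for sev in reversed(SEVERITIES) if counts[sev] > 0), "unknown")
    return "findings", f"{counts['total']} vulnerabilities, worst severity {worst}"


# Constructed sample reports (not real npm output) so the check runs offline.
CANARY = "canary-vulnerable-pkg"  # placeholder name for the pinned canary
HEALTHY_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        CANARY: {
            "name": CANARY, "severity": "high", "range": "<1.0.1",
            "fixAvailable": True, "via": [{"title": "placeholder advisory"}],
        },
    },
    "metadata": {"vulnerabilities": {
        "info": 0, "low": 0, "moderate": 0, "high": 1, "critical": 0, "total": 1,
    }},
}
EMPTY_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {},
    "metadata": {"vulnerabilities": {
        "info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 0, "total": 0,
    }},
}

if __name__ == "__main__":
    for label, rep in (("healthy", HEALTHY_REPORT), ("empty", EMPTY_REPORT)):
        print(label, assess(rep, CANARY))
    # Against a real project: print(assess(run_npm_audit("."), CANARY))
```

In a CI job, treat "suspect" the same way as a failed audit rather than as a pass: the point of the canary is that a silently empty advisory feed, like the one in the linked issue, fails loudly instead of turning every project green.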