Npm Audit: broken by design?

I found that much of the underlying cause is those mass reporting regex denial of services as being high severity bugs.<p>So many people are reporting these in tons of different projects: <a href="https:&#x2F;&#x2F;github.com&#x2F;search?q=regex+denial+of+service&amp;type=issues" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;search?q=regex+denial+of+service&amp;type=iss...</a><p>Anyhow it is just annoying and they broke NPM Audit based on these reports.<p>It is good to fix all possible bugs, but many of these are not anywhere close to the level of bad that the reports are making them to be.<p>But maybe this is needed to just get rid of these issues in genera? So a wave of regex vulnerability reports and then we build this type of checking into prettier or similar and we do not have these in the future?<p>EDIT: It appears there as a project that found 100s of CVE reported Regex vulnerabilities in npm projects -- this is maybe one of the sources of mass reports. See the bottom of this resume: <a href="https:&#x2F;&#x2F;yetingli.github.io" rel="nofollow">https:&#x2F;&#x2F;yetingli.github.io</a>

Honestly, this hit me.<p>I&#x27;m not a react developer, I was experimenting with it for a new project. I finished the tic-tac-toe tutorial, then tried to throw bootstrap on top to build from there. It told me there was 97 vulnerabilities (85 moderate, 12 high)...<p>I just deleted the directory and went back to vanilla JS. This is a fun side project, I don&#x27;t need that.<p>My tweet about it: <a href="https:&#x2F;&#x2F;twitter.com&#x2F;preinheimer&#x2F;status&#x2F;1402785757962592256" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;preinheimer&#x2F;status&#x2F;1402785757962592256</a>

I guess we could have a documentary series!<p>Next up, <i>npm link: broken by design</i><p>Synopsis of the chapter: <i>A command with broken behavior that has been reported since as early as 2015, but that &quot;got lost&quot; every time the winds changed and the project decided to change where to manage bugs. What will happen in the latest attempt from an affected user? Tune in and be ready for an exciting ride!</i><p><a href="https:&#x2F;&#x2F;github.com&#x2F;npm&#x2F;cli&#x2F;issues&#x2F;2372" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;npm&#x2F;cli&#x2F;issues&#x2F;2372</a><p>Spoiler: bugs are not sentient beings that solve themselves just by closing the issue (or the whole issue tracker, for that matter).<p>EDIT to clarify: Sorry for the snarkyness. I just find it funny in a sarcastic way that up until I reported the issue in 2020, the issue had been reported repeatedly but &quot;lost&quot; in the way because the project closed or ignored the issue every time it changed issue tracker. Which happened <i>twice</i> since 2017! so go figure the amount of reports that had gone to waste. On the flip side, this time they haven&#x27;t changed platforms (yet), although the issue has been closed prematurely anyway.

&gt; Inline all dependencies during publish… From a maintainer’s point of view, the upsides are clear: you get faster boot time, smaller downloads, and — as a nice bonus — no bogus vulnerability reports from your users.<p>And when you inlined a version that later <i>really does</i> have a vulnerability, it is not easily flagged or fixed by your consumers.<p>The tension between &quot;upgrades (especially of indirect dependencies) might break&quot; and &quot;upgrades (especially of indirect dependencies) might be necessary to fix bugs or patch security vulnerabilities&quot; is real. There is no magic bullet to get around it. There are practices to try to balance it -- which generally involve ecosystem-wide commitment to backwards compatibility, reflected in semantic versioning (and minimizing major releases).<p>That npm dependency trees are often <i>insane</i> doesn&#x27;t help though. I&#x27;m not totally sure why they are so insane, but I increasingly think that npm&#x27;s ability to have <i>multiple versions of same dependency</i> in the dependency tree -- often seen as a huge advantage over other platforms -- is in fact part of the problem. It makes the dependency tree even more insane, and it also accomodates a false belief that it&#x27;s fine to lock to very specific versions of dependencies -- because it won&#x27;t prevent other dependencies from co-existing in tree with other conflicting requirements after all. Which then accomodates a false belief that dependency maintainers don&#x27;t need to worry too much about backwards compatibility, after all consumers can just lock to specific working versions... and now we wind up with insane dependency trees which depend on vulnerable versions in ways that require a whole bunch of releases to resolve.

Dan isn&#x27;t the first person to notice:<p><a href="https:&#x2F;&#x2F;www.voitanos.io&#x2F;blog&#x2F;don-t-be-alarmed-by-vulnerabilities-after-running-npm-install&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.voitanos.io&#x2F;blog&#x2F;don-t-be-alarmed-by-vulnerabili...</a><p>We disable [1] audit entirely because it&#x27;s not a good default behavior within a monorepo. It spams the hundreds of developers with the list of &quot;vulnerabilities&quot; on every install, but only a few folks should really be upgrading packages.<p>We then run audit in non-blocking CI and track the total number of issues and mostly focus on critical ones.<p>[1] <a href="https:&#x2F;&#x2F;docs.npmjs.com&#x2F;cli&#x2F;v7&#x2F;using-npm&#x2F;config#audit" rel="nofollow">https:&#x2F;&#x2F;docs.npmjs.com&#x2F;cli&#x2F;v7&#x2F;using-npm&#x2F;config#audit</a>

&gt; this “vulnerability” is absurd in this context<p>Yes that&#x27;s exactly the point. The audit tool has no awareness of the context and nor do the people who create severities.<p>If severities were absolute then there would be no reason for anyone to review them. You would simply upgrade your libraries and be done with it, but that can&#x27;t always be achieved nor may make business sense.<p>I do agree with the author&#x27;s note about providing a better way to provide feedback on severity reviews.<p>npm audit is better than no npm audit...telling people it&#x27;s broken by design is going to discourage them from using it completely. smh.

This is a general problem with many security scanning tools, and when a security team is empowered to give deadlines to fix any issue they report, leads to much frustration and poor relations in teams.<p>Imagine if you had 3 days to fix the regex DoS issue shown there, screw your release freeze and your current sprint plans, and you have the real working environment in some companies.<p>I&#x27;ve also heard reports of people trying to claim bug bounties for similar reports, or security vendors that run automated tools that detect for issues of similar (lack of) value.

Writing my comments in the snarky tone of the article.<p>So the article boils down to “a bunch of these vulnerabilities aren’t applicable to my app which is built using a specific NPM package”.<p>Congratulations. Welcome to the world of practical information security.<p>As a security engineer, we’re lucky if your favorite package manager even associates vulnerability information with your packages. Never mind that you’re pulling in code at build time from who-only-knows-where that almost certainly wasn’t security reviewed. But that’s for another post.<p>Now you have a package manager that is kind enough to tell you that there might be a vulnerability, and you’re upset because NPM did not have specific logic to understand the mechanics of one of the packages it manages? And the upshot is that you have to apply judgment and attention to each notification? Is that a tear in my eye- no, wait, it’s just an eyelash.<p>How many packages are there? I’m sure the NPM guys have nothing better to do than to build context awareness for every package in their repository.<p>In all seriousness, I would love to see context awareness in vulnerability reporting. But expecting a package manager to understand that because of your specific choice of framework, that the DoS could only be conducted by an admin of your app, seems unreasonable to me.

It&#x27;s a tricky problem to solve.<p>Ideally you&#x27;d want to show only relevant alerts, but... how? You&#x27;d need to know which kind of errors are relevant for a particular project, but that&#x27;d require solving the halting problem. This is made much worse by that it&#x27;s JS.<p>Some libraries have an enormous complexity and attack surface. Take a database interface -- there probably is a vulnerability in some obscure corner the typical person may not even know exists.<p>I think though at the very least some improvement could be made by better priorization and categorization. DoS by exploiting a regex parser isn&#x27;t that big of a deal if your project is just getting started, but an exploit allowing arbitrary code execution would still be.

We basically run it in CI... and then allow it to fail without failing the build. ¯\_(ツ)_&#x2F;¯<p>It seems like a lot of this has been designed for Node (backend) development, whilst ignoring the fact that NPM is probably used more heavily for front-end development at this point.

For those hoping to run npm audit in your CI&#x2F;CD pipeline, I recommend this tool from IBM: <a href="https:&#x2F;&#x2F;github.com&#x2F;IBM&#x2F;audit-ci" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;IBM&#x2F;audit-ci</a><p>In highly regulated industries, shipping code flagged as having a vuln without a manual approval could be a liability.<p>This wrapper around npm takes an allowlist argument, and our procedure is for an engineer to review the failing build, determine if the vulnerability (ugh, usually regex ddos or prototype pollution) is present in code that runs only at build time with trusted inputs, only on the client which is by definition untrusted, or in our webserver which takes in untrusted input.<p>As long as it&#x27;s either of the first two, we document it in a commit and comment and redeploy. It&#x27;s annoying, but it&#x27;s far better than npm audit forcing a fix.

Indeed, npm is not aware of the context of the vulnerabilities. That does not invalidate them, however, and mean they should be hidden. I&#x27;ve worked in offensive security for quite long enough (been a dev for 10+ years before) to tell you that your context, or the most common one, isn&#x27;t all that exist and someone&#x27;s going use it the way it makes the app vulnerable. Based on the article&#x27;s example, someone&#x27;s going to build an app that builds an app.<p>A vulnerability is a vulnerability, whether it applies to your context or not. A metaphor might be: &quot;The passenger door is broken on my car, but I&#x27;m the only one to use it&quot;. Seriously, who, in their right mind, is going to argue that the door isn&#x27;t broken?<p>- If your dependencies have security vulnerabilities, apply the updates.<p>- If you cannot update because there&#x27;s no fix available, let your org or you assess the risk and go from there.<p>- If you cannot update because it breaks your app, {find a replacement, fix it yourself, let your org or you assess the risk and from from there}.<p>A sensible org has a process that freezes releases until known security issues are fixed. Freezes can also be opposed by devs and are evaluated on a case-by-case basis (because sometimes they are not relevant to the product, or someone steps up to take the blame for incidents and the org agrees).<p>We might not like it because it disturbs the &quot;flow&quot;, but it&#x27;s just part of the engineering process. More to the point though, why not take this opportunity to teach newcomers how to code properly, pick well-engineered and -written programs, and handle this vulnerability management process altogether? In any case, I hope newcoming-dev is not going to push to prod anytime soon. ;)<p>edit: formatting

I&#x27;ve been saying this for years, especially to useless &quot;prototype polution&quot; notices being reported by npm audit. In a project where this &quot;pollution&quot; only happens on the nodejs side in our build tools, they are meaningless if our output is a browser JS bundle.

It sounds like npm needs a mitigated and irrelevant flag, these flags should include an explanation field. Security teams would also have to accept this as a solved&#x2F;fix status.<p>For projects you own you&#x27;d have to flag each dependency path though, because for example, one dependency may not have the input for the regex exposed to the end user, while another dependency could.<p>Maintainers of libraries should also flag the security issues, and an issue with these two statuses on them wouldn&#x27;t be raised by default. Options should be available to list them though for auditing.<p>For more security critical teams&#x2F;projects, a per project setting to alert about any issues the maintainers have flagged irrelevant or mitigated and you&#x27;d have to accept them before it it would stop alerting about them.

As someone who only had just gotten into front end programming after years of backend work, npm has been a nightmare. I haven&#x27;t experienced the same level of frustration with other package managers (pip, cargo, go mod, etc) as I have with npm.<p>Is yarn the better option? What is our path forward?

It doesn&#x27;t solve everything, but we use npm-audit-resolver[0] and it&#x27;s.. workable. It presents you vulnerabilities, offers to fix (upgrade the nested dependency) if a version exists that meets all the constraints, and gives you an option to ignore for a week&#x2F;month&#x2F;forever if no fix exists. Those decisions (including fixes, which is a bit silly) get recorded in a JSON file in source control. For each group of ignores we add a link to the relevant Github issue where it&#x27;s been reported, so if the ignore time we chose expires we can quickly go and see what the status is.<p>There are still problems:<p>- The decisions file gets unweildy, mainly because every time it fixes something it writes to the file. You probably only care about ignores. It&#x27;s also append only, though you could manually clear it down sometimes.<p>- It always defaults to fixing at the deepest level, which is.. not ideal for NPM. On my machine (a not very old Macbook Pro) NPM simply can&#x27;t update a dependency 20 layers deep in the tree, ie `npm update nested-dependency-from-hell --depth 20` will eventually time out and won&#x27;t fix anything. So you have to manually crawl up tree yourself and find the thing that can be updated - or just ignore it until the thing right at the top of the tree gets updated.<p>I&#x27;m not surprised to see Dan posting this though. I agree with everything he said, so I don&#x27;t mean this as an attack, but a lot of the time the thing at the top of the tree we&#x27;re waiting for an update on is create-react-app. It must be incredibly annoying how many Github issues get opened on that repo every time there&#x27;s a new NPM advisory on some 20-dependencies-deep parser it uses for something or other.<p>I do like the suggested fix that a maintainer can use their knowledge of the specific usage to say the vulnerability doesn&#x27;t apply. Often in these threads there&#x27;s a perfectly good explanation of why it isn&#x27;t a real issue, and then people come back with &quot;Okay but can you please update it anyway because I&#x27;m forced to audit and my security team&#x2F;CI are yelling at me&quot;.<p>[0] <a href="https:&#x2F;&#x2F;www.npmjs.com&#x2F;package&#x2F;npm-audit-resolver" rel="nofollow">https:&#x2F;&#x2F;www.npmjs.com&#x2F;package&#x2F;npm-audit-resolver</a>

&gt;&gt; Five false alarms wouldn’t be too bad.<p>&gt;&gt; Unfortunately, there are hundreds.<p>This is primarily a result of the absurd number of dependencies NPM encourages (requires?) people to use. The duplicates are also there in part because of the large number of dependencies and should not be shown more than once by the tool.<p>Stop building projects with an absurdly large dependency tree, this is just one problem that results from it.

npm is a bit nuts on its own. I started learning react this year and the course I&#x27;m taking had me install that create react app module or similar. It dragged in 1700 dependencies, and the folder for a hello world app was almost 90mb iirc. How can you possibly pretend you have any control over your app or it’s security in that situation?

So I don&#x27;t work as a security professional but what I remember from IT-sec class in uni is that in order to craft an exploit you need to be vulnerable and the vulnerability needs to be exploitable.<p>If I put a database with default credentials on the internet, there is both a vulnerability and it is exploitable. Bad. If I run a database with default credentials on my dev machine, it is vulnerable, but not exploitable. Perfectly fine.<p>For real security work you also need to think about impact. Hacker dropping production database = we all lose our jobs. Co-worker connecting to my computer and dropping database as a joke = no real harm done.<p>So three things to think about: - Vulnerability - Exploitability - Impact<p>What I really don&#x27;t like about npm audit is how it presents itself as &quot;security tool&quot; and how vulnerabilities are presented. &quot;6 critical, 10 high vulnerabilities&quot; with a red color screams &quot;fix me now!!!&quot;. This is not fair to users because npm has no idea of either the exploitability or the impact of the vulnerability.<p>Why present users with a prompt &quot;please fix me now!!&quot; and not even mention that exploitability and impact need to be measured first? Seems like they forgot that prompt...

It&#x27;s really disappointing to hear an important member of the javascript community not maintaining their library and then blaming npm when people rightfully complain about it.<p>This is like getting mad at the guidebook for showing which plants are weeds when your neighbors complain that your unmaintained garden is full of weeds.<p>If Dan says &quot;npm audit is a stain on the entire npm ecosystem&quot;, maybe it&#x27;s safe to say that Create React App is a stain on the entire react ecosystem. The best time to maintain it was every single month of its existence because that&#x27;s how you maintain software.<p>Facebook has abandoned Create React App. Dan stated that he intentionally does not maintain the project. Rather than complain about npm audit, they should give Create React App over to the community who actually use it instead of keeping it shambling along as a zombie with their name on it.<p>And if Facebook doesn&#x27;t want to give it up, the best thing we can do as a community is to move on to any of the other great tools available that are actually maintained.

Excellent rundown of many problems I&#x27;ve encountered in recent versions of npm and node.<p>I&#x27;ve never ever got `audit fix` or `audit fix --force` to solve any of the mentioned vulnerabilities. Ever. I even relied on downloading every dependency one by one to find that there where other offending packages. I just gave up.<p>It&#x27;s really useless and deceptive.

The title is &quot;Broken by Design&quot;. Then the author proceeds to explain how the design is actually reasonable and meant to work ok, and how the problem lies in the relevance and context of the vulnerabilities reported.<p>That doesn&#x27;t seem to be the meaning of &quot;broken by design&quot;.

It is just pure noise: Add `audit=false` to your ~&#x2F;.npmrc to disable it

Let&#x27;s talk about solutions. I&#x27;m late to the conversation here, responded on Twitter and went to sleep.<p>There&#x27;s a push to address the npm audit situation. It&#x27;s an initiative under the OpenJS Foundation. I kinda started the whole conversation by implementing a tool that makes it acceptable instead of ditching npm audit.<p>It&#x27;s called npm-audit-resolver and I&#x27;ve written about it here <a href="https:&#x2F;&#x2F;dev.to&#x2F;naugtur&#x2F;do-you-need-help-with-your-npm-audit-3olf" rel="nofollow">https:&#x2F;&#x2F;dev.to&#x2F;naugtur&#x2F;do-you-need-help-with-your-npm-audit-...</a><p>Also check out the collab space and the tool itself <a href="https:&#x2F;&#x2F;github.com&#x2F;openjs-foundation&#x2F;pkg-vuln-collab-space" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;openjs-foundation&#x2F;pkg-vuln-collab-space</a> <a href="https:&#x2F;&#x2F;www.npmjs.com&#x2F;package&#x2F;npm-audit-resolver" rel="nofollow">https:&#x2F;&#x2F;www.npmjs.com&#x2F;package&#x2F;npm-audit-resolver</a>

Agreed, you shouldn&#x27;t see low risk security warnings by default, they&#x27;re more appropriate for larger projects, with something to lose.<p>The [1] yarn package manager is much nicer to work with in many more ways.<p>[1] <a href="https:&#x2F;&#x2F;classic.yarnpkg.com&#x2F;en&#x2F;" rel="nofollow">https:&#x2F;&#x2F;classic.yarnpkg.com&#x2F;en&#x2F;</a>

So currently the algorithm is... check (dev)Dependencies and descendent&#x2F;transient dependencies to see if they exist in a security advisory database if they do, highlight and surface them to the user.<p>What are alternatives? A way to ignore or mark a dependency as safe? Could this be abused if an author can just mark a dependency as safe?<p>Or perhaps, actually analyze syntax with a tool like ESLint (parse -&gt; AST -&gt; validate) to check that dangerous parts of libraries are not in use? This solution comes with it&#x27;s own complications. Who is authoring these validations?<p>Perhaps there are other strategies I&#x27;m not aware of.

The the main problem is the fact that this audit happens with no context, and the audit results offer no information about the context an issue applies to either. Every issue should have a clear explanation about why and where it&#x27;s an issue, and be tagged. Then we&#x27;d just need a way to hint npm what context a package will be used in, similarly to what we already do for devDependencies.<p>Also going through an audit result in a CLI isn&#x27;t really the best experience. I wish I could just click a link and open up the report in a browser to drill down into issues.

The interaction is not the worse thing about npm audit. The security model of the tool has a big hole depending on how you use it: <a href="https:&#x2F;&#x2F;mulch.dev&#x2F;blog&#x2F;CVE-2020-5252-python-safety-vuln&#x2F;" rel="nofollow">https:&#x2F;&#x2F;mulch.dev&#x2F;blog&#x2F;CVE-2020-5252-python-safety-vuln&#x2F;</a><p>In essence, if you are scanning an environment that is already compromised, `npm audit` results can&#x27;t be relied upon if you are running it in the same environment. It should be self-evident but I&#x27;m sure plenty of people use the tool this way.

I recently implemented my own npm vulnerability audit tool for the CIO department of a major org - it just adds &#x27;vulnerability&#x27; in red next to any npm-based project in their spreadsheet.

Difficult problem to solve. It seems like the reasonable solution here is to have auditing integrated with the build system—but there are so many wacky build systems for JavaScript.

I think this is a really great article and highlights an important weakness that modern security tools in this context have: they don&#x27;t distinguish between vulnerabilities that can be triggered by malicious developer code, and vulnerabilities that can be triggered by malicious users&#x2F;websites.<p>For a proper assessment, such differences need to be encoded in the security advisory, and the audit tool needs to analyze if the code is called at run time or build time, and then act accordingly.

Anyone else read the title to mean the author had audited Npm and found the whole thing was broken by design?<p>Because I&#x27;ve felt that way for years.

Seems to me that if you don&#x27;t have a pure functional language with tree-shaking, and only including existing (non-generated) code, you won&#x27;t know if any (3rd party) code in particular will be called in compiled output, and you&#x27;ll just have to guess and err on the side of paranoia Is there a fix?

Instead of marking dependencies as safe by the developer or by the end user, I wonder if the immediate parent can mark it as safe (because it has the appropriate context) and then npm audit can avoid reporting that &quot;vulnerability&quot; when it sees it.

I like his point about `npm audit --production` being a good way to cut down the noise. But Github doesn&#x27;t seem to take dev dependencies into account when sending security alerts. I get emails about non-issues from them all the time.

I think they are just saying that context matters in security vulnerabilities, and npm audit doesn&#x27;t have that context.<p>Well yes, correct, well done. By this metric, every security tool ever written is probably pointless.

As mentioned in the article we ran into the same overload and just ended up running `npm audit --production` as part of our CI pipeline since that&#x27;s what would be going out.

This is why something like living at head is important. If npm audit reports something you should just be able to upgrade to the latest version. Being stuck with old versions is not good. Sure a vulnerability might not effect you now, but what if someone on your team uses that dependency again in a way that ran be exploited, or what if a new vulnerability comes out that actually effects you. You will be stuck on an old version and have to struggle to update.

&gt; Inlining dependencies kind of goes against the whole point of npm<p>I mean, this is why people love language with deep, solid standard libraries. You don&#x27;t have a situation where a problem in a sub-sub-sub-sub-dependency provokes five different groups of people to all issue an update, one after another. You just upgrade your underlying installation to the latest patch version and continue.<p>Language ecosystems where a few lines of code constitutes a library <i>fundamentally</i> result in you being dependent on a huge number of outside people to cooperate on updates. <i>That&#x27;s</i> what&#x27;s broken. Not a tool which tells you that you have out-of-date libraries and, by the by, hooks into CVE databases.<p>OP should stop and consider whether it might be beneficial to inline some of those dependencies before dismissing it out-of-hand. If you never use the dependency in such a way as to present a real security risk... and you don&#x27;t need feature updates from upstream, i.e. the software is fine as-is when you first incorporated the dependency... then why wouldn&#x27;t you inline the dependency?<p>If anything, inlining the dependency will allow static code analyzers to point out all the parts of the dependency which you&#x27;re not using (i.e. dead code) and eliminate it all. That way, even if the dependency <i>were</i> to be discovered to have a security fault, if the faulty code was in a section that you eliminated as dead code... then you don&#x27;t have a security problem in the first place!

It&#x27;s true that the signal to noise ratio is high for much of these, but whatever solution we settle on, it should take into account that forcing even beginners to learn how to use npm audit means that security will be taken into consideration from the start, which is both valuable and a net benefit.

It isn&#x27;t broken by design. I sympathize and understand it&#x27;s annoying to have to comb through false positives and mark them as such, but until a level of AI we&#x27;re nowhere near being near exists, you can&#x27;t automate this process, so the only alternative is to ignore all vulnerabilities.<p>Complaining about this is misunderstanding the asymmetrical costs of different types of statistical error. Vulnerability scanners are sensitive by default because the cost of lots of false positives is annoyed developers who have to slow down their delivery cadence. The cost of false negatives is anything from compromising user data to losing your company to bringing down the power grid of a major city depending on what the application is.<p>Which of those is a higher cost? npm can&#x27;t possibly know the answer to that, so it has to default to assuming security actually matters to you. If it doesn&#x27;t, your local policies can be more lax, but don&#x27;t expect the tool to change for you.

&gt; It makes beginners miserable<p>Can we please tell beginners not to start programming with node.js?<p>Teaching beginners to start with “go-to” technologies became industry standard already as it helps corporations to become more and more monopolist and dictate new industry standards.

It also has some false results. Like package x has a vulnerability in version 1.x And you have a private package @company&#x2F;x with version 1.x. Than npm audit will blame your private package, even if you dont have used the original package x.

How much of the problem here is that npm audit is a little annoying and creates problems unrelated to security?<p>Or do commenters here actually believe that npm audit should treat a DoS of a development machine as a non-vulnerability?<p>(Please tell me it’s the former)

This should be: npm: broken by design.<p>Or even, since it&#x27;s in fact the language itself that sets the tone for the entire ecosystem: javascript: broken by design.

Funny. I had a discussion about the same topic in context of docker image security scanners last week. 100% agree with the author here!

I do wonder if a typed language shouldn&#x27;t have distinct types for trusted vs untrusted strings and binaries.

Correct me if I&#x27;m wrong.<p>But, one of the goals in software engineering right now is reproducible builds. This means building from source. And of course we&#x27;ll want to automate that. We&#x27;ve already made inroads with CI<p>So, correct me if I&#x27;m wrong, these are still vulnerabilities.<p>Tragedy of the commons stuff.<p>This article might be honest. But I hope in the future we don&#x27;t need devil&#x27;s advocate arguments.

This is how it works by design.

Agreed. I have been trained by npm to ignore its audit messages.

the machine doesn&#x27;t need to be compromised, just check it into source control

Bad&#x2F;ill formed regexes took down the internet recently so they are in fact an attack surface <a href="https:&#x2F;&#x2F;blog.cloudflare.com&#x2F;details-of-the-cloudflare-outage-on-july-2-2019&#x2F;" rel="nofollow">https:&#x2F;&#x2F;blog.cloudflare.com&#x2F;details-of-the-cloudflare-outage...</a>

Vulnerabilities are just code paths that can behave in unexpected ways and be abused.... I&#x27;m not sure the author&#x27;s point, that development configuration could not hide malicious code? Why not?<p>All NPM does is scan to the dependency graph for vulnerability reports, it doesn&#x27;t make any assessment of your consuming application&#x27;s use-case. If you don&#x27;t find this useful that is fine, don&#x27;t use it.<p>I think it&#x27;s totally worthwhile to figure out which tools rely on insecure dependencies.<p>Also looks like you can specify npm to ignore dev dependencies:<p>&gt; <i>Any packages in the tree that do not have a version field in their package.json file will be ignored. If any --omit options are specified (either via the --omit config, or one of the shorthands such as --production, --only=dev, and so on), then packages will be omitted from the submitted payload as appropriate.</i>

I agree with the author. Just like them, I only write code without any bugs that can be affected by the &quot;vulnerabilities&quot;. I also never commit to upstream so others won&#x27;t be able to edit my code. All my projects only run on my machine (which is of course also absolutely exploit-free and it&#x27;s not connected to the internet).

A lack of imagination by the author, unfortunately...<p>A DoS on your build machine and dev machine can be indeed be critical issues. Imagine this scenario:<p>Your source code is somehow compromised and attackers slip in rogue code to your production site. It siphons off passwords or other PII. The attackers also take advantage of several of these RegEx DoS vulnerabilities to prevent you from quickly fixing the problem. When you discover the issue, you’ll first see that your build machine is unresponsive, so you can’t just spin a fixed build and re-deploy. You’ll sync your main branch to figure out what is going on, perhaps ready to make a build from your dev machine, but running yarn build hangs. It might take you 1 minute to solve or 5 hours - hard to guess. But every minute you’re delayed is another minute the attacker is siphoning off your production data.<p>npm audit isn’t perfect, but I don’t agree with the author that devDependencies can’t have critical vulnerabilities. Build machines and dev machines <i>are</i> critical infrastructure. Recall the method of attack of SolarWinds [1].<p>Related: we all trust that the “many eyes” of open source contributors will keep our dependencies relatively clean, but this function is not infinite. There is some threshold of lines of code and rate of change that will outstrip the community’s natural ability to find and fix problems. I wish the npm community was more sensitive to the risks that are inherent in current practices. Efforts to limit dependencies and perhaps somehow tag which versions have completed a security audit (and by whom) would be great to see.<p>[1] <a href="https:&#x2F;&#x2F;krebsonsecurity.com&#x2F;2021&#x2F;01&#x2F;solarwinds-what-hit-us-could-hit-others&#x2F;" rel="nofollow">https:&#x2F;&#x2F;krebsonsecurity.com&#x2F;2021&#x2F;01&#x2F;solarwinds-what-hit-us-c...</a>