Update NpmAuditParser to Handle Changes in NPM Audit v7+ Responses to Retrieve github_advisory_id  #7292

@ronmjf

Description

Is your feature request related to a problem? Please describe.
The current implementation of the NpmAuditParser#parseAdvisory method retrieves the github_advisory_id by searching for this key in the npm audit response. However, with the release of npm version 7, the npm audit command accesses a new endpoint (https://registry.npmjs.org/-/npm/v1/security/advisories/bulk), which returns a different response structure compared to the previous endpoint (https://registry.npmjs.org/-/npm/v1/security/audits). Specifically, the response from the new endpoint does not include the github_advisory_id, while the older endpoint does. Instead, the github_advisory_id can be found in the CVE URLs returned by the new endpoint. This inconsistency can lead to errors or incomplete advisory processing in the application.

Describe the solution you'd like.
I propose to modify the NpmAuditParser#parseAdvisory method to accommodate the changes in the npm audit response structure. The solution would entail implementing a dual-check mechanism: first, the function would attempt to retrieve the github_advisory_id directly from the npm audit response when applicable; if not found, it would extract the github_advisory_id from the CVE URL provided in the response. This would ensure that the application can handle responses from both npm audit versions seamlessly.

Describe alternatives you've considered.
One alternative would be to maintain separate parsing logic for responses from npm audit version 6 and version 7. However, this approach could complicate the codebase and make it harder to maintain, as future updates to npm may continue to evolve the response structure. Therefore, implementing a unified parsing strategy as described above is more efficient.

Additional context
For further details, you can refer to the official npm documentation that outlines the changes in the audit endpoints and their respective response structures: npm audit documentation.

Below are images comparing the two response structures:

Npm Audit v6: [screenshot of the v6 audit response]

Npm Audit v7+: [screenshot of the v7+ bulk advisory response]
