Skip to content

ericcornelissen/npmaargh

BranchesTags

Repository files navigation

npmaargh

The npm audit assistant - the "rgh" is for dramatic effect, capturing that all-too-familiar reaction to running npm audit: "aargh!" 😩

The npmaargh CLI is intended to help you resolve npm audit reports by showing you where in the dependency hierarchy upgrades are blocked. This is especially helpful when npm audit fix doesn't just solve the problem for you.

The report can be used to report blockers upstream or write more targeted override rules.

Usage

You can either install and run:

npm install --global npmaargh
npmaargh [flags...] [target]

Or use npx:

npx npmaargh [flags...] [target]

For example:

$ npx npmaargh --compact my-project
=== npm audit assistant ===
I'm here to help audit 'project'.

=== setup ===
Initialized.
Obtained audit report.
Analyzed audit report.

=== https://github.com/advisories/GHSA-abcd-1234-e5f6 ===
 <project>@0.4.2          # Blocker [[email protected]>1.2.4]
  [email protected]               # Need 1.2.4 (for [email protected])
   [email protected]              # Need 3.1.4
   [email protected]            # Upgradable (need 1.1.1)
  [email protected]             # Blocker [[email protected]>1.1.1 (https://github.com/he/llo/issues)]
   [email protected]            # Need 1.1.1

Let's unpack that report:

  • <project>@0.4.2 is the project we're analyzing.
  • # Blocker [[email protected]>1.2.4] indicates a change is required, namely that the package foo must be upgraded from 1.2.3 to 1.2.4.
  • [email protected] is a direct dependency of the project that we're using at v1.2.3.
  • # Need 1.2.4 (for [email protected]) indicates we need [email protected] so that we can pull in [email protected] transitively.
  • [email protected] is a transitive dependency of the project that is currently at v3.0.0.
  • # Need 3.1.4 indicates we need to bump it, because of a known vulnerability.
  • [email protected] is another transitive dependency of [email protected].
  • # Upgradable (need 1.1.1) indicates world can be upgraded to v1.1.1 now. It might currently not be installed because of a lockfile or deduplication.
  • [email protected] is another direct dependency of the project.
  • # Blocker [[email protected]>1.1.1 (...)] indicates a change is required in hello to upgrade world to a non-vulnerable version. A link for the bug tracker of hello is included to make it easy to report the blocker.
  • [email protected] is a transitive dependency of [email protected].
  • # Need 1.1.1 indicates we need to bump it, because of a known vulnerability.

License

This software is available under the AGPL-3.0-or-later license, see LICENSE for the full license text.

About

The npm audit assistant

www.npmjs.com/package/npmaargh

Topics

nodejs npm security security-audit audit assistant cve vulnerability-management npm-audit ghsa vulnerablity

Resources

Readme

License

AGPL-3.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Contributors

Languages