Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
The output of `npm audit` doesn't always list all vulnerabilities when using the default output format.
Expected Behavior
The output of `npm audit` always lists all vulnerabilities when using the default output format.
Steps To Reproduce
1. Install the vulnerable package:

   ```
   npm install [email protected]
   ```

2. Run the audit (JSON output format):

   ```
   npm audit --json
   ```

3. Observe the output (JSON format):

   ```json
   {
     "auditReportVersion": 2,
     "vulnerabilities": {
       "dompurify": {
         "name": "dompurify",
         "severity": "moderate",
         "isDirect": false,
         "via": [
           {
             "source": 1102259,
             "name": "dompurify",
             "dependency": "dompurify",
             "title": "DOMPurify allows Cross-site Scripting (XSS)",
             "url": "https://github.com/advisories/GHSA-vhxf-7vqr-mrjg",
             "severity": "moderate",
             "cwe": ["CWE-79"],
             "cvss": {
               "score": 4.5,
               "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
             },
             "range": "<3.2.4"
           }
         ],
         "effects": ["jspdf"],
         "range": "<3.2.4",
         "nodes": ["node_modules/dompurify"],
         "fixAvailable": true
       },
       "html2pdf.js": {
         "name": "html2pdf.js",
         "severity": "high",
         "isDirect": true,
         "via": ["jspdf"],
         "effects": [],
         "range": "<=0.10.2",
         "nodes": ["node_modules/html2pdf.js"],
         "fixAvailable": true
       },
       "jspdf": {
         "name": "jspdf",
         "severity": "high",
         "isDirect": false,
         "via": [
           {
             "source": 1103308,
             "name": "jspdf",
             "dependency": "jspdf",
             "title": "jsPDF Bypass Regular Expression Denial of Service (ReDoS)",
             "url": "https://github.com/advisories/GHSA-w532-jxjh-hjhj",
             "severity": "high",
             "cwe": ["CWE-400", "CWE-770"],
             "cvss": {
               "score": 0,
               "vectorString": null
             },
             "range": "<3.0.1"
           },
           "dompurify"
         ],
         "effects": ["html2pdf.js"],
         "range": "<=3.0.0",
         "nodes": ["node_modules/jspdf"],
         "fixAvailable": true
       }
     },
     "metadata": {
       "vulnerabilities": {
         "info": 0,
         "low": 0,
         "moderate": 1,
         "high": 2,
         "critical": 0,
         "total": 3
       },
       "dependencies": {
         "prod": 14,
         "dev": 0,
         "optional": 10,
         "peer": 0,
         "peerOptional": 0,
         "total": 23
       }
     }
   }
   ```

4. Run the audit (default output format):

   ```
   npm audit
   ```

5. Observe the output (default format):

   ```
   dompurify  <3.2.4
   Severity: moderate
   DOMPurify allows Cross-site Scripting (XSS) - https://github.com/advisories/GHSA-vhxf-7vqr-mrjg
   fix available via `npm audit fix`
   node_modules/dompurify
     jspdf  <=3.0.0
     Depends on vulnerable versions of dompurify
     node_modules/jspdf
       html2pdf.js  <=0.10.2
       Depends on vulnerable versions of jspdf
       node_modules/html2pdf.js

   3 vulnerabilities (1 moderate, 2 high)
   ```

6. Look at the differences:
   - JSON output format: the list shows 1 moderate and 2 high vulnerabilities.
   - Default output format: the list shows 1 moderate vulnerability.
   - Default output format: the summary states 1 moderate and 2 high vulnerabilities.
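As an added example (not part of this issue or of npm itself), the following script rebuilds the complete per-package listing from the `npm audit --json` report shown above, including the severity of the transitive `jspdf` and `html2pdf.js` entries that the default output omits, and checks that the listed counts agree with `metadata.vulnerabilities`. The embedded `report` object is the JSON from this issue, trimmed to the fields the script uses.

```javascript
// Added example (not from the issue): derive the full vulnerability list from the
// machine-readable `npm audit --json` report (auditReportVersion 2) and cross-check it
// against the report's own metadata counts. `report` is the JSON attached to this
// issue, trimmed to the fields used here.
const report = {
  auditReportVersion: 2,
  vulnerabilities: {
    dompurify: {
      name: "dompurify", severity: "moderate", isDirect: false, range: "<3.2.4",
      via: [{ source: 1102259, title: "DOMPurify allows Cross-site Scripting (XSS)",
              url: "https://github.com/advisories/GHSA-vhxf-7vqr-mrjg", severity: "moderate" }],
      effects: ["jspdf"], nodes: ["node_modules/dompurify"], fixAvailable: true,
    },
    "html2pdf.js": {
      name: "html2pdf.js", severity: "high", isDirect: true, range: "<=0.10.2",
      via: ["jspdf"], effects: [], nodes: ["node_modules/html2pdf.js"], fixAvailable: true,
    },
    jspdf: {
      name: "jspdf", severity: "high", isDirect: false, range: "<=3.0.0",
      via: [{ source: 1103308, title: "jsPDF Bypass Regular Expression Denial of Service (ReDoS)",
              url: "https://github.com/advisories/GHSA-w532-jxjh-hjhj", severity: "high" }, "dompurify"],
      effects: ["html2pdf.js"], nodes: ["node_modules/jspdf"], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 0, total: 3 } },
};

// One record per vulnerable package. In `via`, an object is an advisory against the
// package itself; a string names another vulnerable package it depends on (the
// "Depends on vulnerable versions of ..." entries whose severity the default output drops).
function listVulnerabilities(r) {
  return Object.values(r.vulnerabilities).map((v) => ({
    name: v.name, severity: v.severity, range: v.range, fixAvailable: v.fixAvailable,
    advisories: v.via.filter((x) => typeof x === "object").map((x) => x.url),
    dependsOn: v.via.filter((x) => typeof x === "string"),
  }));
}

// Severities whose listed count differs from metadata.vulnerabilities (empty = consistent).
function severityMismatches(r) {
  const counts = {};
  for (const v of Object.values(r.vulnerabilities)) counts[v.severity] = (counts[v.severity] || 0) + 1;
  const summary = r.metadata.vulnerabilities;
  return Object.keys(summary).filter((s) => s !== "total" && (counts[s] || 0) !== summary[s]);
}
for (const v of listVulnerabilities(report)) {
  const why = [...v.advisories, ...v.dependsOn.map((d) => `depends on vulnerable ${d}`)].join("; ");
  console.log(`${v.name} ${v.range}  Severity: ${v.severity}  ${why}`);
}
console.log("list/summary mismatches:", severityMismatches(report));
```

For a live project, replace the embedded `report` with `JSON.parse(require("fs").readFileSync(0, "utf8"))` and pipe `npm audit --json` into the script.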
Environment
- npm: 11.2.0
- Node.js: v22.14.0
- OS Name: Debian GNU/Linux 12 (bookworm), also reproduced on Windows & MacOS
- System Model Name: -
- npm config:

  ```
  ; "env" config from environment
  cache = "/root/.cache/npm"
  store-dir = "/root/.cache/pnpm"
  ; node bin location = /usr/local/share/nvm/versions/node/v22.14.0/bin/node
  ; node version = v22.14.0
  ; npm local prefix = /project/workspace
  ; npm version = 11.2.0
  ; cwd = /project/workspace
  ; HOME = /root
  ; Run `npm config ls -l` to show all defaults.
  ```