Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pnpm audit does not report known vulnerability in 7.17.1 without a version in the package.json #5728

Closed
AndrewLeedham opened this issue Dec 1, 2022 · 3 comments · Fixed by #5731
Closed

pnpm audit does not report known vulnerability in 7.17.1 without a version in the package.json #5728

AndrewLeedham opened this issue Dec 1, 2022 · 3 comments · Fixed by #5731
Labels
type: bug
Milestone
v7.18

Comments

@AndrewLeedham
Copy link
Contributor

AndrewLeedham commented Dec 1, 2022
edited

pnpm version: 7.17.1

Code to reproduce the issue:

package.json

{
  "name": "pnpm-vulnerable",
  "dependencies": {
    "mem": "3.0.1"
  }
}

pnpm-lock.yaml

lockfileVersion: 5.4

specifiers:
  mem: 3.0.1

dependencies:
  mem: 3.0.1

packages:

  /mem/3.0.1:
    resolution: {integrity: sha512-QKs47bslvOE0NbXOqG6lMxn6Bk0Iuw0vfrIeLykmQle2LkCw1p48dZDdzE+D88b/xqRJcZGcMNeDvSVma+NuIQ==}
    engines: {node: '>=4'}
    dependencies:
      mimic-fn: 1.2.0
      p-is-promise: 1.1.0
    dev: false

  /mimic-fn/1.2.0:
    resolution: {integrity: sha512-jf84uxzwiuiIVKiOLpfYk7N46TSy8ubTonmneY9vrpHNAnp0QBt2BxWV9dO3/j+BoVAb+a5G6YDPW3M5HOdMWQ==}
    engines: {node: '>=4'}
    dev: false

  /p-is-promise/1.1.0:
    resolution: {integrity: sha512-zL7VE4JVS2IFSkR2GQKDSPEVxkoH43/p7oEnwpdCndKYJO0HVeRB7fA8TJwuLOTBREtK0ea8eHaxdwcpob5dmg==}
    engines: {node: '>=4'}
    dev: false

Expected behavior:

Running pnpm audit should yield 1 vulnerability for mem@3.0.1, as it does in 7.16.1

Actual behavior:

It prints:

No known vulnerabilities found

Additional information:

  • node -v prints: v16.18.0
  • Windows, macOS, or Linux?:

If a version is included in the package.json the vulnerability is reported. So it seems that v7.17.0 introduced a regression requiring a version.
@AndrewLeedham AndrewLeedham changed the title pnpm audit does not report known vulnerability in 7.17.1 pnpm audit does not report known vulnerability in 7.17.1 without a version in the package.json Dec 1, 2022
@zkochan
Copy link
Member

zkochan commented Dec 1, 2022

It was caused by this change: #5661

In the past, we always sent 0.0.0 as the version. Now we read the version from the package.json.

@AndrewLeedham AndrewLeedham mentioned this issue Dec 1, 2022
Merged
@AndrewLeedham
Copy link
Contributor Author

Would the simple fix to do manifest.version ?? '0.0.0' then?

@zkochan
Copy link
Member

zkochan commented Dec 1, 2022

Yes, and a test

@lvqq lvqq mentioned this issue Dec 2, 2022
Merged
zkochan pushed a commit that referenced this issue Dec 2, 2022
@lvqq
fix: audit should work when the project's package.json has no version (
dd83e59 
…#5731)

close #5728
@zkochan zkochan added this to the v7.18 milestone Dec 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: bug
Projects
None yet
Milestone
v7.18
Development

Successfully merging a pull request may close this issue.

fix: add default version in pnpm audit pnpm/pnpm
2 participants
@zkochan @AndrewLeedham