feat: Show packages that have vulnerabilities #96
Comments
Is there a readily-available source of module vulnerability information?
Just stumbled upon this article while looking for something different and remembered this issue. Maybe it might help? "GitHub Advisory Database now powers npm audit". Advisories are also available from the GraphQL API. Nice work by the way!
@seagullgithub Good find, thanks! I (or someone) will need to look into this to figure out how exactly to fetch potential advisories for a given graph.

Breadcrumb: more detailed info about searching the database - https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/browsing-security-vulnerabilities-in-the-github-advisory-database#searching-the-github-advisory-database

Edit: Playing around with the GH API, I don't see an obvious way to query for "vulnerabilities that affect [specific module]'s dependency graph". Without that, getting relevant vulnerabilities is a bit of a challenge. We'd have to (potentially) fetch the whole DB into the client (100 results at a time for 10,000+ results? Ugh.) and cache the results somehow. (LocalStorage? IndexedDB?)
This would be the right API, not GitHub's: https://www.gyanblog.com/tutorials/how-node-npm-audit-rest-api-vulnerability/
Poking around with this, I'm getting a CORS error when I try to hit the NPM registry endpoint for audits (
Since we're on Vercel, it should be super easy to implement. However they would be limited by an API key usage and it could lead to abuse if not properly dealt with. So it's up to you to decide whether it's worth it. |
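The three comments above (use the npm audit REST API rather than GitHub's, the CORS error when the browser calls the registry directly, and a Vercel function in between) can be put together in one place. The following is an added example written for this thread, not code from the project or from any of the commenters. It assumes the registry's bulk advisory endpoint at `/-/npm/v1/security/advisories/bulk`, a request body of `{ [package]: [versions] }` and a reply of `{ [package]: [{ id, url, title, severity, vulnerable_versions }] }`, which is what npm's own client uses; the Vercel `req`/`res` helper methods, the `handler` name, and the sample graph and advisory data are also assumptions or constructed values, so check them against the current registry and Vercel docs before relying on them.

```javascript
// Added example for issue #96 (not project code). Assumed endpoint and shapes:
// see the lead-in. Runs offline except for handler(), which performs the real lookup.
const NPM_BULK_ADVISORY_URL =
  'https://registry.npmjs.org/-/npm/v1/security/advisories/bulk'; // assumed path

// graph: array of { name, version } nodes, i.e. what the UI already has per module.
// Returns the bulk request body { [name]: [distinct versions] }.
function buildBulkBody(graph) {
  const body = {};
  for (const { name, version } of graph) {
    if (!body[name]) body[name] = [];
    if (!body[name].includes(version)) body[name].push(version);
  }
  return body;
}

// Compare two "x.y.z" release versions numerically (-1, 0, 1).
function cmpVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Minimal semver range check for advisory ranges such as "<4.17.21",
// ">=1.0.0 <1.2.3 || >=2.0.0" or "*". Pre-release/build suffixes are dropped
// (assumption: release versions only). Any comparator this parser does not
// understand is treated as matching, so an unusual range surfaces the package
// for review instead of silently hiding it.
function satisfies(version, range) {
  const v = version.split(/[-+]/)[0];
  return range.split('||').some((set) => {
    const comps = set.trim().split(/\s+/).filter(Boolean);
    if (comps.length === 0) return true; // empty set means every version
    return comps.every((comp) => {
      const m = comp.match(/^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/);
      if (!m) return true; // unparseable comparator: flag rather than hide
      const d = cmpVersions(v, m[2]);
      switch (m[1] || '=') {
        case '<': return d < 0;
        case '<=': return d <= 0;
        case '>': return d > 0;
        case '>=': return d >= 0;
        default: return d === 0;
      }
    });
  });
}

// Map the registry reply back onto the graph: one hit per (node, advisory)
// whose vulnerable_versions range covers the node's installed version.
function matchAdvisories(graph, response) {
  const hits = [];
  for (const node of graph) {
    for (const adv of response[node.name] || []) {
      if (satisfies(node.version, adv.vulnerable_versions)) {
        hits.push({ name: node.name, version: node.version, id: adv.id,
                    severity: adv.severity, title: adv.title, url: adv.url });
      }
    }
  }
  return hits;
}

// Vercel-style serverless function (assumed to live at api/audit.js). The
// browser posts its graph here; the registry call happens server-side, so the
// CORS problem goes away and no key or token is ever shipped to the client.
// The node cap and the 405 keep the open proxy from being trivially abused.
async function handler(req, res) {
  if (req.method !== 'POST') return res.status(405).end();
  const graph = Array.isArray(req.body) ? req.body.slice(0, 2000) : [];
  const upstream = await fetch(NPM_BULK_ADVISORY_URL, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(buildBulkBody(graph)),
  });
  if (!upstream.ok) return res.status(502).json({ error: 'registry lookup failed' });
  const advisories = await upstream.json();
  res.setHeader('cache-control', 's-maxage=3600'); // let Vercel's edge cache absorb repeats
  return res.status(200).json(matchAdvisories(graph, advisories));
}

// Constructed sample data so the matching logic can be exercised offline.
const SAMPLE_GRAPH = [
  { name: 'lodash', version: '4.17.20' },
  { name: 'lodash', version: '4.17.21' },
  { name: 'left-pad', version: '1.3.0' },
];
const SAMPLE_RESPONSE = {
  lodash: [{ id: 'EXAMPLE-1', url: 'https://example.com/advisory/EXAMPLE-1',
             title: 'Constructed advisory for illustration', severity: 'high',
             vulnerable_versions: '<4.17.21' }],
};
```

Only `handler` touches the network; `buildBulkBody`, `satisfies` and `matchAdvisories` are pure, so the UI can reuse them on a cached reply and a unit test can pin them down. Whether the bulk endpoint is rate-limited or keyed is exactly the "limited by an API key usage" question raised above, and the cap plus edge caching are the cheap first answer to it.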
Overall, since vulnerabilities are for a specific version, I don't think it's particularly useful to display them here. A regular install would probably be best and maybe doing sample

so we know where the problem lies