[BUG] npm audit does not exit with exit code 1 if a vulnerability is found #2868

Closed
jansepke opened this issue Mar 15, 2021 · 3 comments · Fixed by npm/npm-audit-report#46
Labels
Bug thing that needs fixing Priority 2 secondary priority issue Release 7.x work is associated with a specific npm 7 release

Comments

@jansepke
Contributor

jansepke commented Mar 15, 2021

Current Behavior:

Running npm audit in a repository with a vulnerable package will give the correct report output, but will not exit with status code 1.

Expected Behavior:

Same as in NPM V6 and as stated in the V7 Docs: "By default, the audit command will exit with a non-zero code if any vulnerability is found."

Steps To Reproduce:

  1. npm install xmldom@0.4.0
  2. npm audit
  3. echo $?

I don't know if this problem applies only to low severity findings. Our workaround currently is to use npm audit --audit-level=low, which will exit correctly with 1.

Environment:

  • OS: Ubuntu 20.04
  • Node: v14.16.0
  • npm: 7.6.3
@jansepke jansepke added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Mar 15, 2021
@josalmi

josalmi commented Mar 18, 2021

I can confirm this issue is also happening on npm 7.6.0 and doesn't seem to be related to severity, since a high level vulnerability also exits with a 0 status code. The mentioned workaround works.

@mikejamesthompson

We also experienced this issue. We were using npm audit in CI to check for vulnerabilities in packages and using the non-zero return code to cause the build to fail if any were found.

Obviously we are now using npm audit --audit-level=low, but this should be fixed so that the behaviour matches the documentation.

@darcyclarke darcyclarke added Priority 2 secondary priority issue and removed Needs Triage needs review for next steps labels May 14, 2021
@darcyclarke
Contributor

Can confirm, this is a problem. Prioritizing accordingly.
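
A CI gate that does not depend on the exit status discussed in this thread, as an added example that is not part of the issue or npm's own code: it derives the build result from the severity counters in `npm audit --json` output and fails closed when the report is unusable. The `metadata.vulnerabilities` report shape, the `auditGate` name, the `--stdin` switch, the file name and the 0/1/2 exit codes are assumptions of this example.

```javascript
// Severity names in ascending order; the same names npm accepts for --audit-level.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample report (not real npm output): one low-severity finding.
const SAMPLE = JSON.stringify({
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 0, critical: 0, total: 1 } },
});

// Exit codes are this example's choice: 0 = clean at this threshold,
// 1 = findings at or above it, 2 = report unusable (fail closed).
function auditGate(reportText, minLevel = 'low') {
  const fail = (reason) => ({ exitCode: 2, counted: 0, reason });
  const start = SEVERITIES.indexOf(minLevel);
  if (start === -1) return fail(`unknown level: ${minLevel}`);

  let report;
  try {
    report = JSON.parse(reportText);
  } catch (err) {
    return fail('report is not valid JSON');
  }

  // Assumed shape: metadata.vulnerabilities holds one integer counter per severity.
  const counts = report && report.metadata && report.metadata.vulnerabilities;
  if (!counts || typeof counts !== 'object') return fail('no severity counters in report');

  let counted = 0;
  let seen = 0;
  for (const level of SEVERITIES.slice(start)) {
    const n = counts[level];
    if (n === undefined) continue; // counter not present in this report
    if (!Number.isInteger(n) || n < 0) return fail(`bad counter for ${level}`);
    counted += n;
    seen += 1;
  }
  if (seen === 0) return fail('no counters at or above the threshold');
  return { exitCode: counted > 0 ? 1 : 0, counted, reason: `${counted} finding(s) >= ${minLevel}` };
}

// Usage (hypothetical file name): npm audit --json | node audit-gate.js --stdin low
if (process.argv[2] === '--stdin') {
  let text = '';
  process.stdin.setEncoding('utf8');
  process.stdin.on('data', (chunk) => { text += chunk; });
  process.stdin.on('end', () => {
    const result = auditGate(text, process.argv[3] || 'low');
    console.error(result.reason);
    process.exitCode = result.exitCode;
  });
}
```

Because the result is computed from the report body, an empty or error-only report stops the build instead of passing it.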
