At my place of work we have some private NPM packages that we maintain, packages like ui-scaffolding. I'm running into a weird issue where, when I use ui-scaffolding in two different front-end repos and run npm i && npm audit, I get wildly different results between the two. And to make matters worse, I don't have a clean way to fix the problem.

In ProjectA I get found 0 vulnerabilities.

In ProjectB I get the following:


....................
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @private/ui-scaffolding                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @private/ui-scaffolding > karma-webpack > lodash                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @private/ui-scaffolding                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @private/ui-scaffolding > react2angular > ngcomponent > lodash  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @private/ui-scaffolding                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @private/ui-scaffolding > webpack-dev-server >                  │
│               │ http-proxy-middleware > lodash                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 239 vulnerabilities (1 moderate, 238 high) in 42756 scanned packages

All of the 239 vulnerabilities are found as dependencies of ui-scaffolding, and all of them are related to lodash not being updated to version 4.17.12 or later. So why do I get all these in one repo and not the other when they use the same library?

Wait, I figured out why.

OK... after all this, I realized that the problem of one project working and one not came down to this: all I needed to do was delete the package-lock.json file in the failing web repo and rerun npm i, which resulted in found 0 vulnerabilities. How does this work? No idea. Previously, changing node modules in the package.json file and running npm i always generated a new lock file, so I'm clueless as to why this wasn't working as expected. I hope to revisit this Monday when I'm back in the office, try to get to the bottom of what was going on, and update this page accordingly, because right now it'll just confuse people.

Update a few weeks later: OK, I know what was going on.

  • If you have node_modules installed that satisfy the lock file, then it's not going to go grab the latest ui-scaffolding version.
  • If you run npm i and it detects changes to the package.json file, it'll generate a new lock file to the latest satisfying version.
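The two behaviours above explain the audit output: the lock file in ProjectB had pinned lodash at a pre-4.17.12 version, and as long as node_modules satisfied that lock, npm i never moved it, so every path from ui-scaffolding down to lodash was reported. The following is an added example, not code from the original post, that reads a lockfileVersion 1 package-lock.json the way npm resolves it (a package's own nested "dependencies" first, then each enclosing package, then root) and lists every path from the project's direct dependencies to a package locked below a minimum version, in the same "a > b > c" shape as npm audit's Path rows. The package.json dependency list, the lock file contents, the versions and the ranges are all constructed for illustration; the ngcomponent entry carries a nested lodash copy to show that regenerating the lock only fixes the hoisted copy, not a copy an ancestor's range pins to an old version. Lockfile v2/v3 files use a flat "packages" map instead and are not handled here.

```javascript
// Added example, not code from the original post: walk a lockfileVersion 1
// package-lock.json the way npm resolves it (nearest nested node_modules first,
// then each enclosing package, root last) and list every dependency path from
// the project's direct dependencies to a package whose locked version is below
// a minimum. Package names follow the audit output above; the lock file itself,
// the versions and the ranges are constructed for illustration.

// Constructed package.json dependencies for "ProjectB" (direct deps only).
const directDeps = ["@private/ui-scaffolding"];

// Constructed lock file. Root-level lodash is pinned at 4.17.11 because the
// lock was generated before 4.17.12 existed; ngcomponent additionally carries
// its own nested copy, as npm does when an ancestor's range cannot be deduped.
const sampleLock = {
  name: "project-b",
  lockfileVersion: 1,
  dependencies: {
    "@private/ui-scaffolding": {
      version: "1.2.0",
      requires: { "karma-webpack": "^4.0.0", react2angular: "^4.0.0", "webpack-dev-server": "^3.7.0" }
    },
    "karma-webpack": { version: "4.0.2", requires: { lodash: "^4.17.11" } },
    react2angular: { version: "4.0.2", requires: { ngcomponent: "^4.1.0" } },
    ngcomponent: {
      version: "4.1.0",
      requires: { lodash: "4.17.4" },
      dependencies: { lodash: { version: "4.17.4" } }
    },
    "webpack-dev-server": { version: "3.7.2", requires: { "http-proxy-middleware": "^0.19.1" } },
    "http-proxy-middleware": { version: "0.19.1", requires: { lodash: "^4.17.11" } },
    lodash: { version: "4.17.11" }
  }
};

// Compare plain x.y.z versions; returns true when a is older than b.
function olderThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Resolve `name` from inside the package chain `enclosing` (outermost first):
// check each enclosing package's nested "dependencies" innermost-first, then
// root. Returns the entry plus the chain that physically contains it, so that
// its own requires are resolved from the right place in the tree.
function resolve(lock, enclosing, name) {
  for (let i = enclosing.length - 1; i >= 0; i--) {
    const nested = enclosing[i].dependencies;
    if (nested && nested[name]) return { entry: nested[name], enclosing: enclosing.slice(0, i + 1) };
  }
  const top = lock.dependencies[name];
  return top ? { entry: top, enclosing: [] } : null;
}

// Every path from a direct dependency to `target` whose resolved version is
// below `minVersion`, as "a > b > target" strings like npm audit's Path rows.
function findVulnerablePaths(lock, directDeps, target, minVersion) {
  const hits = [];
  const walk = (entry, enclosing, path) => {
    const here = enclosing.concat(entry);
    for (const dep of Object.keys(entry.requires || {})) {
      if (path.includes(dep)) continue;          // cycle guard
      const found = resolve(lock, here, dep);
      if (!found) continue;                       // lock and package.json out of sync
      const next = path.concat(dep);
      if (dep === target) {
        if (olderThan(found.entry.version, minVersion)) {
          hits.push({ path: next.join(" > "), version: found.entry.version });
        }
      } else {
        walk(found.entry, found.enclosing, next);
      }
    }
  };
  for (const name of directDeps) {
    const root = lock.dependencies[name];
    if (!root) continue;
    if (name === target && olderThan(root.version, minVersion)) {
      hits.push({ path: name, version: root.version });
    }
    walk(root, [], [name]);
  }
  return hits;
}

// Distinct offending versions: regenerating the lock (or npm audit fix) only
// helps when every range that selects one of these admits the fixed version.
function offendingVersions(hits) {
  return [...new Set(hits.map(h => h.version))].sort();
}

const report = findVulnerablePaths(sampleLock, directDeps, "lodash", "4.17.12");
for (const h of report) console.log(`${h.path}  (locked ${h.version})`);
console.log("offending versions:", offendingVersions(report).join(", "));
```

Run with node against the constructed lock and the three paths from the audit output above come back, two of them resolving to the hoisted 4.17.11 copy and one to ngcomponent's nested 4.17.4. Bumping only the root lodash entry, which is what deleting the lock and reinstalling effectively did in ProjectB, clears the first two paths but leaves the nested pin, which is why a fresh lock is a check to repeat rather than a one-time fix.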

I also need to look into https://www.npmjs.com/package/npm-audit-ci-wrapper