eventonehq / npm-audit-html


🔒 Generate an HTML report for NPM Audit

Home Page: http://oss.eventone.page/npm-audit-html/

License: MIT License

Languages: JavaScript 31.51%, Handlebars 68.49%
Topics: npm, npm-audit, html, reporter, security, hacktoberfest

npm-audit-html's Introduction

npm-audit-html


Generate an HTML report for NPM Audit


🏁 Getting Started

$ npm install -g npm-audit-html

This package uses async/await and therefore requires Node.js 7.6.

🎈 Usage

To generate a report, run the following:

$ npm audit --json | npm-audit-html

By default, the report is saved to npm-audit.html.

If you want to specify the output file, add the --output option:

npm audit --json | npm-audit-html --output report.html

You can also fully customize the generated report by passing the --template option followed by the path to your own Handlebars template:

npm audit --json | npm-audit-html --template ./my-awesome-template.hbs

If you'd like the generator to exit with a non-zero exit code when vulnerabilities are found, add the --fatal-exit-code option:

npm audit --json | npm-audit-html --fatal-exit-code
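As an added example (not code from npm-audit-html), the following Node module shows what sits behind a pipeline like the one above: it reads the two shapes that `npm audit --json` can take, tallies findings per severity, and turns a severity threshold into the kind of non-zero exit code that --fatal-exit-code exists for. The report shapes, field names and the two sample reports are assumptions based on npm's own JSON output, not taken from this project.

```javascript
// Added example, not code from npm-audit-html: normalise both shapes of
// `npm audit --json` output and derive a CI exit code from a severity threshold.
// Assumed shapes: npm 6 lists findings under `advisories` (keyed by advisory id,
// each with module_name/severity); npm 7+ (auditReportVersion 2) lists them
// under `vulnerabilities` (keyed by package name, each with name/severity).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Flatten either report version into [{ name, severity }]. A report with
// neither section (e.g. from `npm audit fix --json`) yields no findings
// instead of throwing on an undefined property.
function normalizeAudit(report) {
  if (report && report.auditReportVersion === 2 && report.vulnerabilities) {
    return Object.values(report.vulnerabilities)
      .map((v) => ({ name: v.name, severity: v.severity }));
  }
  if (report && report.advisories) {
    return Object.values(report.advisories)
      .map((a) => ({ name: a.module_name, severity: a.severity }));
  }
  return [];
}

// Count findings per level; every level is present so a template renders 0
// rather than `undefined`.
function countBySeverity(findings) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const f of findings) if (f.severity in counts) counts[f.severity] += 1;
  return counts;
}

// 1 when any finding is at or above `threshold`, otherwise 0.
function exitCodeFor(report, threshold = 'low') {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown threshold: ${threshold}`);
  return normalizeAudit(report).some((f) => SEVERITY_RANK[f.severity] >= min) ? 1 : 0;
}

// Constructed sample reports (not real audit output) for a stand-alone run.
const SAMPLE_V1 = {
  advisories: { 1623: { module_name: 'marked', severity: 'moderate' } },
};
const SAMPLE_V2 = {
  auditReportVersion: 2,
  vulnerabilities: {
    'dot-prop': { name: 'dot-prop', severity: 'high' },
    marked: { name: 'marked', severity: 'moderate' },
  },
};

console.log(countBySeverity(normalizeAudit(SAMPLE_V2)), exitCodeFor(SAMPLE_V2, 'high'));
```

In a real pipeline the report object comes from parsing stdin, and the returned code is handed to process.exit so a later job step can decide whether to mail the report.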

✍️ Authors

See also the list of contributors who participated in this project.

🎉 Acknowledgements

  • Hat tip to anyone whose code was used

License

MIT

npm-audit-html's People

Contributors: ashokjayaprakash, dependabot[bot], f4irline, leomelin, mussie-m, nprail, sirfredric

npm-audit-html's Issues

Is this project still alive?

This repo seems to have been inactive for many years.

Some of the dependencies are vulnerable:

https://snyk.io/advisor/npm-package/got
https://snyk.io/advisor/npm-package/marked

Any update, please?

HTML file lacks info about specific issues?

When I generate the HTML report as specified in the instructions I get to see the number of issues split by severity just fine, but the table below has "0 out of 0" and lists no actual package names for the issues. I'm using Node v14.18.0 and NPM v8.1.0, on Ubuntu. Visualizing the HTML file with Chrome. The information is definitely contained in the JSON file. Is there anything else that I should be wary of, or is this a bug?

Handle 'vulnerabilities' of undefined

I'm trying to run npm audit fix --production --only=prod --json | npm-audit-html and got this error. I assume it's because the fix did its job and the output is missing that entry.

Suggested solution:
I haven't looked at the code, but I believe something like

const vulnerabilities = data.metadata.vulnerabilities || []

and the output will show a default message that no vulnerabilities were found.

I'd like to do a PR for this quick fix.

npm-audit-html depends on vulnerable versions of marked

npm-audit-html is being flagged by...npm audit :D

Not a production dependency for me, but wanted to share.

$ npm audit
# npm audit report

marked  1.1.1 - 1.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1623
fix available via `npm audit fix`
node_modules/marked
  npm-audit-html  >=1.4.2
  Depends on vulnerable versions of marked
  node_modules/npm-audit-html

The data table is empty

Hi, somehow the data table is empty since a few days, but it was working before.

I do the following with this docker image: FROM node:lts-bullseye-slim

npm i -g npm-audit-html 
npm audit --json | npm-audit-html


Modal Window Issue

The link to the modal window doesn't open if the module name contains special characters (@, /).

Can't find the file.

Hey guys, I'm on Mac and running the npm audit --npm-audit-html command. From the console all is good, but I cannot find the generated HTML file. Can someone give me a hand with that, please?

Improve Report UI

The report UI doesn't look super great and could be better. Let's improve it.

To-Do

  • Improve Report UI

NPM Audit Report doesn't show data table

Hi,

I followed the steps and tried to run npm-audit-html on some repositories, but every time I get "No data available in table", even though I can see that there are vulnerabilities.
Any idea why this happens and how I can fix the issue?

Thanks!

CVSS score incorrect

The HTML report uses metadata.exploitability value as CVSS score. While I can't find any documentation on the exact meaning of this value, I don't think it is supposed to reflect a CVSS score.

For example npm mongodb vulnerability has a metadata.exploitability value of 3. While the actual CVSS score is 7.5. Our npm audit html report shows several other examples where the CVSS score in the report is completely different from the actual CVSS score.

I propose to label it 'Exploitability:' instead of 'CVSS' in the npm audit html report. Or otherwise completely remove it.

Compatibility with audit-ci

Hi, I would like to ask whether npm-audit-html would have compatibility with audit-ci (https://www.npmjs.com/package/audit-ci)?

Since audit-ci has advantages such as being able to whitelist packages and advisories, set a threshold level, and keep those configs in a single config file, which normal npm audit unfortunately does not have.

Thanks!

"SyntaxError: Unexpected token {" with npm-audit-html@1.4.2

The just released 1.4.2 broke our build chain which works just fine with 1.4.1.

[2020-08-05T15:04:00.875Z] + ./node_modules/.bin/npm-audit-html --output target/reports/npm-audit/report.html
[2020-08-05T15:04:00.875Z] /home/jenkins/workspace/foo/node_modules/npm-audit-html/node_modules/fs-extra/lib/mkdirs/make-dir.js:85
[2020-08-05T15:04:00.875Z] } catch {
[2020-08-05T15:04:00.875Z] ^
[2020-08-05T15:04:00.875Z]
[2020-08-05T15:04:00.875Z] SyntaxError: Unexpected token {
[2020-08-05T15:04:00.875Z] at createScript (vm.js:80:10)
[2020-08-05T15:04:00.875Z] at Object.runInThisContext (vm.js:139:10)
[2020-08-05T15:04:00.875Z] at Module._compile (module.js:617:28)
[2020-08-05T15:04:00.875Z] at Object.Module._extensions..js (module.js:664:10)
[2020-08-05T15:04:00.875Z] at Module.load (module.js:566:32)
[2020-08-05T15:04:00.875Z] at tryModuleLoad (module.js:506:12)
[2020-08-05T15:04:00.875Z] at Function.Module._load (module.js:498:3)
[2020-08-05T15:04:00.875Z] at Module.require (module.js:597:17)
[2020-08-05T15:04:00.875Z] at require (internal/module.js:11:18)
[2020-08-05T15:04:00.875Z] at Object. (/home/jenkins/workspace/foo/node_modules/npm-audit-html/node_modules/fs-extra/lib/mkdirs/index.js:3:44)

Powershell issues

npm-audit-html doesn't seem to work in PowerShell. Piping npm audit --json into npm-audit-html does not actually work: for some reason, there is no stdin, and the process just silently exits.

Also, reading directly from a JSON file doesn't work in PowerShell (e.g. npm audit --json > audit.json; npm-audit-html -i audit.json). The readJson function fails due to character encoding issues.

The automated release is failing 🚨

🚨 The automated release from the master branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can resolve this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.


Invalid npm token.

The npm token configured in the NPM_TOKEN environment variable must be a valid token allowing to publish to the registry https://registry.npmjs.org/.

If you are using Two-Factor Authentication, make sure the auth-only level is configured. semantic-release cannot publish with the default auth-and-writes level.

Please make sure to set the NPM_TOKEN environment variable in your CI with the exact value of the npm token.


Good luck with your project ✨

Your semantic-release bot 📦🚀

TypeScript

Rewrite the library/CLI in TypeScript!

Expose the reporter API

At the moment, to use npm-audit-html, you have to use it through the CLI. This is inconvenient for some people who need to use it programmatically. For example, with build systems like Gulp.

Additionally, the reporter should be more abstracted. It should not write files it's self but should only return an HTML string. The CLI should do the file writing.

Technically, you could use lib/reporter.js directly but it is currently undocumented and not set as the main file in the package.json.

v1.4.1 - Prototype Pollution

Your npm package has a security risk

run "npm install"
run "npm audit"

│ High          │ Prototype Pollution                                       │
├───────────────┼───────────────────────────────────────────────────────────┤
│ Package       │ dot-prop                                                  │
├───────────────┼───────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.1                                                   │
├───────────────┼───────────────────────────────────────────────────────────┤
│ Dependency of │ npm-audit-html [dev]                                      │
├───────────────┼───────────────────────────────────────────────────────────┤
│ Path          │ npm-audit-html > update-notifier > configstore > dot-prop │
├───────────────┼───────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1213                         │

Add support to --input as json file

Currently npm-audit-html only supports stdin as input. It would be great if it could accept a JSON file as input.
Something like this: npm-audit-html --input audit.json --output report.html.

Also, it would be nice if it supported a threshold (low, moderate, high, critical).

Add option to exit with non-zero exit code

Hey, and thanks for this useful package!

I'm using a yarn version of this library (yarn-audit-html) myself in a CI pipeline. I realized that with this version and the yarn version, even though the basic audit command (npm or yarn) exits with code "1" when vulnerabilities are found, using either of these libraries ignores that exit code and instead the program exits with code "0" after creating the audit report. Exiting with a code other than "0" could be useful in pipelines, for example when determining whether some script should be executed when vulnerabilities are found. This could also be optional, with some flag given as a parameter.

My flow in the CI job, for example, works like this (the job is run in a scheduled pipeline every week):

  1. Install npm-audit-html as local dependency (not global)
  2. Configure email-utilities in the CI-runner
  3. Run npm audit --json | ./node_modules/.bin/npm-audit-html --output audit.html
  4. If vulnerabilities are found (if exit code !== 0), send the audit.html report in an email to predetermined recipients. If not (if exit code === 0), just print "No vulnerabilities found."

I have a working implementation almost ready, and can make a pull request, if this feels like a useful feature.

Create report from multiple folders

Is it possible to create a report from different folders?
When I have a big project with submodules with their own dependencies, I have to run npm audit multiple times, with the result that I have many HTML reports.
I'd like to tell npm audit a way (e.g. npm audit --merge ./project/*/package.json, where * is a wildcard for every subfolder to check) to look at every submodule and merge the reports into one.

marked dependency package has been marked as a Moderate vulnerability by npm audit

Moderate Regular Expression Denial of Service

Module: marked
Published: April 10th 2019
Reported by: Anders Kaseorg
CWE-400
Vulnerable: >=0.3.14 <0.6.2
Patched: >=0.6.2
CVSS: 5
Overview
Versions of marked prior to 0.6.2 and later than 0.3.14 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.

Findings
npm-audit-html>marked
Remediation: Upgrade to version 0.6.2 or later.

References
GitHub PR (markedjs/marked#1460)
Snyk Report (https://snyk.io/vuln/SNYK-JS-MARKED-174116)

2.0 roadmap

The second major version of npm-audit-html will have a few major new features.

  • Support more than just npm. Allow for an easy way to create an adapter for other npm-audit clients such as Yarn. - #36
  • Move to TypeScript - #27
  • Support auditReportVersion 2 - #43
  • Expose the reporter API - #44
  • What else is important?

Join the conversation on Slack!

https://slack.event1.io

create dirs for --output

Hello,

as I was using the --output option, it did not create missing directories in the given path. This behavior is expected by most users, as they are used to mocha or nyc reporters.

Command invoked:

npm audit --json | npm-audit-html --output ./test-reports/npm-audit/report.html

The folder npm-audit does not exist and should be created by the module.
