npm / rfcs

Public change requests/proposals & ideation

[RRFC] Warn users when skipping alias/git deps during audit #497

Open rotem-cider opened 2 years ago

rotem-cider commented 2 years ago

The problem

When running "npm audit" with alias packages, or packages received from a git installation, it simply skips the package with no warning or sign that the package was not validated.

Organizations relying on the npm audit functionality as part of their installation can be fooled into downloading malware-infected / vulnerable packages.

Sample vulnerable package "pug => 3.0.0" can be bypassed when used with an alias "pug => npm:pug@3.0.0". The same bypass can also happen when installing from a tarball:

  "dependencies": {
    "pug": "https://github.com/pugjs/pug/tarball/pug@3.0.0"
  }

Steps to reproduce

  1. npm init
  2. npm i --save pug@npm:pug@3.0.0
  3. npm audit

Possible Remediation

In npm 7 package aliases are checked, but still not "out-of-store" packages. Currently, because of the issue here - https://github.com/npm/cli/issues/2701 - it is not possible to upgrade to npm 7 in CI environments.

There is no warning about packages that are not scanned, in the UI or in the output JSON, which I think should have some kind of warning/error.

This issue was disclosed to the security team in March and it was decided that this should be filed as a feature/issue and not a security bug.
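A defensive check for the gap described in this report, written here as an added example (not npm's own code): it scans a package.json for dependency specs that npm resolves outside the registry, which is where the report says audit coverage silently stops. It classifies on the raw spec string only; the dependency names and the git URL in the constructed sample are placeholders.

```javascript
// Added example, not npm's code: flag package.json dependency specs that
// `npm audit` (v6, as described in this report) does not check because they
// resolve outside the registry: "npm:" aliases, git deps and tarball URLs.
// Classification is on the raw spec string; a lock file would be more precise.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns 'alias', 'git', 'tarball', or null for a registry-style spec.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (s.startsWith('npm:')) return 'alias';
  if (/^git(\+[a-z]+)?:/.test(s)) return 'git';                      // git://, git+https://, git+ssh://
  if (/^(github|gitlab|bitbucket|gist):/.test(s)) return 'git';        // hosted-git shorthand
  if (/^https?:\/\//.test(s)) return 'tarball';                         // remote tarball URL
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return 'git';                 // bare "user/repo" shorthand
  return null;                                                          // plain version / range
}

// Collects every non-registry spec across the dependency fields.
function findUnauditedDeps(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind) findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest mirroring the report: an alias and a tarball for
// pug, a registry dep, and a git dep (placeholder URL, not a real project).
const SAMPLE_PACKAGE_JSON = {
  name: 'audit-gap-demo',
  dependencies: {
    pug: 'npm:pug@3.0.0',
    lodash: '^4.17.21',
    'pug-tarball': 'https://github.com/pugjs/pug/tarball/pug@3.0.0',
  },
  devDependencies: { 'some-tool': 'git+https://github.com/example/some-tool.git#v1.2.3' },
};

// Emits the warning the report asks for and returns the findings for CI use.
function warnUnaudited(pkg) {
  const findings = findUnauditedDeps(pkg);
  for (const f of findings) {
    console.warn(`WARN: ${f.field}.${f.name} (${f.kind}: ${f.spec}) is not covered by npm audit`);
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) warnUnaudited(SAMPLE_PACKAGE_JSON);
```

A CI job can fail the build when `findUnauditedDeps` returns a non-empty list, so an unscanned dependency is at least visible rather than silently passed.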

darcyclarke commented 2 years ago

@rotem-cider Thanks for filing this! Since this is working as intended, I've transferred this issue to our RFC repo where we can further discuss the design/direction/implementation. I also updated the title of the issue (prev. "NPM Audit 6 security bypass", now "Warn users when skipping alias/git deps during audit"), but feel free to change it back if you want (thought the latter might provide a bit more context out of the gate).

ljharb commented 2 years ago

It seems like alias deps should not be skipped at all, but skipping git deps is a behavior I'd expect.

rotem-cider commented 2 years ago

Great, thanks @darcyclarke.

I'll be happy to participate in future RFC talks to help improve the ecosystem.