fix(audit): respect package.json overrides in vulnerability checks#32878
Merged
bartlomieju merged 2 commits intomainfrom Mar 21, 2026
Merged
fix(audit): respect package.json overrides in vulnerability checks#32878bartlomieju merged 2 commits intomainfrom
bartlomieju merged 2 commits intomainfrom
Conversation
…32871) When package.json overrides force a transitive dependency to a patched version, `deno audit` was still reporting it as vulnerable. This happened because the npm audit API returns advisories based on the declared dependency tree, not the resolved versions after overrides are applied. Fix: after receiving advisories from the npm audit API, filter out any where no installed version actually falls within the advisory's vulnerable_versions range. Uses the finding paths to identify the actual package names and cross-references with the resolution snapshot's installed versions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes deno audit false positives when package.json overrides (or similar resolution behavior) forces a transitive dependency to a non-vulnerable version, by filtering npm audit advisories against the actually-resolved versions in the NpmResolutionSnapshot.
Changes:
- Filter npm audit advisories where no resolved/installed package version matches the advisory’s
vulnerable_versionsrange. - Add a spec regression test covering an overridden transitive dependency that would otherwise be reported as vulnerable.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| cli/tools/pm/audit.rs | Filters advisories using the resolution snapshot to avoid reporting vulnerabilities for packages that are resolved to patched versions via overrides. |
| tests/specs/audit/overrides/test.jsonc | Adds a regression spec test that runs install then audit for an overrides scenario. |
| tests/specs/audit/overrides/package.json | Defines a dependency that pulls a vulnerable transitive package, then overrides it to a patched version. |
| tests/specs/audit/overrides/audit.out | Asserts the audit output reports no known vulnerabilities after overrides are applied. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #32871
When
package.jsonoverrides force a transitive dependency to a patched version,deno auditwas still reporting it as vulnerable. For example:{ "dependencies": { "@vitest/ui": "^4.1.0" }, "overrides": { "flatted": "3.4.2" } }The override correctly resolves
flattedto3.4.2(visible in the lockfile), butdeno auditstill reported the vulnerability forflatted < 3.4.2.Root cause
The npm audit API returns advisories based on the declared dependency tree, not the resolved versions after overrides. Deno was passing all advisories through without checking if the actually-installed version falls within the vulnerable range.
Fix
After receiving advisories from the npm audit API, filter out any where no installed version actually falls within the
vulnerable_versionsrange. Uses the finding paths to identify actual package names and cross-references with the resolution snapshot.Test plan
tests/specs/audit/overridesspec test🤖 Generated with Claude Code