by akoumjian
1805 days ago
The interaction is not the worst thing about npm audit. The security model of the tool has a big hole depending on how you use it: https://mulch.dev/blog/CVE-2020-5252-python-safety-vuln/ In essence, if you are scanning an environment that is already compromised, `npm audit` results can't be relied upon if you are running it in the same environment. It should be self-evident but I'm sure plenty of people use the tool this way.
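The point above is that a scanner which runs inside the environment it checks inherits whatever that environment has already been made to do. The following is an added illustration of the alternative, not code from the commenter, from npm, or from the linked advisory: a minimal audit that treats the project's `package-lock.json` as plain data and compares the recorded versions against an advisory list, without importing, requiring, or executing anything from the scanned tree. The lockfile contents, package names (`left-pad-ish`, `some-lib`, `nested-dep`) and advisory IDs are all constructed for the example; the lockfile layouts (v1 `dependencies` tree, v2/v3 `packages` map) are the real npm formats, and it handles both.

```python
"""
Out-of-process lockfile audit (added example, not npm's own code).

The scanner never loads code from node_modules: it reads package-lock.json
as JSON, derives (name, version) pairs, and matches them against an
advisory list held by the scanner itself. Run it from a trusted host or
container pointed at a copied lockfile, so a compromised project cannot
influence the result.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample lockfile in the lockfileVersion 2/3 layout (not real data).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {"version": "1.2.0"},
        "node_modules/some-lib": {"version": "2.5.1"},
        "node_modules/some-lib/node_modules/nested-dep": {"version": "0.9.3"},
    },
})

# Same constructed dependency set in the older lockfileVersion 1 layout.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 1,
    "dependencies": {
        "left-pad-ish": {"version": "1.2.0"},
        "some-lib": {
            "version": "2.5.1",
            "dependencies": {"nested-dep": {"version": "0.9.3"}},
        },
    },
})

# Constructed advisories: hypothetical names and IDs, "vulnerable_below" is
# the first fixed version (anything lower is flagged).
SAMPLE_ADVISORIES = [
    {"id": "DEMO-ADV-1", "name": "left-pad-ish", "vulnerable_below": "1.3.0"},
    {"id": "DEMO-ADV-2", "name": "nested-dep", "vulnerable_below": "1.0.0"},
    {"id": "DEMO-ADV-3", "name": "some-lib", "vulnerable_below": "2.0.0"},
]

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse the numeric major.minor.patch prefix of a version string."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def _walk_v1(deps: Dict[str, dict], out: List[Tuple[str, str]]) -> None:
    """Recursively collect (name, version) from a lockfileVersion 1 tree."""
    for name, meta in deps.items():
        version = meta.get("version")
        if version:
            out.append((name, version))
        _walk_v1(meta.get("dependencies", {}), out)


def installed_packages(lock_text: str) -> List[Tuple[str, str]]:
    """Return every (name, version) recorded in the lockfile, any version."""
    data = json.loads(lock_text)
    found: List[Tuple[str, str]] = []
    if "packages" in data:  # lockfileVersion 2/3: flat map keyed by path
        for path, meta in data["packages"].items():
            if path == "":  # root project entry, not a dependency
                continue
            # Name is the last path segment after "node_modules/";
            # this keeps scoped names such as "@scope/pkg" intact.
            name = path.rsplit("node_modules/", 1)[-1]
            version = meta.get("version")
            if version:
                found.append((name, version))
    else:  # lockfileVersion 1: nested "dependencies" tree
        _walk_v1(data.get("dependencies", {}), found)
    return found


def audit(lock_text: str, advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (advisory_id, name, version) for each vulnerable entry."""
    findings = []
    for name, version in installed_packages(lock_text):
        for adv in advisories:
            if adv["name"] != name:
                continue
            if parse_version(version) < parse_version(adv["vulnerable_below"]):
                findings.append((adv["id"], name, version))
    return findings


if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for adv_id, name, version in audit(lock, SAMPLE_ADVISORIES):
            print(f"[{label}] {adv_id}: {name}@{version} is vulnerable")
```

Because the only input is a JSON document, the same script gives the same answer whether the lockfile came from a healthy checkout or a compromised one; what the compromised environment can still do is lie in the lockfile itself, so pair this with an integrity check of the lockfile against version control rather than trusting the copy found on the affected host.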