Azure-devops-docs: npm audit support?

Created on 13 Nov 2018 · 6 Comments · Source: MicrosoftDocs/azure-devops-docs

When using an Artifacts feed it appears that npm audit does not work (reports a 400 Bad Request for a POST to URL /npm/registry/-/npm/v1/security/audits). Is there documentation on an alternative to npm audit when using Artifacts, or support on the roadmap?



Hey @WorldMaker , have you checked out this issue and solution posted on the Azure DevOps Services developer community? https://developercommunity.visualstudio.com/content/problem/263615/npm-audit-fails.html. If you find that it works for you, I'd be glad to add something to the documentation to point that workaround out!

Thanks, overriding the registry just for the command does help as a short-term workaround!

Some long-term concerns with that approach without a more permanent security audit endpoint in Artifacts are:

  • No audit warnings after a regular npm install
  • npm audit fix --registry and npm audit fix --force --registry will install updated packages from the wrong registry, for those seeking to keep a complete package graph in Artifacts (subsequent CI builds may mitigate that of course, but there's still that window of difference that may be a concern to some that worry about package auditing)

It may be worth investigating a better long term solution for Artifacts if this is not already on the product backlog. Spitballing, because I'm a dev and it's hard not to, I could imagine it might be hard to replicate npm's security/audit API here, but I'm wondering if maybe something as simple as a 303/307 redirect from the HTTP endpoint to npm's main registry endpoint would be sufficient? (With probably making sure that the redirect only happens if the main registry is an upstream feed source.)

Given this is code-security infrastructure it seems like a smart idea for Artifacts to support as best it can.

Thanks again for the immediate workaround suggestion/reminder, @elbatk.
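One way to wire the registry-override workaround into a build without ever letting `npm audit fix` install from the overridden registry, as an added example that is not part of this thread or of the Azure DevOps docs. It assumes npm is on PATH and that the feed's upstream is the public registry `https://registry.npmjs.org` (both are assumptions); the audit runs read-only against the public registry, the gate decides from the JSON report, and remediation stays with installs from the Artifacts feed.

```python
import json
import subprocess
from typing import Dict

PUBLIC_REGISTRY = "https://registry.npmjs.org"  # assumed upstream of the feed
SEVERITIES = ("info", "low", "moderate", "high", "critical")


def audit_command(registry: str = PUBLIC_REGISTRY) -> list:
    # Read-only audit: --registry is scoped to this one invocation, so the
    # project's .npmrc (pointing at the Artifacts feed) still governs installs.
    # Deliberately never `npm audit fix --registry`: that would pull packages
    # from the overridden registry instead of the feed (the thread's concern).
    return ["npm", "audit", "--json", "--registry=" + registry]

def count_vulnerabilities(report_json: str) -> Dict[str, int]:
    """Per-severity counts from `npm audit --json` (metadata.vulnerabilities
    is present in both the npm 6 and npm 7+ report formats)."""
    report = json.loads(report_json)
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    return {sev: int(counts.get(sev, 0)) for sev in SEVERITIES}

def exceeds_level(counts: Dict[str, int], audit_level: str = "high") -> bool:
    """True when any finding is at or above audit_level (like --audit-level)."""
    threshold = SEVERITIES.index(audit_level)
    return any(counts[sev] > 0 for sev in SEVERITIES[threshold:])

def run_gate(audit_level: str = "high") -> int:
    """Run the audit; return a non-zero status when the build should fail."""
    # npm audit exits non-zero whenever it finds anything, so decide from the
    # JSON counts rather than from the exit status.
    proc = subprocess.run(audit_command(), capture_output=True, text=True)
    try:
        counts = count_vulnerabilities(proc.stdout)
    except ValueError:
        # No parseable report (e.g. the feed answered 400): fail closed.
        print("npm audit produced no usable report:", proc.stderr.strip())
        return 2
    print("vulnerabilities:", counts)
    return 1 if exceeds_level(counts, audit_level) else 0


# Constructed sample report (metadata block only) so the parsing runs offline.
SAMPLE_REPORT = json.dumps({"metadata": {"vulnerabilities": {
    "info": 0, "low": 2, "moderate": 1, "high": 0, "critical": 1}}})

if __name__ == "__main__":
    raise SystemExit(run_gate())
```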

Thanks for the write-up here @WorldMaker! Adding @alexmullans from the product team to take a look!

@WorldMaker thanks for the feedback. This is something we need to support. Nothing on the schedule yet but I'm hoping we can get it into Q1.

If you wouldn't mind, consider adding your vote here? https://developercommunity.visualstudio.com/idea/365958/npm-audit.html

@elbatk in the meantime, I like your idea of adding a docs page for this. Perhaps a "Use npm audit" page under How-to > npm?

@alexmullans Thanks. I added a vote to that user voice page. It's interesting how topical this turned out to be with today's news about event-stream's security compromise going around.

I've added the aforementioned article to the docs:
https://docs.microsoft.com/en-us/azure/devops/artifacts/npm/npm-audit?view=vsts&tabs=yaml

Closing this for now! Looking forward to being able to remove the workaround doc ;)
