Apparently the endpoint at https://registry.npmjs.org/-/npm/v1/security/advisories changed the output format without notice.
Previously, timestamps included a "Z" as a timezone indicator - which was now silently removed, breaking e.g. the DependencyTrack parser.
Is the current version the "new stable" or will it be changed again?
Other changes to the NPM Advisory API include modifications to the 'next' and 'prev' fields which prevent the API from being paginated without having to create workarounds.
cc @evilpacket
@ljharb thanks for the ping. On the one hand this API was undocumented and is only supported through the official channel that is npm cli (for npm audit) and the website. On the other this is an unexpected change and I've been informed that engineering will likely be working on a fix for it. Triage pending.
I just took a look at the advisories output from the referenced endpoint and I think dates should be back to what you are expecting?
```json
{
  "total": 1348,
  "objects": [
    {
      "id": 1518,
      "created": "2020-04-30T18:19:09.542Z",
      "updated": "2020-04-30T18:19:09.542Z",
      "deleted": null,
```
Again, I want to note that these endpoints are undocumented and unsupported and are likely to change in the future. You may want to consider migrating to consume advisory data from the GitHub Advisory database, which is available under the Creative Commons Attribution 4.0 license.
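For consumers of this feed, a parser that tolerates both timestamp shapes discussed in this thread (with and without the trailing "Z") avoids breaking on such a change. The following is an added example, not code from the thread, npm, or DependencyTrack; the function names are hypothetical, and it assumes a missing zone designator means UTC. Note that plain `new Date(string)` would read a "Z"-less date-time as local time.

```javascript
// Added example, not from the thread. Sample values are constructed from the
// snippet quoted in the thread; function names are hypothetical.
const ISO_RE =
  /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:?\d{2})?$/;

// Parse a timestamp with or without a zone designator into a Date.
// Assumption: a missing designator means UTC, since the earlier format used "Z".
function parseAdvisoryTimestamp(value) {
  if (value === null || value === undefined) return null; // e.g. "deleted": null
  if (typeof value !== 'string') throw new TypeError('timestamp must be a string or null');
  const m = ISO_RE.exec(value.trim());
  if (!m) throw new RangeError(`unrecognised timestamp: ${value}`);
  const [y, mo, d, h, mi, s] = m.slice(1, 7).map(Number);
  const ms = Number(((m[7] || '') + '000').slice(0, 3));
  const utc = new Date(Date.UTC(y, mo - 1, d, h, mi, s, ms));
  // Date.UTC silently rolls over out-of-range fields (month 13, hour 25); reject those.
  const fields = [utc.getUTCFullYear(), utc.getUTCMonth() + 1, utc.getUTCDate(),
    utc.getUTCHours(), utc.getUTCMinutes(), utc.getUTCSeconds()];
  if (fields.some((v, i) => v !== [y, mo, d, h, mi, s][i])) {
    throw new RangeError(`out-of-range field in timestamp: ${value}`);
  }
  const zone = m[8];
  if (!zone || zone === 'Z') return utc;
  // Explicit numeric offset: convert the wall-clock time to UTC.
  const sign = zone[0] === '-' ? -1 : 1;
  const digits = zone.slice(1).replace(':', '');
  const offsetMin = sign * (Number(digits.slice(0, 2)) * 60 + Number(digits.slice(2)));
  return new Date(utc.getTime() - offsetMin * 60000);
}

// Return a copy of an advisory object with its date fields in one canonical form.
function normalizeAdvisory(advisory) {
  const out = { ...advisory };
  for (const key of ['created', 'updated', 'deleted']) {
    const parsed = parseAdvisoryTimestamp(advisory[key]);
    out[key] = parsed === null ? null : parsed.toISOString();
  }
  return out;
}

// Constructed sample: one field in each of the two observed shapes.
const sample = { id: 1518, created: '2020-04-30T18:19:09.542',
  updated: '2020-04-30T18:19:09.542Z', deleted: null };
console.log(normalizeAdvisory(sample));
```

Malformed or out-of-range values raise an error instead of being coerced, so a further format change surfaces as a parse failure rather than as silently shifted dates.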