<![CDATA[ProGet pnpm audit reports no vulnerabilities]]>Hi,

We are having issues with pnpm not picking up the package vulnerabilities when running pnpm audit. It always returns no vulnerabilities when pointing at ProGet, but returns correct results when querying the public npm registry.

It looks like npm audit does work as expected, so this is specific to whatever pnpm is expecting.

Looking at the response from npmjs and ProGet, the only real difference I can see is that ProGet is not always setting severity, and that there are some encoding issues in the vulnerable_versions and title fields.

registry.npmjs.org:

{
  "lodash": [
    {
      "id": 1120370,
      "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg",
      "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
      "severity": "moderate",
      "vulnerable_versions": ">=4.0.0 <=4.17.22",
      "cwe": ["CWE-1321"],
      "cvss": {
        "score": 6.5,
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
      }
    },
    {
      "id": 1115806,
      "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
      "title": "lodash vulnerable to Code Injection via `_.template` imports key names",
      "severity": "high",
      "vulnerable_versions": ">=4.0.0 <=4.17.23",
      "cwe": ["CWE-94"],
      "cvss": {
        "score": 8.1,
        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
      }
    },
    {
      "id": 1115810,
      "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
      "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
      "severity": "moderate",
      "vulnerable_versions": "<=4.17.23",
      "cwe": ["CWE-1321"],
      "cvss": {
        "score": 6.5,
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
      }
    }
  ]
}

ProGet:

{
  "lodash": [
    {
      "cvss": {
        "score": 7.9,
        "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P"
      },
      "cwe": ["CWE-1321"],
      "id": "PGV-2605591:Contain",
      "severity": "critical",
      "title": "[Contain] PGV-2605591: Lodash has Prototype Pollution Vulnerability in \u0060_.unset\u0060 and \u0060_.omit\u0060 functions",
      "url": "https://PROGET-SERVER/vulnerabilities/vulnerability?vulnerabilityId=PGV-2605591",
      "vulnerable_versions": "\u003E=4.0.0 \u003C4.17.23"
    },
    {
      "cvss": {
        "score": 8.1,
        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
      },
      "cwe": ["CWE-94"],
      "id": "PGV-262413Y:Monitor",
      "severity": null,
      "title": "[Monitor] PGV-262413Y: lodash vulnerable to Code Injection via \u0060_.template\u0060 imports key names",
      "url": "https://PROGET-SERVER/vulnerabilities/vulnerability?vulnerabilityId=PGV-262413Y",
      "vulnerable_versions": "\u003E=4.0.0 \u003C4.18.0"
    },
    {
      "cvss": {
        "score": 6.5,
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
      },
      "cwe": ["CWE-1321"],
      "id": "PGV-262413X:Monitor",
      "severity": null,
      "title": "[Monitor] PGV-262413X: lodash vulnerable to Prototype Pollution via array path bypass in \u0060_.unset\u0060 and \u0060_.omit\u0060",
      "url": "https://PROGET-SERVER/vulnerabilities/vulnerability?vulnerabilityId=PGV-262413X",
      "vulnerable_versions": "\u003C4.18.0"
    }
  ]
}

ProGet Info
Web UI: 2026.2 (Build 16)
DB Schema: 26.0.2.16
Database Server: Microsoft SQL Server 2022

]]>https://forums.inedo.com/topic/5780/proget-pnpm-audit-reports-no-vulnerabilitiesRSS for NodeThu, 18 Jun 2026 09:32:54 GMTWed, 17 Jun 2026 10:38:18 GMT60<![CDATA[Reply to ProGet pnpm audit reports no vulnerabilities on Wed, 17 Jun 2026 10:38:18 GMT]]>Hi,

We are having issues with pnpm not picking up the package vulnerabilities when running pnpm audit. It always returns no vulnerabilities when pointing at ProGet, but returns correct results when querying the public npm registry.

It looks like npm audit does work as expected, so this is specific to whatever pnpm is expecting.

Looking at the response from npmjs and ProGet, the only real difference I can see is that ProGet is not always setting severity, and that there are some encoding issues in the vulnerable_versions and title fields.

registry.npmjs.org:

{
  "lodash": [
    {
      "id": 1120370,
      "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg",
      "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
      "severity": "moderate",
      "vulnerable_versions": ">=4.0.0 <=4.17.22",
      "cwe": ["CWE-1321"],
      "cvss": {
        "score": 6.5,
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
      }
    },
    {
      "id": 1115806,
      "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
      "title": "lodash vulnerable to Code Injection via `_.template` imports key names",
      "severity": "high",
      "vulnerable_versions": ">=4.0.0 <=4.17.23",
      "cwe": ["CWE-94"],
      "cvss": {
        "score": 8.1,
        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
      }
    },
    {
      "id": 1115810,
      "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
      "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
      "severity": "moderate",
      "vulnerable_versions": "<=4.17.23",
      "cwe": ["CWE-1321"],
      "cvss": {
        "score": 6.5,
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
      }
    }
  ]
}

ProGet:

{
  "lodash": [
    {
      "cvss": {
        "score": 7.9,
        "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P"
      },
      "cwe": ["CWE-1321"],
      "id": "PGV-2605591:Contain",
      "severity": "critical",
      "title": "[Contain] PGV-2605591: Lodash has Prototype Pollution Vulnerability in \u0060_.unset\u0060 and \u0060_.omit\u0060 functions",
      "url": "https://PROGET-SERVER/vulnerabilities/vulnerability?vulnerabilityId=PGV-2605591",
      "vulnerable_versions": "\u003E=4.0.0 \u003C4.17.23"
    },
    {
      "cvss": {
        "score": 8.1,
        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
      },
      "cwe": ["CWE-94"],
      "id": "PGV-262413Y:Monitor",
      "severity": null,
      "title": "[Monitor] PGV-262413Y: lodash vulnerable to Code Injection via \u0060_.template\u0060 imports key names",
      "url": "https://PROGET-SERVER/vulnerabilities/vulnerability?vulnerabilityId=PGV-262413Y",
      "vulnerable_versions": "\u003E=4.0.0 \u003C4.18.0"
    },
    {
      "cvss": {
        "score": 6.5,
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
      },
      "cwe": ["CWE-1321"],
      "id": "PGV-262413X:Monitor",
      "severity": null,
      "title": "[Monitor] PGV-262413X: lodash vulnerable to Prototype Pollution via array path bypass in \u0060_.unset\u0060 and \u0060_.omit\u0060",
      "url": "https://PROGET-SERVER/vulnerabilities/vulnerability?vulnerabilityId=PGV-262413X",
      "vulnerable_versions": "\u003C4.18.0"
    }
  ]
}

ProGet Info
Web UI: 2026.2 (Build 16)
DB Schema: 26.0.2.16
Database Server: Microsoft SQL Server 2022

]]>https://forums.inedo.com/post/19799https://forums.inedo.com/post/19799Wed, 17 Jun 2026 10:38:18 GMT<![CDATA[Reply to ProGet pnpm audit reports no vulnerabilities on Wed, 17 Jun 2026 14:46:31 GMT]]>Hi @Ashley ,

Thanks for the detailed information. I haven't set up an npm/pnpm environment to test this, but I wanted to share a few thoughts, and see if you can test something.

I doubt the encoding is an issue.

Idea 1: Different API Endpoints

There are two vulnerability APIs, and I think one is kind of deprecated? Anyway ProGet has never implemented that one.

If you haven't already, I'd make sure pnpm is calling the same endpoint.

Idea 2: Null Severity

In the example you provided, severity is only set on one of the three items. If this is the problem, then it would mean that pnpm is erroring when processing the resultset.

This will be trivial to verify: can you (temporarily) override the assessment of PGV-262413Y and PGV-262413X to be Contain? Then, run it again. You should see a "critical" serverity in the results then.

That being said, this is a bug. These vulnerabilities should be suppressed and not show up in the results at all; we'll fix that via PG-3317.

Idea 3: Nonnumeric Id

The other possibility; ProGet is using a string identifier, but npm is using an integer identifier. I suspect that npm used to do CVEs that field, but who knows. None of this is documented.

I'm not really sure how how test this without some kind of proxy/MITM interception, or reverse-engineering their source code.

Maybe this is a GitHub issue on the pnpm repository?

Thanks,
Steve

]]>https://forums.inedo.com/post/19800https://forums.inedo.com/post/19800Wed, 17 Jun 2026 14:46:31 GMT