ProGet pnpm audit reports no vulnerabilities
-
Hi,
We are having issues with pnpm not picking up the package vulnerabilities when running `pnpm audit`. It always returns no vulnerabilities when pointing at ProGet, but returns correct results when querying the public npm registry. It looks like `npm audit` does work as expected, so this is specific to whatever pnpm is expecting.

Looking at the response from npmjs and ProGet, the only real difference I can see is that ProGet is not always setting `severity`, and that there are some encoding issues in the `vulnerable_versions` and `title` fields.

npmjs:

```json
{
  "lodash": [
    {
      "id": 1120370,
      "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg",
      "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
      "severity": "moderate",
      "vulnerable_versions": ">=4.0.0 <=4.17.22",
      "cwe": ["CWE-1321"],
      "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }
    },
    {
      "id": 1115806,
      "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
      "title": "lodash vulnerable to Code Injection via `_.template` imports key names",
      "severity": "high",
      "vulnerable_versions": ">=4.0.0 <=4.17.23",
      "cwe": ["CWE-94"],
      "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }
    },
    {
      "id": 1115810,
      "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
      "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
      "severity": "moderate",
      "vulnerable_versions": "<=4.17.23",
      "cwe": ["CWE-1321"],
      "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }
    }
  ]
}
```

ProGet:

```json
{
  "lodash": [
    {
      "cvss": { "score": 7.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P" },
      "cwe": ["CWE-1321"],
      "id": "PGV-2605591:Contain",
      "severity": "critical",
      "title": "[Contain] PGV-2605591: Lodash has Prototype Pollution Vulnerability in \u0060_.unset\u0060 and \u0060_.omit\u0060 functions",
      "url": "https://PROGET-SERVER/vulnerabilities/vulnerability?vulnerabilityId=PGV-2605591",
      "vulnerable_versions": "\u003E=4.0.0 \u003C4.17.23"
    },
    {
      "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" },
      "cwe": ["CWE-94"],
      "id": "PGV-262413Y:Monitor",
      "severity": null,
      "title": "[Monitor] PGV-262413Y: lodash vulnerable to Code Injection via \u0060_.template\u0060 imports key names",
      "url": "https://PROGET-SERVER/vulnerabilities/vulnerability?vulnerabilityId=PGV-262413Y",
      "vulnerable_versions": "\u003E=4.0.0 \u003C4.18.0"
    },
    {
      "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" },
      "cwe": ["CWE-1321"],
      "id": "PGV-262413X:Monitor",
      "severity": null,
      "title": "[Monitor] PGV-262413X: lodash vulnerable to Prototype Pollution via array path bypass in \u0060_.unset\u0060 and \u0060_.omit\u0060",
      "url": "https://PROGET-SERVER/vulnerabilities/vulnerability?vulnerabilityId=PGV-262413X",
      "vulnerable_versions": "\u003C4.18.0"
    }
  ]
}
```

ProGet Info
Web UI: 2026.2 (Build 16)
DB Schema: 26.0.2.16
Database Server: Microsoft SQL Server 2022
-
Hi @Ashley ,
Thanks for the detailed information. I haven't set up an npm/pnpm environment to test this, but I wanted to share a few thoughts, and see if you can test something.
I doubt the encoding is an issue.
Idea 1: Different API Endpoints
There are two vulnerability APIs, and I think one is kind of deprecated? Anyway, ProGet has never implemented that one.
If you haven't already, I'd make sure pnpm is calling the same endpoint.
Idea 2: Null Severity
In the example you provided, `severity` is only set on one of the three items. If this is the problem, then it would mean that pnpm is erroring when processing the resultset.

This will be trivial to verify: can you (temporarily) override the assessment of PGV-262413Y and PGV-262413X to be Contain? Then, run it again. You should see a "critical" severity in the results then.

That being said, this is a bug. These vulnerabilities should be suppressed and not show up in the results at all; we'll fix that via PG-3317.
Idea 3: Nonnumeric Id
The other possibility: ProGet is using a string identifier, but npm is using an integer identifier. I suspect that npm used to put CVEs in that field, but who knows. None of this is documented.
I'm not really sure how to test this without some kind of proxy/MITM interception, or reverse-engineering their source code.
Maybe this is a GitHub issue on the pnpm repository?
Thanks,
Steve
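Added example for this thread (not code from either post, from Inedo, or from pnpm): a small script that covers both the schema differences Ashley spotted in the two responses and Steve's question of how to see which endpoint pnpm actually calls without a TLS-intercepting proxy. `validate_bulk_response()` reads a raw bulk-advisory body and reports null `severity`, severities outside npm's five levels, non-integer `id` values and the number of `\uXXXX` escape sequences (those are valid JSON and decode to the same text npmjs sends, so they are informational only). `LoggingRegistry` is a throwaway local registry that records the path and body of every POST it receives; point the client at it with `pnpm audit --registry http://127.0.0.1:<port>/` and read the log. Assumptions: the two endpoint paths are taken from the public npm registry API, not from pnpm or ProGet source; the stub answers only the bulk path and 404s everything else, which is a hypothetical stand-in for a registry that implements one of the two APIs; `PROGET_RAW` is an abridged copy of the ProGet response from the first post.

```python
"""Added example (not from the forum posts, Inedo or pnpm): audit-response
checks plus a logging stub registry for the pnpm-vs-ProGet mismatch."""
import json
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

BULK_PATH = "/-/npm/v1/security/advisories/bulk"  # assumed: npm bulk advisory API
FULL_AUDIT_PATH = "/-/npm/v1/security/audits"      # assumed: older full-audit API
NPM_SEVERITIES = {"info", "low", "moderate", "high", "critical"}  # npm audit levels

# Abridged ProGet body from the first post, kept as raw text so the \u escapes
# survive exactly as a client would receive them on the wire.
PROGET_RAW = r'''{"lodash":[
 {"id":"PGV-2605591:Contain","severity":"critical",
  "title":"[Contain] PGV-2605591: ... \u0060_.unset\u0060 and \u0060_.omit\u0060 functions",
  "vulnerable_versions":"\u003E=4.0.0 \u003C4.17.23"},
 {"id":"PGV-262413Y:Monitor","severity":null,
  "title":"[Monitor] PGV-262413Y: ... \u0060_.template\u0060 imports key names",
  "vulnerable_versions":"\u003E=4.0.0 \u003C4.18.0"},
 {"id":"PGV-262413X:Monitor","severity":null,
  "title":"[Monitor] PGV-262413X: ... array path bypass",
  "vulnerable_versions":"\u003C4.18.0"}]}'''


def validate_bulk_response(raw_body: str) -> dict:
    """Compare one bulk-advisory response body against the shape npmjs returns."""
    findings = {
        "null_severity": [],     # advisories whose severity is missing or null
        "unknown_severity": [],  # severity set, but not one of npm's five levels
        "non_integer_id": [],    # npmjs uses integer advisory ids
        # \uXXXX escapes are legal JSON; counted so the two bodies can be compared
        "escape_sequences": len(re.findall(r"\\u00[0-9a-fA-F]{2}", raw_body)),
    }
    for _pkg, advisories in json.loads(raw_body).items():
        for adv in advisories:
            ident, severity = adv.get("id"), adv.get("severity")
            if severity is None:
                findings["null_severity"].append(ident)
            elif severity not in NPM_SEVERITIES:
                findings["unknown_severity"].append(ident)
            if type(ident) is not int:
                findings["non_integer_id"].append(ident)
    return findings


class _Handler(BaseHTTPRequestHandler):
    """Record every POST; serve the canned bulk body on BULK_PATH, 404 elsewhere."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.server.requests.append((self.path, body.decode()))
        if self.path != BULK_PATH:
            self.send_error(404)  # hypothetical: only the bulk API is implemented
            return
        payload = self.server.bulk_body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the console quiet
        pass


class LoggingRegistry(HTTPServer):
    """Local registry stub; .requests holds (path, body) for each call received."""

    def __init__(self, bulk_body: str, host: str = "127.0.0.1", port: int = 0):
        super().__init__((host, port), _Handler)
        self.requests = []
        self.bulk_body = bulk_body
        self._thread = threading.Thread(target=self.serve_forever, daemon=True)

    def start(self) -> str:
        """Start serving in the background and return the registry base URL."""
        self._thread.start()
        return f"http://{self.server_address[0]}:{self.server_address[1]}/"

    def stop(self):
        self.shutdown()
        self.server_close()


def probe(base_url: str, path: str, request_body: dict):
    """POST request_body as JSON to base_url+path; return (status, response text)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 data=json.dumps(request_body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    print("ProGet body findings:", validate_bulk_response(PROGET_RAW))
    registry = LoggingRegistry(PROGET_RAW)
    print(f"stub registry up; run: pnpm audit --registry {registry.start()}")
    try:
        threading.Event().wait()  # serve until Ctrl-C
    except KeyboardInterrupt:
        registry.stop()
    for path, body in registry.requests:
        print("request:", path, body[:80])
```

Running the script stand-alone prints the findings for the posted ProGet body and then waits; whatever `pnpm audit` sends shows up in the request log, which answers the endpoint question directly. To compare the live ProGet response, `probe(base_url, BULK_PATH, {"lodash": ["4.17.21"]})` against the real server and pass the returned text to `validate_bulk_response()`.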