We ran into an issue when an NPM package has a vulnerability, but an exception has been made to allow the package download. The example we have is static-eval v2.1.1.
We have an exception on the PGV-2133354 vulnerability since it has been withdrawn.
npm audit and npm install fail because the severity level of the vulnerability with the exception is info, which is not a supported level by NPM. The output from npm is:
npm ERR! undefined is not iterable (cannot read property Symbol(Symbol.iterator))
NPM Audit Severity Levels
And you can see in the NPM Audit code that it does not expect info as a severity level.
Output from ProGet npm/v1/security/advisories/bulk endpoint:
Right now we are NOT able to build with this package without disabling vulnerability detection, which is not permitted by corporate policy. How can we correct the output from ProGet so that npm will successfully build?
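The check below is an added example and is not code from the original post, from ProGet, or from npm. It assumes the bulk advisory response has the shape used by public npm clients, `{ "<package>": [ { id, url, title, severity, vulnerable_versions } ] }`, and it treats `low`, `moderate`, `high` and `critical` as the severities npm accepts, following the post's observation that `info` is not handled; adjust `NPM_SEVERITIES` if your npm version differs. The sample response is constructed for the example: the `PGV-2133354` entry mirrors the situation described above, while `EXAMPLE-0001`, `EXAMPLE-0002`, `other-pkg` and the `example.invalid` URLs are placeholders. It reports every advisory that would trip npm and produces a sanitized copy in which the excepted advisory is dropped, so the other advisories still reach npm and vulnerability detection stays on.

```javascript
// Added example (not ProGet's or npm's code): detect severities in a bulk
// advisory response that npm does not accept, and strip only those advisories
// so an exception for a withdrawn advisory does not break npm audit / install.
// ASSUMPTION: the response format below is the npm bulk advisory shape, and
// the accepted severity set is as described in the post (no "info").

const NPM_SEVERITIES = new Set(['low', 'moderate', 'high', 'critical']);

// Constructed sample response modelled on the post. Identifiers other than
// PGV-2133354, the package "other-pkg" and all URLs are placeholders.
const sampleResponse = {
  'static-eval': [
    {
      id: 'PGV-2133354',
      url: 'https://example.invalid/advisories/PGV-2133354', // placeholder URL
      title: 'Withdrawn advisory (exception granted)',
      severity: 'info',
      vulnerable_versions: '<=2.1.1',
    },
    {
      id: 'EXAMPLE-0001', // hypothetical identifier
      url: 'https://example.invalid/advisories/EXAMPLE-0001',
      title: 'Hypothetical second advisory',
      severity: 'high',
      vulnerable_versions: '<2.0.0',
    },
  ],
  'other-pkg': [
    {
      id: 'EXAMPLE-0002', // hypothetical identifier
      url: 'https://example.invalid/advisories/EXAMPLE-0002',
      title: 'Hypothetical withdrawn advisory',
      severity: 'info',
      vulnerable_versions: '*',
    },
  ],
};

// List every advisory whose severity npm would not accept, plus structural
// problems (a package value that is not an array) that would also break npm.
function findUnsupportedAdvisories(response) {
  const findings = [];
  for (const [pkg, advisories] of Object.entries(response)) {
    if (!Array.isArray(advisories)) {
      findings.push({ pkg, id: null, severity: null, reason: 'advisories is not an array' });
      continue;
    }
    for (const adv of advisories) {
      const sev = typeof adv.severity === 'string' ? adv.severity.toLowerCase() : null;
      if (!NPM_SEVERITIES.has(sev)) {
        findings.push({ pkg, id: adv.id, severity: adv.severity, reason: 'unsupported severity' });
      }
    }
  }
  return findings;
}

// Build a copy of the response that npm can consume: advisories with an
// unsupported severity are dropped (the intent of an exception for a withdrawn
// advisory), accepted severities are lower-cased, and packages left with no
// advisories are omitted instead of being reported with an empty list.
function sanitizeBulkResponse(response) {
  const out = {};
  for (const [pkg, advisories] of Object.entries(response)) {
    if (!Array.isArray(advisories)) continue;
    const kept = advisories
      .filter((adv) => typeof adv.severity === 'string' && NPM_SEVERITIES.has(adv.severity.toLowerCase()))
      .map((adv) => ({ ...adv, severity: adv.severity.toLowerCase() }));
    if (kept.length > 0) out[pkg] = kept;
  }
  return out;
}

// Stand-alone run: show what would trip npm, then the sanitized body.
console.log(JSON.stringify(findUnsupportedAdvisories(sampleResponse), null, 2));
console.log(JSON.stringify(sanitizeBulkResponse(sampleResponse), null, 2));
```

Running the file lists the `info` entries for `static-eval` and `other-pkg` as findings and prints a response containing only the `EXAMPLE-0001` advisory for `static-eval`; `other-pkg` disappears entirely because its only advisory was the excepted one. The same two functions can sit in a small proxy in front of the `npm/v1/security/advisories/bulk` endpoint, or be used once against a captured response to confirm which entry is the one npm chokes on.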