You probably know the npm-audit tool, which informs you about vulns in your Node.js project's dependencies. I'd like to know what database npm-audit is using and how I get access to this data.

Thank you :)

pinas

2 Answers

As of Oct 7 2021, npm audit relies on GitHub Advisory Database: GitHub Advisory Database now powers npm audit.

Laurel

I hadn't heard of this tool before, but a quick search led me to the documentation:

The npm audit command submits a description of the dependencies configured in your package to your default registry and asks for a report of known vulnerabilities.

So it looks like the information you are interested in is stored in the package registry, maintained by npm. You may be able to discover vulnerable packages programmatically by searching the registry information through the website or otherwise. You can also see a list of advisories here. The nsp-advisories-api is a slightly dated library that appears to be designed for querying this information, if that is what you are looking for, as the question doesn't exactly specify how the information should be accessed or in what format.

multithr3at3d

Hi, thank you. Yes, you are right, I forgot to mention what I already found out :) I do know the advisories page and the API. I'd like to have access to the raw data because I want to do some different analytics on this data; vuln. info about specific packages is not too interesting for me right now. Thank you – pinas Jul 13 '19 at 16:37
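The exchange the documentation quote above describes (client sends "a description of the dependencies", registry answers with matching advisories) can be reproduced offline to see what data actually flows. The following is an added example, not code from either answer or from npm itself. It assumes the npm CLI's bulk advisory request shape (a JSON object mapping package name to a list of installed versions, posted to the registry path /-/npm/v1/security/advisories/bulk) and a response mapping package name to a list of advisories with `id`, `url`, `title`, `severity` and a semver `vulnerable_versions` range; both the lockfile and the registry reply below are constructed samples, and no network call is made.

```python
import json
from collections import defaultdict

# Constructed lockfileVersion-2 package-lock.json (not a real project).
# Nested node_modules paths show why the same package can appear twice.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/minimist": {"version": "0.0.8"},
        "node_modules/@scope/widget": {"version": "2.1.0"},
        "node_modules/@scope/widget/node_modules/minimist": {"version": "1.2.5"},
    },
})

# Constructed registry reply in the assumed bulk-advisory shape.
# Ids, URLs and titles are placeholders, not real advisories.
SAMPLE_RESPONSE = json.dumps({
    "minimist": [{
        "id": 1000001, "url": "https://example.invalid/advisories/1000001",
        "title": "Constructed advisory A", "severity": "moderate",
        "vulnerable_versions": "<1.2.3",
    }],
    "lodash": [{
        "id": 1000002, "url": "https://example.invalid/advisories/1000002",
        "title": "Constructed advisory B", "severity": "high",
        "vulnerable_versions": ">=4.0.0 <4.17.19",
    }],
})


def build_bulk_request(lock_json: str) -> dict:
    """Collapse a package-lock into {name: [versions]}: this is the
    'description of the dependencies' the client sends (assumed shape)."""
    lock = json.loads(lock_json)
    versions = defaultdict(set)
    for path, entry in lock.get("packages", {}).items():
        if not path:            # "" is the root project, which is not audited
            continue
        name = path.split("node_modules/")[-1]   # keeps @scope/name intact
        if "version" in entry:
            versions[name].add(entry["version"])
    return {name: sorted(v) for name, v in sorted(versions.items())}


def _ver(s: str) -> tuple:
    """Numeric core of a semver string; prerelease/build tags are ignored."""
    core = s.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "=": lambda a, b: a == b}


def version_in_range(version: str, rng: str) -> bool:
    """Minimal semver range matcher: comparators separated by spaces are
    ANDed, '||' separates alternatives. Enough for advisory ranges like
    '>=4.0.0 <4.17.19 || >=5.0.0 <5.0.2'."""
    v = _ver(version)
    for alternative in rng.split("||"):
        ok = True
        for comp in alternative.split():
            i = 0
            while i < len(comp) and comp[i] in "<>=":
                i += 1
            op = comp[:i] or "="
            ok = ok and _OPS[op](v, _ver(comp[i:]))
        if ok:
            return True
    return False


def match_advisories(request: dict, response: dict) -> list:
    """Join installed versions against advisories, as the CLI does after
    the registry replies. Only versions inside the range are findings."""
    findings = []
    for name, advisories in response.items():
        for version in request.get(name, []):
            for adv in advisories:
                if version_in_range(version, adv["vulnerable_versions"]):
                    findings.append({"name": name, "version": version,
                                     "id": adv["id"], "severity": adv["severity"],
                                     "title": adv["title"]})
    return findings


def run_offline() -> list:
    """Whole round trip on the constructed samples, without touching the network."""
    request = build_bulk_request(SAMPLE_LOCK)
    return match_advisories(request, json.loads(SAMPLE_RESPONSE))


if __name__ == "__main__":
    for f in run_offline():
        print(f"{f['severity']:>8}  {f['name']}@{f['version']}  {f['title']}")
```

The interesting part for the analytics use case in the question is that the request carries only names and versions, never the lockfile itself, and the reply is per-package advisory records; anything richer (affected ranges across all versions, history) has to come from the advisory source directly rather than from the audit endpoint.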