eyalk007/big-npm

big-npm: NPM Regex Bug Test Project

Purpose

This project reproduces a bug in the npm package handler's regex matching logic: the handler looks for the exact version that package-lock.json resolved, but package.json almost always declares a semver range instead, so the lookup fails and the fix is never applied.

The Bug

The npm handler searches package.json for the resolved version taken from package-lock.json, but package.json typically contains semver ranges, not exact versions. Whenever the lock file has resolved a version other than the one written in the range, the version-bound regex finds nothing.

Example

package.json:

{
  "dependencies": {
    "axios": "^0.21.1"
  }
}

package-lock.json:

{
  "packages": {
    "node_modules/axios": {
      "version": "0.21.4"
    }
  }
}

What happens:

  1. JFrog engine scans package-lock.json and finds a vulnerability in axios@0.21.4
  2. Engine reports: ImpactedDependencyVersion = "0.21.4"
  3. npm handler builds regex: \s*"axios"\s*:\s*"[~^]?0\.21\.4"
  4. Searches package.json for: "axios": "0.21.4", "axios": "^0.21.4" or "axios": "~0.21.4"
  5. ❌ NO MATCH, because package.json has "axios": "^0.21.1"
  6. Error: dependency 'axios' with version '0.21.4' not found in descriptor 'package.json' despite lock file evidence

Vulnerable Dependencies

This project contains the following vulnerable dependencies with semver ranges:

| Package | package.json | Resolved in lock | Vulnerability |
| --- | --- | --- | --- |
| axios | ^0.21.1 | 0.21.4 | High (SSRF, DoS, CSRF) |
| lodash | ^4.17.19 | (check lock) | Various |
| minimist | ~1.2.5 | (check lock) | Various |
| express | ^4.17.0 | (check lock) | Various |

The Fix

The regex should search by package name only, not by version, and treat whatever is inside the quotes as the value to rewrite:

Current (broken):

```go
npmDependencyRegexpPattern = `\s*"%s"\s*:\s*"[~^]?%s"`
// Searches for: "axios": "[~^]?0.21.4"
```

Fixed (like Maven):

```go
npmDependencyRegexpPattern = `\s*"%s"\s*:\s*"[^"]+"`
// Searches for: "axios": "<any version>"
```

Two caveats when applying the fix. First, the rewrite should keep the range prefix that package.json already uses (a `^0.21.1` entry should become `^<fixed version>`, not a pinned version), so the prefix and the version are best captured as separate groups. Second, `[^"]+` matches any string value, including `latest`, a git URL or a `file:` path, so the captured value should still be checked to be a semver range before it is replaced.
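The mismatch described above and the name-only fix, as an added Go example (it is not code from the big-npm repository or from Frogbot). The package.json text is constructed for the example; `fixedPattern` extends the README's fixed regex with capture groups so the range prefix survives the rewrite, and the function names are this example's own:

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample package.json for this example (not a file from the
// repository): every dependency is declared as a semver range, so none of the
// declared strings equals the version package-lock.json resolved.
const packageJSON = `{
  "name": "big-npm",
  "dependencies": {
    "axios": "^0.21.1",
    "lodash": "^4.17.19"
  },
  "devDependencies": {
    "minimist": "~1.2.5"
  }
}`

// brokenPattern is the version-bound pattern from the README. The first %s is
// the package name, the second the version resolved in package-lock.json.
const brokenPattern = `\s*"%s"\s*:\s*"[~^]?%s"`

// fixedPattern matches by package name only. It captures the key (1), the
// range prefix such as ^ or ~ (2), the declared version (3) and the closing
// quote (4) so a rewrite can keep the prefix and replace only the version.
const fixedPattern = `(\s*"%s"\s*:\s*")([~^<>=]*)([^"]+)(")`

// brokenFinds reports whether the version-bound regex locates the dependency.
// It fails whenever the lock file resolved a version other than the one
// written in the range.
func brokenFinds(descriptor, name, resolvedVersion string) bool {
	re := regexp.MustCompile(fmt.Sprintf(brokenPattern,
		regexp.QuoteMeta(name), regexp.QuoteMeta(resolvedVersion)))
	return re.MatchString(descriptor)
}

// declaredRange returns the version string the descriptor declares for name,
// prefix included, or "" when the package is not declared at all.
func declaredRange(descriptor, name string) string {
	re := regexp.MustCompile(fmt.Sprintf(fixedPattern, regexp.QuoteMeta(name)))
	m := re.FindStringSubmatch(descriptor)
	if m == nil {
		return ""
	}
	return m[2] + m[3]
}

// bumpVersion rewrites the declared version of name to fixedVersion while
// preserving the original range prefix. The second result is false only when
// the package is not declared, which is the one case that should still error.
func bumpVersion(descriptor, name, fixedVersion string) (string, bool) {
	re := regexp.MustCompile(fmt.Sprintf(fixedPattern, regexp.QuoteMeta(name)))
	if !re.MatchString(descriptor) {
		return descriptor, false
	}
	return re.ReplaceAllString(descriptor, "${1}${2}"+fixedVersion+"${4}"), true
}

func main() {
	fmt.Println("broken regex finds axios@0.21.4:", brokenFinds(packageJSON, "axios", "0.21.4"))
	fmt.Println("broken regex finds axios@0.21.1:", brokenFinds(packageJSON, "axios", "0.21.1"))
	fmt.Println("declared range for axios:", declaredRange(packageJSON, "axios"))
	fixed, ok := bumpVersion(packageJSON, "axios", "1.6.0")
	fmt.Println("bumped:", ok)
	fmt.Println(fixed)
}
```

The broken pattern only succeeds for `0.21.1`, the version literally written in the range, which is why a lock file that drifted to `0.21.4` produces the "not found in descriptor" error. The name-only pattern finds the entry regardless of what the lock file resolved, and the rewrite turns `^0.21.1` into `^1.6.0` without touching lodash or minimist.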

Frequency

This bug affects most npm projects (roughly 85% by this project's estimate) because:

  • ✅ Most projects declare semver ranges (^, ~, >=)
  • ❌ Few projects pin exact versions

The lookup fails only when the lock file resolved a version that differs from the one written in the range: "axios": "^0.21.4" with 0.21.4 in the lock still matches, "axios": "^0.21.1" with 0.21.4 in the lock does not, and any prefix the regex does not handle at all (such as >=) never matches.

How to Test

```bash
# 1. Scan for vulnerabilities
npm audit

# 2. Run Frogbot (should fail with the regex bug)
frogbot scan-repository

# Expected error:
# "dependency 'axios' with version '0.21.4' not found in descriptor"
```

Comparison with Maven

Maven's implementation doesn't have this bug because it searches by artifact coordinates only and accepts whatever text is inside the version element:

```go
// Maven regex: groupId and artifactId are matched literally, the version is not
pattern := regexp.MustCompile(`(?s)(<groupId>` + regexp.QuoteMeta(groupId) +
	`</groupId>\s*<artifactId>` + regexp.QuoteMeta(artifactId) +
	`</artifactId>\s*<version>)[^<]+(</version>)`)
// Matches ANY version: [^<]+
```
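The coordinate-only Maven regex applied to a pom, as an added Go example (not code from this repository or from Frogbot). The pom.xml text is constructed for the example; the pattern is the one above with an extra capture group around `[^<]+` so the declared version can be returned, and the property-reference check is this example's own addition, because `[^<]+` also matches `${...}` placeholders that a literal rewrite would silently break:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample pom.xml for this example (not a file from the
// repository). The second dependency takes its version from a property,
// which the coordinate regex matches but which must not be rewritten literally.
const pomXML = `<project>
  <properties>
    <commons.version>3.9</commons.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.8</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>${commons.version}</version>
    </dependency>
  </dependencies>
</project>`

// mavenDependencyRegexp builds the coordinate-only pattern: groupId and
// artifactId are quoted literally, the version is matched by [^<]+ (captured
// as group 2 here) and the surrounding tags are captured as groups 1 and 3.
func mavenDependencyRegexp(groupId, artifactId string) *regexp.Regexp {
	return regexp.MustCompile(`(?s)(<groupId>` + regexp.QuoteMeta(groupId) +
		`</groupId>\s*<artifactId>` + regexp.QuoteMeta(artifactId) +
		`</artifactId>\s*<version>)([^<]+)(</version>)`)
}

// declaredVersion returns the literal text inside <version> for the
// coordinates, or "" when the dependency is not declared in the pom.
func declaredVersion(pom, groupId, artifactId string) string {
	m := mavenDependencyRegexp(groupId, artifactId).FindStringSubmatch(pom)
	if m == nil {
		return ""
	}
	return m[2]
}

// isPropertyReference reports whether a declared version is a ${...}
// placeholder rather than a literal version.
func isPropertyReference(version string) bool {
	return strings.HasPrefix(version, "${") && strings.HasSuffix(version, "}")
}

// bumpMavenVersion replaces the literal version for the coordinates. It
// refuses property references: turning "${commons.version}" into "3.12.0"
// would leave the property definition untouched and mislead the next scan.
func bumpMavenVersion(pom, groupId, artifactId, newVersion string) (string, error) {
	re := mavenDependencyRegexp(groupId, artifactId)
	m := re.FindStringSubmatch(pom)
	if m == nil {
		return pom, fmt.Errorf("dependency %s:%s not found in pom.xml", groupId, artifactId)
	}
	if isPropertyReference(m[2]) {
		return pom, fmt.Errorf("version of %s:%s is the property %s; update the property instead",
			groupId, artifactId, m[2])
	}
	return re.ReplaceAllString(pom, "${1}"+newVersion+"${3}"), nil
}

func main() {
	fmt.Println("jackson-databind:", declaredVersion(pomXML, "com.fasterxml.jackson.core", "jackson-databind"))
	fmt.Println("commons-lang3:", declaredVersion(pomXML, "org.apache.commons", "commons-lang3"))
	fixed, err := bumpMavenVersion(pomXML, "com.fasterxml.jackson.core", "jackson-databind", "2.15.2")
	fmt.Println("bump error:", err)
	fmt.Println(fixed)
	_, err = bumpMavenVersion(pomXML, "org.apache.commons", "commons-lang3", "3.12.0")
	fmt.Println("property bump error:", err)
}
```

Because the version is never part of the search key, the Maven lookup succeeds no matter what the scanner reported as the resolved version; the only remaining decision is what to do with the text that was found, which is the same decision the npm fix has to make about range prefixes.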
