Skip to content

npm finding for local package on package-lock.lock - false positive? #2881

Description

@nirhaas

Hi. I ran osv-scanner on a databricks/app-template template and encountered a potential false positive match.

The project's package-lock.json includes a package which is a link to a local path.

    "node_modules/@chat-template/auth": {
      "resolved": "packages/auth",
      "link": true
    },

However, osv-scanner flags this against MAL-2026-5124, which is a malicious package advisory intended for the @chat-template/auth npm registry package (no longer available apparently).

Considering the package is a link to a local directory, and not the npm package - I think this is a false positive.

Possible related issues:
#1861
google/osv-scalibr#808

Thanks

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions