Comments (7)
wraithgar
commented on September 26, 2024
1
const p = pacote.packument(name, { ...this[_options] })
Ah, good find. It's this module that's fetching the packument. This module needs to normalize it with @npmcli/package-json#normalize. It's intended to accept a package.json not a full packument so it'll need to normalize each version before processing.
from metavuln-calculator.
wraithgar
commented on September 26, 2024
The package.json that this module gets has been passed through a normalize function. It is not intended to get the un-normalized package.json. This is why it is making the assumption that if bundleDependencies exists it is an array.
Do you have steps to reproduce that aren't manually changing a test file?
from metavuln-calculator.
jinganix
commented on September 26, 2024
We get the issue when retrieve packages from cloudsmith repo, it seems cloudsmith doesn't convert bundleDependencies: true to bundleDependencies: [...] in the response. The npm audit works before node 14 in our repo, and fails from node 16. It's hard to make a standalone demo.
from metavuln-calculator.
jinganix
commented on September 26, 2024
We are using node 18.14.2 and npm 9.6.3, the package-json version is 3.0.0. The package-json doesn't have a normalize.js in the release zip file. I will try with node 18.17.1.
from metavuln-calculator.
jinganix
commented on September 26, 2024
It still fails in 18.17.1. I found in this line:
metavuln-calculator/lib/index.js
Line 55 in fd9e345
packument.versions has many versions, some of them has bundleDependencies: true
It seems npm registry will convert bundleDependencies: true to bundleDependencies: [...], but cloudsmith won't. Is the convertion a standard rule that registries should follow?
from metavuln-calculator.
wraithgar
commented on September 26, 2024
If the cloudsmith registry is returning the bundleDependencies: true but npm itself is not normalizing that before audit, then it's inside npm itself not this module. The fix needs to happen in the audit workflow in either npm or arborist.
from metavuln-calculator.
jinganix
commented on September 26, 2024
It still fails in
18.17.1. I found in this line:metavuln-calculator/lib/index.js
Line 55 in fd9e345
packument.versionshas many versions, some of them hasbundleDependencies: trueIt seems npm registry will convert
bundleDependencies: truetobundleDependencies: [...], butcloudsmithwon't. Is the convertion a standard rule that registries should follow?
The request to cloudsmith is in this module:
metavuln-calculator/lib/index.js
Line 109 in fd9e345
The response with bundleDependencies: true is:
metavuln-calculator/lib/index.js
Line 121 in fd9e345
Should I raise the issue in https://github.com/npm/cli?
from metavuln-calculator.
Related Issues (9)
- [FEATURE] skip prereleases if possible
- [BUG] Cannot convert undefined or null to object when running security advisory HOT 5
- [FEATURE] do metavulnerability calculation in worker thread HOT 1
- [BUG] `npm i` fails during audit
- [BUG] cannot convert undefined or null to object
- Cannot convert undefined or null to object HOT 16
- [BUG] Cannot convert undefined or null to object in case of installing a dependency from github HOT 6
- [BUG] v1.1.1: TypeError: semver.simplifyRange is not a function HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from metavuln-calculator.