
[BUG] NPM doesn't complain about malformed JSON in package-lock file #4844

Closed
2 tasks done
micah-press opened this issue May 3, 2022 · 2 comments
Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps), Release 8.x (work is associated with a specific npm 8 release)

Comments

@micah-press

micah-press commented May 3, 2022

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

The artifacts of a merge conflict (<<<< HEAD, ||||, ====, >>>>> <hash>) in a package-lock.json file were accidentally committed to my repository. Running npm ci succeeded with no issues, even though the version and integrity fields were duplicated in a JSON object, and non-JSON compliant text was present.

Expected Behavior

If the JSON in a package-lock.json file is malformed, I expect npm ci to exit with a non-zero exit code. That is the behavior of NPM v6.14.16, but not NPM v7 or v8.

Steps To Reproduce

  1. In this environment, with this zip file extracted into an empty folder (contains a minimal package.json and package-lock.json to reproduce the bug).
  2. With this config, using any NPM version more recent than 7.0.0.
  3. Run npm ci.
  4. And see that no error is reported.
  5. If you install NPM < 7.0.0, like 6.14.16, running npm ci does throw an error.

Environment

  • npm: 8.5.1 (present starting in 7.0.0 up to 8.8.0)
  • Node.js: 14.19.1
  • OS Name: Ubuntu 20.04.4
  • System Model Name: Dell Precision 7560
  • npm config:
; "user" config from $HOME/.npmrc

(obfuscated):registry = "https://npm.pkg.github.com" 
//npm.pkg.github.com/:_authToken = (protected) 

; node bin location = /usr/bin/node
; cwd = $HOME/playground/npm-test
; HOME = /home/(user)
; Run `npm config ls -l` to show all defaults.
@wraithgar (Member) commented

This was a feature introduced in npm@7. It is intentional. When the shrinkwrap is read, it uses https://github.com/npm/parse-conflict-json and these conflicts are resolved. Previously folks were using https://github.com/npm/npm-merge-driver, but the resolution logic was moved into npm itself.
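The two behaviours discussed in this thread, the fail-closed check the reporter expected from npm ci and the "parse each side of the conflict" resolution wraithgar describes, as an added example. This is not npm's code and not the parse-conflict-json implementation; it is an illustration of the approach. The lockfile fragment and its integrity strings are constructed placeholders, and the function names are this example's own.

```javascript
'use strict';

// Constructed sample: a package-lock.json fragment with diff3-style merge
// conflict markers around the version/integrity fields, as in the report above.
// The integrity values are placeholders, not real hashes.
const CONFLICTED_LOCK = `{
  "name": "npm-test",
  "lockfileVersion": 2,
  "packages": {
    "node_modules/left-pad": {
<<<<<<< HEAD
      "version": "1.3.0",
      "integrity": "sha512-AAAA"
||||||| merged common ancestors
      "version": "1.2.0",
      "integrity": "sha512-BBBB"
=======
      "version": "1.1.3",
      "integrity": "sha512-CCCC"
>>>>>>> 0123abc
    }
  }
}`;

// Classify a line as a git conflict marker (ours / base / separator / end), or null.
function markerKind(line) {
  if (/^<{7}( |$)/.test(line)) return 'ours';
  if (/^\|{7}/.test(line)) return 'base';
  if (/^={7}\s*$/.test(line)) return 'separator';
  if (/^>{7}( |$)/.test(line)) return 'end';
  return null;
}

// Walk the text once and split it into the "ours" and "theirs" versions,
// recording the line number where each conflict hunk starts. Base-section lines
// (the common ancestor) are dropped from both sides. Markers that appear out of
// order, or a hunk that never closes, are reported as malformed, not guessed at.
function splitConflict(text) {
  const ours = [];
  const theirs = [];
  const hunks = [];
  let state = 'none'; // none | ours | base | theirs
  text.split('\n').forEach((line, i) => {
    const kind = markerKind(line);
    if (kind === null) {
      if (state === 'none') { ours.push(line); theirs.push(line); }
      else if (state === 'ours') ours.push(line);
      else if (state === 'theirs') theirs.push(line);
      return;
    }
    if (kind === 'ours' && state === 'none') { state = 'ours'; hunks.push(i + 1); return; }
    if (kind === 'base' && state === 'ours') { state = 'base'; return; }
    if (kind === 'separator' && (state === 'ours' || state === 'base')) { state = 'theirs'; return; }
    if (kind === 'end' && state === 'theirs') { state = 'none'; return; }
    throw new Error(`malformed conflict marker at line ${i + 1}: ${line}`);
  });
  if (state !== 'none') throw new Error('unterminated conflict hunk');
  return { ours: ours.join('\n'), theirs: theirs.join('\n'), hunks };
}

// Strict reader: the behaviour the reporter expected. Any conflict hunk, or any
// other JSON syntax error, is fatal, so a CI gate that runs this before `npm ci`
// fails closed instead of installing whichever version/integrity pair a
// resolver happened to pick.
function readLockfileStrict(text) {
  const { hunks } = splitConflict(text);
  if (hunks.length > 0) {
    throw new Error(`package-lock.json contains merge conflict markers at lines ${hunks.join(', ')}`);
  }
  return JSON.parse(text);
}

// Lenient reader, in the spirit of what npm@7+ does when it reads a shrinkwrap
// (an illustration only, not npm's parse-conflict-json): parse each side of the
// conflict separately and return both, so the caller sees that two different
// versions and integrity hashes were in play rather than silently getting one.
function readLockfileLenient(text) {
  const { ours, theirs, hunks } = splitConflict(text);
  return { ours: JSON.parse(ours), theirs: JSON.parse(theirs), conflictHunks: hunks.length };
}

// Usage: the strict reader rejects the sample, the lenient one parses both sides.
try {
  readLockfileStrict(CONFLICTED_LOCK);
} catch (err) {
  console.log('strict:', err.message);
}
const both = readLockfileLenient(CONFLICTED_LOCK);
console.log('lenient ours:', both.ours.packages['node_modules/left-pad']);
console.log('lenient theirs:', both.theirs.packages['node_modules/left-pad']);
```

The strict reader is the one to wire into CI: a lockfile that still carries conflict markers has two candidate integrity hashes for the same package, and a silent resolution means the installed artifact is whichever side the resolver preferred, with no signal in the build log.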

@cjones26

@wraithgar -- you say that this resolution logic was moved into npm itself. Can you elaborate more about the appropriate process for managing lockfiles? I don't see anything in the documentation about it since v6, here: https://docs.npmjs.com/cli/v6/configuring-npm/package-locks#resolving-lockfile-conflicts.
