Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent blowing up on audit malformed response #42

Merged
merged 4 commits into from
Aug 20, 2018
Merged

Conversation

framp
Copy link
Contributor

@framp framp commented Aug 8, 2018

npm is failing our builds with:

npm ERR! Cannot read property 'totalDependencies' of undefined

which it's coming out of auditing

There must be something wrong in whatever code is generating the response - this only prevents blowing up a valid installation because of this.

@framp framp requested a review from a team as a code owner August 8, 2018 16:23
Copy link
Contributor

@ljharb ljharb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More defensive programming in general would help use with things like artifactory, that may not meet the CLI’s implicit assumptions about data format.

@zkat zkat added semver:patch semver patch level for changes security labels Aug 9, 2018
Copy link
Contributor

@zkat zkat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems fine, but I'd like to have a warning if metadata is missing like this. There's definitely a bug in our services somewhere if that happens (or in npm-audit-report, so I'd like to make sure we don't just hide the problem.

@@ -834,7 +834,7 @@ Installer.prototype.printInstalledForHuman = function (diffs, auditResult) {
if (removed) actions.push('removed ' + packages(removed))
if (updated) actions.push('updated ' + packages(updated))
if (moved) actions.push('moved ' + packages(moved))
if (auditResult && auditResult.metadata.totalDependencies) {
if (auditResult && auditResult.metadata && auditResult.metadata.totalDependencies) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is missing, there's definitely an issue with the endpoint. I'd rather spit out a warning here if this happens, so we can make sure to track it down. In the future, it might also be good to have npm-audit-report verify the data we get from the server and warn accordingly, and we can remove the warning from lib/install.js at that point.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There could also be a bug in a non-npm registry - like artifactory - if they implemented audit support but did it incorrectly?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, the intention is also to cover non-npm registries, but I didn't think this was necessarily an artifactory issue. If so, then yeah, they should fix their stuff.

@framp
Copy link
Contributor Author

framp commented Aug 14, 2018

I added a warn using npmlog - hope I didn't miss some internal conventions

Copy link
Contributor

@zkat zkat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 LGTM

I poked at it a little, but this works :)

@zkat zkat changed the base branch from latest to release-next August 20, 2018 22:28
Copy link
Contributor

@zkat zkat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything looks awesome. Thank you!

@zkat zkat merged commit 8d1b322 into npm:release-next Aug 20, 2018
zkat pushed a commit that referenced this pull request Aug 20, 2018
antongolub pushed a commit to antongolub-forks/npm-cli that referenced this pull request May 18, 2024
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
semver:patch semver patch level for changes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants