
Unmet peer deps prevent building an SBOM #81

Closed
alexthemark opened this issue Aug 26, 2022 · 8 comments · Fixed by #107

Comments

@alexthemark

Hi -- loving the TypeScript rewrite here. I'm having some pretty good results running this on my monorepo, and gathering all the package data together.

However, the build is failing due to an unmet peer dependency. npm ls causes this failure per npm/npm#17624 and https://github.com/CycloneDX/cyclonedx-node-npm/blob/1.0-dev/src/builders.ts#L141-L150.

I'm not worried about this unmet peer dependency -- I know it's just a silly library that hasn't updated its peer deps to say it supports React 18. But it causes me to be unable to generate an SBOM here. If I remove the error throwing from your package, I believe I still get an accurate SBOM, since it uses the deduped dependencies.

Is this desired behavior? Or could this be a warn in the build instead of an error that prevents building an SBOM?

@jkowalleck
Member

jkowalleck commented Aug 29, 2022

I am thinking of a CLI switch to suppress/ignore errors from npm ls.

Therefore it might help to have your use case as a reproducible example somehow.
Could you share your npm lock file, or point me to a setup where this behavior can be seen?

@alexthemark
Author

alexthemark commented Aug 29, 2022

The repo I've been using is private, but I created a minimal example at https://github.com/alexthemark/example-unmet-peer-dep. If you clone that, run npm install, and run npm run build:bom, you should see the error.

Interestingly, if I have a global install of cyclonedx-npm and I run cyclonedx-npm --output-file=bom.json from the command line, it will display the same error, but will not throw the error that fails the entire script. I see the error, but the script will continue to run and write bom.json. I'm not sure what's causing the difference (and I'm on a mac in case that might change things). <- this was untrue, my debugging just got in the way

@alexthemark
Author

alexthemark commented Aug 29, 2022

Adding to the above, when I run npm run build:bom I receive the following fatal error:

npm run build:bom

> example-amplify-app@1.0.0 build:bom
> cyclonedx-npm --output-file=bom.json

DEBUG | options: {"packageLockOnly":false,"omit":[],"flattenComponents":false,"specVersion":"1.4","outputFormat":"JSON","outputFile":"bom.json","mcType":"application"}
DEBUG | packageFile: /Users/code/example-amplify-app/package.json
DEBUG | projectDir: /Users/code/example-amplify-app
DEBUG | lockFile: /Users/code/example-amplify-app/package-lock.json
INFO  | gather dependency tree ...
DEBUG | npm-ls: run /opt/homebrew/lib/node_modules/npm/bin/npm-cli.js with ["ls","--json","--all","--long"] in /Users/code/example-amplify-app
WARN  | npm-ls: STDERR
  npm ERR! code ELSPROBLEMS
  npm ERR! invalid: react@18.2.0 /Users/code/example-amplify-app/node_modules/react
  {
    "error": {
      "code": "ELSPROBLEMS",
      "summary": "invalid: react@18.2.0 /Users/code/example-amplify-app/node_modules/react",
      "detail": ""
    }
  }
  
  npm ERR! A complete log of this run can be found in:
  npm ERR!     /Users/.npm/_logs/2022-08-29T17_45_07_711Z-debug-0.log
  
ERROR | npm-ls: errors
  {}
/Users/code/example-amplify-app/node_modules/@cyclonedx/cyclonedx-npm/dist/builders.js:80
            throw new Error(`npm-ls exited with errors: ${error.errno ?? '???'} ${error.code ?? npmLsReturns.status ?? 'noCode'} ${error.signal ?? npmLsReturns.signal ?? 'noSignal'}`);
            ^

Error: npm-ls exited with errors: ??? 1 noSignal
    at BomBuilder.fetchNpmLs (/Users/code/example-amplify-app/node_modules/@cyclonedx/cyclonedx-npm/dist/builders.js:80:19)
    at BomBuilder.buildFromLockFile (/Users/code/example-amplify-app/node_modules/@cyclonedx/cyclonedx-npm/dist/builders.js:43:41)
    at Object.run (/Users/code/example-amplify-app/node_modules/@cyclonedx/cyclonedx-npm/dist/cli.js:97:19)
    at Object.<anonymous> (/Users/code/example-amplify-app/node_modules/@cyclonedx/cyclonedx-npm/bin/cyclonedx-npm-cli.js:2:27)
    at Module._compile (node:internal/modules/cjs/loader:1097:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1151:10)
    at Module.load (node:internal/modules/cjs/loader:975:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)
    at node:internal/main/run_main_module:17:47

Node.js v17.6.0

@jkowalleck
Member

jkowalleck commented Sep 6, 2022

Tried to install https://github.com/alexthemark/example-unmet-peer-dep
via npm ci.

Got an error straight away:

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: react-dom@17.0.2
npm ERR! Found: react@18.2.0
npm ERR! node_modules/react
npm ERR!   react@"^18.2.0" from the root project
npm ERR!   peer react@">= 16.8.0" from @aws-amplify/ui-react@3.4.1
npm ERR!   node_modules/@aws-amplify/ui-react
npm ERR!     @aws-amplify/ui-react@"^3.4.1" from the root project
npm ERR!   14 more (@aws-amplify/ui-react-v1, @radix-ui/react-presence, ...)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer react@"17.0.2" from react-dom@17.0.2
npm ERR! node_modules/react-dom
npm ERR!   peer react-dom@">= 16.8.0" from @aws-amplify/ui-react@3.4.1
npm ERR!   node_modules/@aws-amplify/ui-react
npm ERR!     @aws-amplify/ui-react@"^3.4.1" from the root project
npm ERR!   peer react-dom@"^16.8 || ^17.0" from @radix-ui/react-dropdown-menu@0.1.6
npm ERR!   node_modules/@aws-amplify/ui-react/node_modules/@radix-ui/react-dropdown-menu
npm ERR!     @radix-ui/react-dropdown-menu@"0.1.6" from @aws-amplify/ui-react@3.4.1
npm ERR!     node_modules/@aws-amplify/ui-react
npm ERR!       @aws-amplify/ui-react@"^3.4.1" from the root project
npm ERR!   3 more (@radix-ui/react-menu, @radix-ui/react-portal, @aws-amplify/ui-react-v1)
npm ERR! 
npm ERR! Conflicting peer dependency: react@17.0.2
npm ERR! node_modules/react
npm ERR!   peer react@"17.0.2" from react-dom@17.0.2
npm ERR!   node_modules/react-dom
npm ERR!     peer react-dom@">= 16.8.0" from @aws-amplify/ui-react@3.4.1
npm ERR!     node_modules/@aws-amplify/ui-react
npm ERR!       @aws-amplify/ui-react@"^3.4.1" from the root project
npm ERR!     peer react-dom@"^16.8 || ^17.0" from @radix-ui/react-dropdown-menu@0.1.6
npm ERR!     node_modules/@aws-amplify/ui-react/node_modules/@radix-ui/react-dropdown-menu
npm ERR!       @radix-ui/react-dropdown-menu@"0.1.6" from @aws-amplify/ui-react@3.4.1
npm ERR!       node_modules/@aws-amplify/ui-react
npm ERR!         @aws-amplify/ui-react@"^3.4.1" from the root project
npm ERR!     3 more (@radix-ui/react-menu, @radix-ui/react-portal, @aws-amplify/ui-react-v1)
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /.../.npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR! /.../.npm/_logs/2022-09-06T12_15_07_227Z-debug-0.log


Install via npm ci --force of course worked.
But it resulted in a state where even npm ls was unable to get the tree without errors.
But even though it errored out, npm ls --json -a -l still echoed usable JSON.

This means that possibly a switch à la --ignore-npm-errors might be effective, one that ignores the npm-ls error status and still tries to parse the JSON.
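The behaviour sketched in the comment above, written out as an added example for this page (it is not cyclonedx-npm's own code, and the flag name `ignoreNpmErrors`, the function names, and the shape of the sample `npm ls --json` output and its `problems`/`invalid` fields are assumptions made for the example): a non-zero exit from `npm ls` is fatal in strict mode, but with the ignore switch set it is only reported and stdout is still parsed. The run remains fatal when stdout holds no JSON object at all, since then there is nothing to build an SBOM from, and components are collected as unique name@version pairs so hoisted duplicates count once.

```typescript
// Added example, not cyclonedx-npm's own code: run `npm ls --json --all --long`
// and decide whether a non-zero exit still leaves a usable dependency tree.
import { spawnSync } from 'node:child_process'

export interface NpmLsRun {
  status: number | null   // exit code; null when the process was killed by a signal
  signal: string | null
  stdout: string
  stderr: string
}

export interface NpmLsNode {
  version?: string
  dependencies?: Record<string, NpmLsNode>
  // Assumed shape for this example; mirrors what npm prints on ELSPROBLEMS
  // but is not taken from npm's documented schema.
  problems?: string[]
  invalid?: string | boolean
}

/** Spawn npm ls in projectDir. Needs a real project, so the offline test never calls it. */
export function runNpmLs(projectDir: string, npmBin = 'npm'): NpmLsRun {
  const r = spawnSync(npmBin, ['ls', '--json', '--all', '--long'], { cwd: projectDir, encoding: 'utf8' })
  return { status: r.status, signal: r.signal, stdout: r.stdout ?? '', stderr: r.stderr ?? '' }
}

/**
 * Turn an npm ls run into a tree.
 * ignoreNpmErrors=false: any non-zero exit or signal is fatal (the strict behaviour in the issue).
 * ignoreNpmErrors=true: the failure is only reported through warn(); stdout is parsed anyway,
 * and the run is fatal only if stdout is not a JSON object.
 */
export function parseNpmLs(
  run: NpmLsRun,
  ignoreNpmErrors: boolean,
  warn: (msg: string) => void = () => {}
): NpmLsNode {
  const failed = run.status !== 0 || run.signal !== null
  if (failed && !ignoreNpmErrors) {
    throw new Error(`npm-ls exited with errors: ${run.status ?? 'noCode'} ${run.signal ?? 'noSignal'}`)
  }
  if (failed) {
    warn(`npm-ls exited with status ${run.status ?? 'noCode'}; parsing its output anyway`)
  }
  let tree: unknown
  try {
    tree = JSON.parse(run.stdout)
  } catch {
    throw new Error('npm-ls printed no parsable JSON; cannot build an SBOM')
  }
  if (typeof tree !== 'object' || tree === null || Array.isArray(tree)) {
    throw new Error('npm-ls JSON is not an object; cannot build an SBOM')
  }
  const node = tree as NpmLsNode
  for (const p of node.problems ?? []) {
    warn(`npm-ls problem: ${p}`)
  }
  return node
}

/** Collect unique name@version pairs, so duplicated/hoisted entries count once. */
export function collectComponents(tree: NpmLsNode): string[] {
  const seen: Record<string, true> = {}
  const walk = (deps: Record<string, NpmLsNode> | undefined): void => {
    const d = deps ?? {}
    for (const name of Object.keys(d)) {
      seen[`${name}@${d[name].version ?? 'unknown'}`] = true
      walk(d[name].dependencies)
    }
  }
  walk(tree.dependencies)
  return Object.keys(seen).sort()
}

// Constructed sample of a failed run with an unmet peer dependency; the stdout
// JSON and stderr text are made up for this example, not captured from npm.
export const sampleFailedRun: NpmLsRun = {
  status: 1,
  signal: null,
  stderr: 'npm ERR! code ELSPROBLEMS\nnpm ERR! invalid: react@18.2.0 /proj/node_modules/react\n',
  stdout: JSON.stringify({
    name: 'example-app',
    version: '1.0.0',
    problems: ['invalid: react@18.2.0 /proj/node_modules/react'],
    dependencies: {
      react: { version: '18.2.0', invalid: '"17.0.2" from node_modules/react-dom' },
      'react-dom': { version: '17.0.2', dependencies: { react: { version: '18.2.0' } } },
    },
  }),
}
```

In a CLI, `runNpmLs(process.cwd())` would feed `parseNpmLs(run, flags.ignoreNpmErrors, console.warn)`; the unmet peer dependency still surfaces on stderr and through the warnings, but the SBOM gets written.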

@alexthemark
Author

Yep -- that would be perfect. Obviously I wish that I didn't have unmet peer deps and npm ls errors, but I'm tied to a library tied to a library. And I'd rather have npm ls errors and an SBOM than npm ls errors and no SBOM.

@alexthemark
Author

I'm happy to contribute that flag, or wait for a fix.

@jkowalleck
Member

I am already on it :)

@alexthemark
Author

Thank you!! My repository is now successfully building its SBOM!
