Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent blowing up on audit malformed response #42

Merged
merged 4 commits into from Aug 20, 2018
Merged

Conversation

@framp
Copy link
Contributor

@framp framp commented Aug 8, 2018

npm is failing our builds with:

npm ERR! Cannot read property 'totalDependencies' of undefined

which it's coming out of auditing

There must be something wrong in whatever code is generating the response - this only prevents blowing up a valid installation because of this.

@framp framp requested a review from as a code owner Aug 8, 2018
ljharb
ljharb approved these changes Aug 8, 2018
Copy link
Collaborator

@ljharb ljharb left a comment

More defensive programming in general would help use with things like artifactory, that may not meet the CLI’s implicit assumptions about data format.

Copy link
Contributor

@zkat zkat left a comment

This seems fine, but I'd like to have a warning if metadata is missing like this. There's definitely a bug in our services somewhere if that happens (or in npm-audit-report, so I'd like to make sure we don't just hide the problem.

@@ -834,7 +834,7 @@ Installer.prototype.printInstalledForHuman = function (diffs, auditResult) {
if (removed) actions.push('removed ' + packages(removed))
if (updated) actions.push('updated ' + packages(updated))
if (moved) actions.push('moved ' + packages(moved))
if (auditResult && auditResult.metadata.totalDependencies) {
if (auditResult && auditResult.metadata && auditResult.metadata.totalDependencies) {
Copy link
Contributor

@zkat zkat Aug 13, 2018

If this is missing, there's definitely an issue with the endpoint. I'd rather spit out a warning here if this happens, so we can make sure to track it down. In the future, it might also be good to have npm-audit-report verify the data we get from the server and warn accordingly, and we can remove the warning from lib/install.js at that point.

Copy link
Collaborator

@ljharb ljharb Aug 13, 2018

There could also be a bug in a non-npm registry - like artifactory - if they implemented audit support but did it incorrectly?

Copy link
Contributor

@zkat zkat Aug 13, 2018

yes, the intention is also to cover non-npm registries, but I didn't think this was necessarily an artifactory issue. If so, then yeah, they should fix their stuff.

@framp
Copy link
Contributor Author

@framp framp commented Aug 14, 2018

I added a warn using npmlog - hope I didn't miss some internal conventions

zkat
zkat approved these changes Aug 14, 2018
Copy link
Contributor

@zkat zkat left a comment

👍 LGTM

I poked at it a little, but this works :)

@zkat zkat changed the base branch from latest to release-next Aug 20, 2018
zkat
zkat approved these changes Aug 20, 2018
Copy link
Contributor

@zkat zkat left a comment

Everything looks awesome. Thank you!

@zkat zkat merged commit 8d1b322 into npm:release-next Aug 20, 2018
2 checks passed
2 checks passed
@travis-ci[bot]
Travis CI - Pull Request Build Passed
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
zkat added a commit that referenced this issue Aug 20, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants