audit doesn't work with aliased packages #7015

Open
calvinli opened this Issue Feb 8, 2019 · 1 comment

calvinli commented Feb 8, 2019

Do you want to request a feature or report a bug?

bug

What is the current behavior?
On certain packages (those with aliased dependencies) yarn audit gives this fatal error:

$ yarn audit
yarn audit v1.13.0
error An unexpected error occurred: "Unexpected audit response (Missing Metadata): false".

(The "false" is another bug; the response from the NPM audit endpoint is actually "Invalid package tree, run npm install to rebuild your package-lock.json".)

If the current behavior is a bug, please provide the steps to reproduce.

I was able to get a minimal example of this. package.json:

{
  "name": "yarn-alias-audit-poc",
  "version": "0.0.1",
  "main": "index.js",
  "private": true,
  "dependencies": {
    "left-pad-1": "npm:left-pad@1.3.0",
    "package-a": "file:./packageA/"
  }
}

where ./packageA/package.json is

{
  "name": "package-a",
  "private": true,
  "version": "0.0.1",
  "description": "example package",
  "dependencies": {
    "left-pad": "^1.3.0"
  }
}

Running yarn audit --verbose shows that the request payload is

verbose 0.481 Audit Request: {
  "name": "yarn-alias-audit-poc",
  "version": "0.0.1",
  "install": [],
  "remove": [],
  "metadata": {},
  "requires": {
    "left-pad-1": "npm:left-pad@1.3.0",
    "package-a": "file:./packageA"
  },
  "dependencies": {
    "left-pad-1": {
      "version": "1.3.0",
      "integrity": "sha1-W4o6d2Xf4AEmHd6RVYnngvjJTR4=",
      "requires": {},
      "dependencies": {}
    },
    "package-a": {
      "version": "0.0.1",
      "integrity": "",
      "requires": {
        "left-pad": "^1.3.0"
      },
      "dependencies": {}
    }
  }
}

Notice the lack of any entry in dependencies for left-pad; this is apparently what causes the NPM audit endpoint to complain.

What is the expected behavior?

The payload sent to the NPM audit endpoint should probably be

{
  "name": "yarn-alias-audit-poc",
  "version": "0.0.1",
  "install": [],
  "remove": [],
  "metadata": {},
  "requires": {
    "left-pad": "1.3.0",
    "package-a": "file:./packageA"
  },
  "dependencies": {
    "left-pad": {
      "version": "1.3.0",
      "integrity": "sha1-W4o6d2Xf4AEmHd6RVYnngvjJTR4=",
      "requires": {},
      "dependencies": {}
    },
    "package-a": {
      "version": "0.0.1",
      "integrity": "",
      "requires": {
        "left-pad": "^1.3.0"
      },
      "dependencies": {}
    }
  }
}

i.e. with all aliased packages resolved to their real names.

The problem appears to be in getFlatHoistedTree because I notice yarn list has similar trouble:

$ yarn list
yarn list v1.13.0
├─ left-pad-1@1.3.0
└─ package-a@0.0.1
   └─ left-pad@^1.3.0
Done in 0.15s.

even though ./node_modules/ looks like

$ ls node_modules/
left-pad/  left-pad-1/  package-a/

Please mention your node.js, yarn and operating system version.
yarn: 1.13.0, node: 8.9.1, Ubuntu 16.04

@heupr heupr bot assigned imsnif Feb 9, 2019

@heupr heupr bot added the triaged label Feb 9, 2019

calvinli commented Feb 11, 2019

Just realized I left out the yarn.lock contents in the description above:

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"left-pad-1@npm:left-pad@1.3.0", left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a7765dfe001261dde915589e782f8c94d1e"
  integrity sha512-XI5MPzVNApjAyhQzphX8BkmKsKUxD4LdyK24iZeQGinBN9yTQT3bFlCBy/aVx2HrNcqQGsdot8ghrjyrvMCoEA==

"package-a@file:./packageA":
  version "0.0.1"
  dependencies:
    left-pad "^1.3.0"

It turns out a yarn audit on the package.json above with no yarn.lock (or even without a node_modules/) actually works just fine (it includes separate entries in dependencies for both left-pad-1 and left-pad).

Manually editing the yarn.lock file so it includes separate entries for left-pad-1 and left-pad also resolves the issue:

$ cat yarn.lock
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"left-pad-1@npm:left-pad@1.3.0":
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a7765dfe001261dde915589e782f8c94d1e"
  integrity sha512-XI5MPzVNApjAyhQzphX8BkmKsKUxD4LdyK24iZeQGinBN9yTQT3bFlCBy/aVx2HrNcqQGsdot8ghrjyrvMCoEA==

left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a7765dfe001261dde915589e782f8c94d1e"
  integrity sha512-XI5MPzVNApjAyhQzphX8BkmKsKUxD4LdyK24iZeQGinBN9yTQT3bFlCBy/aVx2HrNcqQGsdot8ghrjyrvMCoEA==

"package-a@file:./packageA":
  version "0.0.1"
  dependencies:
    left-pad "^1.3.0"

$ yarn list   # note that this now correctly identifies `left-pad` as a hoisted package
yarn list v1.13.0
├─ left-pad-1@1.3.0
├─ left-pad@1.3.0
└─ package-a@0.0.1
   └─ left-pad@^1.3.0
Done in 0.16s.
$ yarn audit --verbose
yarn audit v1.13.0
<snip>
verbose 0.426 current time: 2019-02-11T22:09:39.772Z
verbose 0.497 Audit Request: {
  "name": "yarn-alias-audit-poc",
  "version": "0.0.1",
  "install": [],
  "remove": [],
  "metadata": {},
  "requires": {
    "left-pad-1": "npm:left-pad@1.3.0",
    "package-a": "file:./packageA"
  },
  "dependencies": {
    "left-pad-1": {
      "version": "1.3.0",
      "integrity": "sha512-XI5MPzVNApjAyhQzphX8BkmKsKUxD4LdyK24iZeQGinBN9yTQT3bFlCBy/aVx2HrNcqQGsdot8ghrjyrvMCoEA==",
      "requires": {},
      "dependencies": {}
    },
    "package-a": {
      "version": "0.0.1",
      "integrity": "",
      "requires": {
        "left-pad": "^1.3.0"
      },
      "dependencies": {}
    },
    "left-pad": {
      "version": "1.3.0",
      "integrity": "sha512-XI5MPzVNApjAyhQzphX8BkmKsKUxD4LdyK24iZeQGinBN9yTQT3bFlCBy/aVx2HrNcqQGsdot8ghrjyrvMCoEA==",
      "requires": {},
      "dependencies": {}
    }
  }
}
verbose 0.541 Performing "POST" request to "https://registry.yarnpkg.com/-/npm/v1/security/audits".
verbose 1.151 Request "https://registry.yarnpkg.com/-/npm/v1/security/audits" finished with status code 200.
verbose 1.153 Audit Response: <snip>
0 vulnerabilities found - Packages audited: 3
Done in 0.88s.

So this is possibly an issue with lockfile generation and/or parsing?
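As an added example that is not part of the issue or of yarn's own code, the following JavaScript mirrors what the description and the comment above describe: the merged lockfile key from the comment is split into one pattern per requester, the audit request's "dependencies" map from the description is built so that left-pad-1 and left-pad each get an entry, and a check reports any "requires" that no entry satisfies (the shape of tree the audit endpoint rejects). LOCK, splitLockKey, parsePattern, buildAuditDependencies and unsatisfiedRequires are assumed names; the lock entries are constructed from the yarn.lock shown above.

```javascript
// Added example (not yarn's own code). LOCK holds the lockfile from the comment
// above as parsed entries (constructed); the functions split each merged key into
// one pattern per requester and build the audit "dependencies" map from them.
const LOCK = {
  '"left-pad-1@npm:left-pad@1.3.0", left-pad@^1.3.0': {
    version: "1.3.0",
    integrity: "sha512-XI5MPzVNApjAyhQzphX8BkmKsKUxD4LdyK24iZeQGinBN9yTQT3bFlCBy/aVx2HrNcqQGsdot8ghrjyrvMCoEA==",
  },
  '"package-a@file:./packageA"': { version: "0.0.1", dependencies: { "left-pad": "^1.3.0" } },
};

function splitLockKey(key) {
  return key.split(", ").map((p) => p.replace(/^"|"$/g, ""));
}

// "name@range" -> { name, range, realName }; the separator is the first '@'
// after position 0 so "@scope/pkg@range" works. An alias range looks like
// "npm:<real>@<realRange>", so realName differs from name.
function parsePattern(pattern) {
  const at = pattern.indexOf("@", 1);
  const name = pattern.slice(0, at), range = pattern.slice(at + 1);
  let realName = name;
  if (range.startsWith("npm:")) {
    const inner = range.slice(4), innerAt = inner.indexOf("@", 1);
    realName = innerAt === -1 ? inner : inner.slice(0, innerAt);
  }
  return { name, range, realName };
}

// Flat audit "dependencies" map. With allPatterns=false only the first pattern
// of each key is used, which reproduces the reported tree with left-pad missing.
function buildAuditDependencies(lock, allPatterns = true) {
  const deps = {};
  for (const [key, entry] of Object.entries(lock)) {
    const patterns = allPatterns ? splitLockKey(key) : splitLockKey(key).slice(0, 1);
    for (const p of patterns) {
      deps[parsePattern(p).name] = { version: entry.version, integrity: entry.integrity || "",
        requires: entry.dependencies || {}, dependencies: {} };
    }
  }
  return deps;
}

// Names some entry requires but none provides (an invalid tree when non-empty).
function unsatisfiedRequires(deps) {
  const missing = new Set();
  for (const d of Object.values(deps))
    for (const req of Object.keys(d.requires)) if (!deps[req]) missing.add(req);
  return [...missing].sort();
}
```

Running unsatisfiedRequires over the map built with allPatterns=false reproduces the gap the endpoint complains about, and over the full map it is empty, matching the working request in the comment.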
