there's no guarantee that a query to a CVE Services API in AWS will have a response with the application/json content type. In recent and realistic cases, the response can instead have:
Content-type: text/html
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>
(for example, this was seen in production 2023-02-12T21:01Z)
For the text/html content type, Axios won't create a JavaScript object, and accessing the cveRecords property will fail.
To resolve this, one possibility is to read the cveRecords property only if the content type is application/json. (It is also realistic for the cveRecords property to be missing when the content type is application/json but the status is 429 - as shown in https://github.com/CVEProject/cve-services/issues/885 - but this perhaps has not occurred in recent months.)
In https://raw.githubusercontent.com/CVEProject/cvelistV5/main/.github/workflows/dist/index.js at dbd65c7934b08d8c45e57ea7104615a164fbcfd3
there's no guarantee that a query to a CVE Services API in AWS will have a response with the application/json content type. In recent and realistic cases, the response can instead have:
(for example, this was seen in production 2023-02-12T21:01Z)
For the text/html content type, Axios won't create a JavaScript object, and accessing the cveRecords property will fail.
There was a request for the CVE Services API documentation to mention that text/html may occur, but there was no action on this request: https://github.com/CVEProject/cve-services/issues/549
To resolve this, one possibility is to read the cveRecords property only if the content type is application/json. (It is also realistic for the cveRecords property to be missing when the content type is application/json but the status is 429 - as shown in https://github.com/CVEProject/cve-services/issues/885 - but this perhaps has not occurred in recent months.)