Closed erikgreen-x closed 4 years ago
@erikgreen-x Would you provide the dependencies and dev dependencies portions of your package.json so that I can try to debug?
@erikgreen-x I tried creating a project with tar:4.4.1 and ran npm-audit-ci-wrapper, with and without a threshold lower than CRITICAL, and I cannot reproduce this error. Could you also relate which version of Node/NPM you are using?
Dependencies:
"dependencies": {
  "aws-amplify": "^1.1.28",
  "bootstrap": "^4.3.1",
  "history": "^4.9.0",
  "jquery": "^3.4.0",
  "react": "^16.8.6",
  "react-dom": "^16.8.6",
  "react-popper": "^1.3.3",
  "react-router-bootstrap": "^0.25.0",
  "react-router-dom": "^5.0.0",
  "react-scripts": "2.1.8",
  "reactstrap": "^8.0.0",
  "typescript": "^3.4.4"
}
Dev dependencies:
"devDependencies": {
  "enzyme": "^3.10.0",
  "enzyme-adapter-react-16": "^1.14.0",
  "jest": "^23.6.0",
  "react-test-renderer": "^16.8.6"
}
Node version:
$ node --version
v10.16.3
NPM version:
$ npm --version
6.12.0
We saw this earlier today in our CI at 9:30AM Pacific (oss-swagger-editor-security-audit-npm #138), but it was resolved in our afternoon run at 4:30PM (oss-swagger-editor-security-audit-npm #139) without any changes on our side.
Perhaps this is an intermittent error affecting npm's data that is fed into npm-audit-ci-wrapper?
@erikgreen-x As best I can tell, it was a transient issue with the web service. I cannot reproduce this error.
npm-audit-test🎩 npm-audit-ci-wrapper -t moderate --ignore-dev-dependencies
The following production vulnerabilities are moderate severity or higher:
┌───────────┬──────────┬──────────────────────────────────────┐
│ module │ severity │ overview │
├───────────┼──────────┼──────────────────────────────────────┤
│ tar@4.4.1 │ high │ https://www.npmjs.com/advisories/803 │
└───────────┴──────────┴──────────────────────────────────────┘
I have seen several times when the NPM Audit web service is unresponsive. When this happens, the results of this application are unpredictable.
We have also seen the transient npm audit issues. However, I ran npm-audit-ci-wrapper on other code before and after and they did not have this issue. I'll try to re-run this periodically to see if it resolves itself.
@erikgreen-x I don't want to dismiss your concern. Is the project up in the public somewhere I could download the entire project? Also, are you overriding the default registry anywhere?
@erikgreen-x Another possible option is for you to run npm audit --json and shoot the output over to me.
I've just emailed you the JSON output.
Sorry, I just saw your other comment above. Unfortunately, this is not a public project. We do add a private repo in ~/.npmrc, but that is only for one package developed internally.
@erikgreen-x I tried an integration test with the JSON output which you e-mailed to me and did not see any errors. Could you try running the command without your custom registry and see if that makes a difference?
I'm sorry, I made a mistake. We are developing several small tools as part of a larger application. The one that is blowing up on npm-audit-ci-wrapper does not have a dependency on anything from our private repo. In fact, at least for some of the tools using a package from our private repo, npm-audit-ci-wrapper is working fine. Sorry for the confusion.
@erikgreen-x Let's try another possibility... Try deleting your package-lock.json and then running npm install, and finally re-run npm-audit-ci-wrapper.
No dice:
$ rm package-lock.json
$ npm install
$ npm-audit-ci-wrapper -t moderate --ignore-dev-dependencies
undefined:11884
"react-scripts>@svgr/webpack>@babel/preset-env>@babel/plugin-transform-exponentiation-operator>@babel/helper-builder-binary-assignment-operator-visitor>@babel/helper-explode-assign
SyntaxError: Unexpected end of JSON input
at JSON.parse (<anonymous>)
at parse_audit_results (/usr/local/lib/node_modules/npm-audit-ci-wrapper/lib/parser.js:31:21)
at exec (/usr/local/lib/node_modules/npm-audit-ci-wrapper/bin/index.js:44:36)
at ChildProcess.exithandler (child_process.js:301:5)
at ChildProcess.emit (events.js:198:13)
at maybeClose (internal/child_process.js:982:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:259:5)
AHA! I know THAT problem! The command execution for npm audit --json has a limit on the size of the returned data. Your data is larger than the buffer size. I will take a look at patching it to increase the size or figure out a way to do without a size restriction altogether.
Cheers,
Deven
(Replied by e-mail on Tue, Oct 22, 2019 at 5:06 PM to Erik Green's comment above.)
I initially suspected it was something like that. Glad you figured it out!
@erikgreen-x Version 2.4.0 should be hitting the NPM registries in a few minutes... Please give it a try and let me know if it is working more reliably for you.
That fixed it. I'm getting proper output now:
$ npm-audit-ci-wrapper --threshold=moderate --ignore-dev-dependencies
The following production vulnerabilities are moderate severity or higher:
┌────────────────────┬──────────┬───────────────────────────────────────┐
│ module │ severity │ overview │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ tar@4.4.1 │ high │ https://www.npmjs.com/advisories/803 │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ axios@0.17.1 │ moderate │ https://www.npmjs.com/advisories/880 │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ set-value@2.0.0 │ high │ https://www.npmjs.com/advisories/1012 │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ mixin-deep@1.3.1 │ high │ https://www.npmjs.com/advisories/1013 │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ lodash@4.17.11 │ high │ https://www.npmjs.com/advisories/1065 │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ eslint-utils@1.3.1 │ critical │ https://www.npmjs.com/advisories/1118 │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ handlebars@4.1.2 │ high │ https://www.npmjs.com/advisories/1164 │
└────────────────────┴──────────┴───────────────────────────────────────┘
Excellent! Thanks for the feedback and issue report!
npm-audit-ci-wrapper is crashing with a TypeError.
The following is the command I am executing with the error:
If I whitelist the tar package and execute the following command it works: