InfoSec812 / npm-audit-ci-wrapper

A wrapper for 'npm audit' which can be configurable for use in a CI/CD tool like Jenkins
Apache License 2.0

crashing with TypeError #41

Closed erikgreen-x closed 4 years ago

erikgreen-x commented 4 years ago

npm-audit-ci-wrapper is crashing with a TypeError.

The following is the command I am executing with the error:

$ npm-audit-ci-wrapper --threshold=moderate --ignore-dev-dependencies
/usr/local/lib/node_modules/npm-audit-ci-wrapper/lib/parser.js:42
    let advisories = Object.entries(data.advisories);
                            ^

TypeError: Cannot convert undefined or null to object
    at Function.entries (<anonymous>)
    at parse_audit_results (/usr/local/lib/node_modules/npm-audit-ci-wrapper/lib/parser.js:42:29)
    at exec (/usr/local/lib/node_modules/npm-audit-ci-wrapper/bin/index.js:44:36)
    at ChildProcess.exithandler (child_process.js:301:5)
    at ChildProcess.emit (events.js:198:13)
    at maybeClose (internal/child_process.js:982:16)
    at Socket.stream.socket.on (internal/child_process.js:389:11)
    at Socket.emit (events.js:198:13)
    at Pipe._handle.close (net.js:606:12)

If I whitelist the tar package and execute the following command it works:

$ npm-audit-ci-wrapper --threshold=moderate --ignore-dev-dependencies --whitelist=tar:4.4.1
The following production vulnerabilities are moderate severity or higher:
┌────────────────────┬──────────┬───────────────────────────────────────┐
│ module             │ severity │ overview                              │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ eslint-utils@1.4.0 │ critical │ https://www.npmjs.com/advisories/1118 │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ handlebars@4.1.2   │ high     │ https://www.npmjs.com/advisories/1164 │
└────────────────────┴──────────┴───────────────────────────────────────┘

InfoSec812 commented 4 years ago

@erikgreen-x Would you provide the dependencies and dev dependencies portions of your package.json so that I can try to debug?

InfoSec812 commented 4 years ago

@erikgreen-x I tried creating a project with tar:4.4.1 and ran npm-audit-ci-wrapper, with and without a threshold lower than CRITICAL, and I cannot reproduce this error. Could you also relate which version of Node/NPM you are using?

erikgreen-x commented 4 years ago

Dependencies:

"dependencies": {
    "aws-amplify": "^1.1.28",
    "bootstrap": "^4.3.1",
    "history": "^4.9.0",
    "jquery": "^3.4.0",
    "react": "^16.8.6",
    "react-dom": "^16.8.6",
    "react-popper": "^1.3.3",
    "react-router-bootstrap": "^0.25.0",
    "react-router-dom": "^5.0.0",
    "react-scripts": "2.1.8",
    "reactstrap": "^8.0.0",
    "typescript": "^3.4.4"
  }

Dev dependencies:

  "devDependencies": {
    "enzyme": "^3.10.0",
    "enzyme-adapter-react-16": "^1.14.0",
    "jest": "^23.6.0",
    "react-test-renderer": "^16.8.6"
  }

Node version:

$ node --version
v10.16.3

NPM version:

$ npm --version
6.12.0

shockey commented 4 years ago

We saw this earlier today in our CI at 9:30AM Pacific (oss-swagger-editor-security-audit-npm #138), but it was resolved in our afternoon run at 4:30PM (oss-swagger-editor-security-audit-npm #139) without any changes on our side.

Perhaps this is an intermittent error affecting npm's data that is fed into npm-audit-ci-wrapper?

InfoSec812 commented 4 years ago

@erikgreen-x As best I can tell, it was a transient issue with the web service. I cannot reproduce this error.

npm-audit-test🎩 npm-audit-ci-wrapper -t moderate --ignore-dev-dependencies
The following production vulnerabilities are moderate severity or higher:
┌───────────┬──────────┬──────────────────────────────────────┐
│ module    │ severity │ overview                             │
├───────────┼──────────┼──────────────────────────────────────┤
│ tar@4.4.1 │ high     │ https://www.npmjs.com/advisories/803 │
└───────────┴──────────┴──────────────────────────────────────┘

I have seen (several) times where the NPM Audit web service is unresponsive. When this happens, the results of this application are unpredictable.

erikgreen-x commented 4 years ago

We have also seen the transient npm audit issues. However, I ran npm-audit-ci-wrapper on other code before and after and they did not have this issue. I'll try to re-run this periodically to see if it resolves itself.

InfoSec812 commented 4 years ago

@erikgreen-x I don't want to dismiss your concern. Is the project up in the public somewhere I could download the entire project? Also, are you overriding the default registry anywhere?

InfoSec812 commented 4 years ago

@erikgreen-x Another possible option is for you to run npm audit --json and shoot the output over to me.

erikgreen-x commented 4 years ago

I've just emailed you the JSON output.

erikgreen-x commented 4 years ago

Sorry, I just saw your other comment above. Unfortunately, this is not a public project. We do add a private repo in ~/.npmrc, but that is only for one package developed internally.

InfoSec812 commented 4 years ago

@erikgreen-x I tried an integration test with the JSON output which you e-mailed to me and did not see any errors. Could you try running the command without your custom registry and see if that makes a difference?

erikgreen-x commented 4 years ago

I'm sorry, I made a mistake. We are developing several small tools as part of a larger application. The one that is blowing up on npm-audit-ci-wrapper does not have a dependency on anything from our private repo. In fact, at least for some of the tools using a package from our private repo, npm-audit-ci-wrapper is working fine. Sorry for the confusion.

InfoSec812 commented 4 years ago

@erikgreen-x Let's try another possibility... Try deleting your package-lock.json and then running npm install, and finally re-run npm-audit-ci-wrapper.

erikgreen-x commented 4 years ago

No dice:

$ rm package-lock.json
$ npm install
$ npm-audit-ci-wrapper -t moderate --ignore-dev-dependencies
undefined:11884
            "react-scripts>@svgr/webpack>@babel/preset-env>@babel/plugin-transform-exponentiation-operator>@babel/helper-builder-binary-assignment-operator-visitor>@babel/helper-explode-assign

SyntaxError: Unexpected end of JSON input
    at JSON.parse (<anonymous>)
    at parse_audit_results (/usr/local/lib/node_modules/npm-audit-ci-wrapper/lib/parser.js:31:21)
    at exec (/usr/local/lib/node_modules/npm-audit-ci-wrapper/bin/index.js:44:36)
    at ChildProcess.exithandler (child_process.js:301:5)
    at ChildProcess.emit (events.js:198:13)
    at maybeClose (internal/child_process.js:982:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:259:5)

InfoSec812 commented 4 years ago

AHA! I know THAT problem! The command execution for npm audit --json has a limit on the size of the returned data. Your data is larger than the buffer size. I will take a look at patching it to increase the size or figure out a way to do without a size restriction altogether.

Cheers,

Deven


erikgreen-x commented 4 years ago

I initially suspected it was something like that. Glad you figured it out!

InfoSec812 commented 4 years ago

@erikgreen-x Version 2.4.0 should be hitting the NPM registries in a few minutes... Please give it a try and let me know if it is working more reliably for you.

erikgreen-x commented 4 years ago

That fixed it. I'm getting proper output now:

$ npm-audit-ci-wrapper --threshold=moderate --ignore-dev-dependencies
The following production vulnerabilities are moderate severity or higher:
┌────────────────────┬──────────┬───────────────────────────────────────┐
│ module             │ severity │ overview                              │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ tar@4.4.1          │ high     │ https://www.npmjs.com/advisories/803  │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ axios@0.17.1       │ moderate │ https://www.npmjs.com/advisories/880  │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ set-value@2.0.0    │ high     │ https://www.npmjs.com/advisories/1012 │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ mixin-deep@1.3.1   │ high     │ https://www.npmjs.com/advisories/1013 │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ lodash@4.17.11     │ high     │ https://www.npmjs.com/advisories/1065 │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ eslint-utils@1.3.1 │ critical │ https://www.npmjs.com/advisories/1118 │
├────────────────────┼──────────┼───────────────────────────────────────┤
│ handlebars@4.1.2   │ high     │ https://www.npmjs.com/advisories/1164 │
└────────────────────┴──────────┴───────────────────────────────────────┘

InfoSec812 commented 4 years ago

Excellent! Thanks for the feedback and issue report!