InfoSec812 / npm-audit-ci-wrapper

A wrapper for 'npm audit' which can be configurable for use in a CI/CD tool like Jenkins
Apache License 2.0
13 stars 11 forks

parser.js fails with TypeError: Cannot convert undefined or null to object #49

Closed erikgreen-x closed 4 years ago

erikgreen-x commented 4 years ago

npm-audit-ci-wrapper is failing on parser.js:

$ npm-audit-ci-wrapper --threshold=moderate --ignore-dev-dependencies --whitelist=tar:4.4.1 --whitelist=eslint-utils:1.4.0 --whitelist=handlebars --whitelist=acorn
/usr/local/lib/node_modules/npm-audit-ci-wrapper/lib/parser.js:43
    let advisories = Object.entries(data.advisories);
                            ^

TypeError: Cannot convert undefined or null to object
    at Function.entries (<anonymous>)
    at parse_audit_results (/usr/local/lib/node_modules/npm-audit-ci-wrapper/lib/parser.js:43:29)
    at ChildProcess.audit_proc.on (/usr/local/lib/node_modules/npm-audit-ci-wrapper/bin/index.js:58:35)
    at ChildProcess.emit (events.js:198:13)
    at maybeClose (internal/child_process.js:982:16)
    at Socket.stream.socket.on (internal/child_process.js:389:11)
    at Socket.emit (events.js:198:13)
    at Pipe._handle.close (net.js:606:12)
InfoSec812 commented 4 years ago

@erikgreen-x Thanks for the report. Please provide a reproducing package.json and I will see what I can figure out.

erikgreen-x commented 4 years ago

Thanks for the quick response. Here's the offending package.json:

{
  "name": "***",
  "version": "0.1.0",
  "private": true,
  "homepage": "/***/",
  "dependencies": {
    "aws-amplify": "^1.1.28",
    "bootstrap": "^4.3.1",
    "history": "^4.9.0",
    "jquery": "^3.4.0",
    "lodash": "^4.17.14",
    "react": "^16.8.6",
    "react-dom": "^16.8.6",
    "react-json-view": "^1.19.1",
    "react-popper": "^1.3.3",
    "react-router-bootstrap": "^0.25.0",
    "react-router-dom": "^5.0.0",
    "react-scripts": "^3.3.0",
    "reactstrap": "^8.0.0",
    "typescript": "^3.4.4"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject",
    "build:dev": "REACT_APP_STAGE=dev npm run build",
    "build:staging": "REACT_APP_STAGE=staging npm run build",
    "build:prod": "REACT_APP_STAGE=prod npm run build",
    "deploy:dev": "***",
    "deploy:staging": "***",
    "deploy:prod": "***"
  },
  "eslintConfig": {
    "extends": "react-app"
  },
  "browserslist": [
    ">0.2%",
    "not dead",
    "not ie <= 11",
    "not op_mini all"
  ],
  "devDependencies": {
    "enzyme": "^3.10.0",
    "enzyme-adapter-react-16": "^1.14.0",
    "react-test-renderer": "^16.8.6",
    "jest": "24.9.0"
  }
}

InfoSec812 commented 4 years ago

@erikgreen-x I think that it's just a usage error... npm audit requires that you have already run npm install and that there is a package-lock.json file in the root of the project. Without that, npm audit fails to run.

Try running npm install in your project and then re-run npm-audit-ci-wrapper.

InfoSec812 commented 4 years ago

I have added an issue (#50) to output a more useful error for the future.

erikgreen-x commented 4 years ago

Hmmm, this failed in my CI/CD pipeline where I'm definitely doing an install first. However, when I tested it on the command line, I did not get this error after doing an install first. I'm re-running my build from the pipeline to see if I continue to get the error.

erikgreen-x commented 4 years ago

Very strange. I re-ran my CI/CD pipeline and this time, instead of getting the error above, I received a clear audit error on a particular package. I white-listed the package and the pipeline ran fine. ¯\_(ツ)_/¯

Thanks for your help.

InfoSec812 commented 4 years ago

@erikgreen-x I have seen that happen sometimes when the npm audit web service is "stressed" or if you have run too many npm requests in a given time period. The first is VERY annoying and there is nothing I can do about it. The second can be mitigated by using an artifact repository like Nexus and running all NPM requests through that instead.
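
The failure mode discussed in this thread (npm audit returning no "advisories" object, whether because package-lock.json is missing or because the audit web service is stressed or rate-limited) is what the parser needs to guard against. Below is an added example that is not the project's parser.js: it evaluates `npm audit --json` output defensively, with the same threshold, dev-dependency and whitelist options as the command line above, and fails with a clear message instead of a TypeError. The "error" object shape and the ENOLOCK code in the sample are assumed, and the option names are this example's own.

```javascript
// Added example, not the project's parser.js: evaluate `npm audit --json` output
// defensively so a missing lockfile or a failed registry call produces a clear
// message instead of "Cannot convert undefined or null to object".
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Returns the advisories that violate the policy; throws an Error explaining why
// the audit output could not be evaluated. Option names are this example's own.
function parseAuditResults(rawJson, { threshold = 'low', ignoreDev = false, whitelist = [] } = {}) {
  let data;
  try {
    data = JSON.parse(rawJson);
  } catch (e) {
    throw new Error(`npm audit did not return JSON (registry unreachable or rate-limited?): ${e.message}`);
  }
  // Assumed: npm 6 reports a failed audit (e.g. no package-lock.json) as an "error" object.
  if (data && data.error) {
    const { code, summary } = data.error;
    throw new Error(`npm audit failed${code ? ` (${code})` : ''}: ${summary || 'no summary given'}`);
  }
  // The guard the stack trace in this issue shows is missing: check before Object.entries/values.
  if (!data || data.advisories === null || typeof data.advisories !== 'object') {
    throw new Error('npm audit output has no "advisories" object; run `npm install` so package-lock.json exists and retry');
  }
  const minRank = SEVERITY_RANK[threshold];
  if (minRank === undefined) throw new Error(`unknown threshold "${threshold}"`);
  const allowed = new Set(whitelist); // entries are "name" or "name:version", as on the CLI above
  return Object.values(data.advisories).filter((adv) => {
    // An unknown severity has no rank, so the comparison is false and the advisory is kept (fail closed).
    if (SEVERITY_RANK[adv.severity] < minRank) return false;
    if (allowed.has(adv.module_name)) return false;
    const findings = (adv.findings || []).filter((f) => !(ignoreDev && f.dev));
    return findings.some((f) => !allowed.has(`${adv.module_name}:${f.version}`));
  });
}

// Constructed samples (not real audit output); advisory ids and versions are placeholders.
const SAMPLE_NO_LOCK = JSON.stringify({
  error: { code: 'ENOLOCK', summary: 'package.json and package-lock.json are required to run an audit' },
});
const SAMPLE_OK = JSON.stringify({
  advisories: {
    1: { module_name: 'handlebars', severity: 'high', findings: [{ version: '4.1.2', dev: false }] },
    2: { module_name: 'tar', severity: 'moderate', findings: [{ version: '4.4.1', dev: true }] },
    3: { module_name: 'acorn', severity: 'low', findings: [{ version: '5.7.3', dev: false }] },
  },
});
```

In a CI wrapper the thrown message is what should reach the build log, and a non-zero exit on it keeps a transient registry failure from being mistaken for a clean audit.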