NativeScript / nativescript-cli

Command-line interface for building NativeScript apps
https://www.npmjs.com/package/nativescript
Apache License 2.0

'npm audit' is broken since v6.3.0 #5274

Open NickSch1 opened 4 years ago

NickSch1 commented 4 years ago

Environment: Provide version numbers for the following components (information can be retrieved by running tns info in your project folder or by inspecting the package.json of the project):

Describe the bug: npm returns the following error when running npm audit on the cloned repo or any other project that has the NativeScript CLI 6.3.0+ in dependencies/devDependencies:

npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.
npm ERR! audit The server said: Invalid package tree, run  npm install  to rebuild your package-lock.json

Full log:

0 info it worked if it ends with ok
1 verbose cli [ '/Users/nsch/.nvm/versions/node/v10.16.0/bin/node',
1 verbose cli   '/Users/nsch/.nvm/versions/node/v10.16.0/bin/npm',
1 verbose cli   'audit' ]
2 info using npm@6.14.2
3 info using node@v10.16.0
4 verbose npm-session 889c098014892da6
5 http fetch POST 400 https://registry.npmjs.org/-/npm/v1/security/audits 480ms
6 verbose stack Error: Your configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.
6 verbose stack The server said: Invalid package tree, run  npm install  to rebuild your package-lock.json
6 verbose stack     at Bluebird.all.spread.then.catch (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/lib/audit.js:204:18)
6 verbose stack     at tryCatcher (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/util.js:16:23)
6 verbose stack     at Promise._settlePromiseFromHandler (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:517:31)
6 verbose stack     at Promise._settlePromise (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:574:18)
6 verbose stack     at Promise._settlePromise0 (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:619:10)
6 verbose stack     at Promise._settlePromises (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:695:18)
6 verbose stack     at _drainQueueStep (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:138:12)
6 verbose stack     at _drainQueue (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:131:9)
6 verbose stack     at Async._drainQueues (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:147:5)
6 verbose stack     at Immediate.Async.drainQueues [as _onImmediate] (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:17:14)
6 verbose stack     at runCallback (timers.js:705:18)
6 verbose stack     at tryOnImmediate (timers.js:676:5)
6 verbose stack     at processImmediate (timers.js:658:5)
7 verbose cwd /Users/nsch/test/test-package
8 verbose Darwin 18.7.0
9 verbose argv "/Users/nsch/.nvm/versions/node/v10.16.0/bin/node" "/Users/nsch/.nvm/versions/node/v10.16.0/bin/npm" "audit"
10 verbose node v10.16.0
11 verbose npm  v6.14.2
12 error code ENOAUDIT
13 error audit Your configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.
13 error audit The server said: Invalid package tree, run  npm install  to rebuild your package-lock.json
14 verbose exit [ 1, true ]

To Reproduce: Add "nativescript": "6.3.0" to any project, run npm install with a clean node_modules folder and run npm audit. Or clone this repo, check out any version that is 6.3.0 or higher, run npm install and then run npm audit. On version 6.2.1 everything seems to be working.

Expected behavior: Be able to see normal npm audit output.

NickIliev commented 4 years ago

@NickSch1 try to update CLI to the latest version (6.4.1) - it works as expected on my side.

found 8 moderate severity vulnerabilities in 9434 scanned packages
  run `npm audit fix` to fix 3 of them.
  5 vulnerabilities require manual review. See the full report for details.

NickSch1 commented 4 years ago

I still have the problem for every version from 6.3.0 and upwards. Including 6.4.1.

The problem also happens when I'm using the following package.json containing just the cli:

{
  "name": "test-package",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "nativescript": "6.4.1"
  },
  "author": "",
  "license": "ISC"
}

As noted earlier, when I use 6.2.1 npm audit works without any problems. I also tried version 6.5.0 and the problem still persists. I also tried installing with npm install --cache /tmp/empty-cache to make sure there weren't any corrupted files in my npm cache.

NickSch1 commented 4 years ago

@NickIliev Could you provide your NPM & Node versions? Just to make sure it isn't an issue with the versions of Node I tried it with.

NickIliev commented 4 years ago

D:\test\nativescript-foo-no-demo>npm --version
6.11.3

D:\test\nativescript-foo-no-demo>node --version
v10.15.0

NickSch1 commented 4 years ago

Thanks for the quick response! Sadly I still get the same issue with these versions.

roi-kol commented 4 years ago

I have the same problem. My version is 6.14.4.

adrian-niculescu commented 4 years ago

This problem still persists:

$ nativescript --version
7.0.10
$ node --version
v14.14.0
$ npm --version
6.14.8

The cause seems to be having npm dependencies not specified by version, but via Git URL; see https://github.com/NativeScript/nativescript-cli/blob/master/package.json

"dependencies": {
...
   "zipstream": "https://github.com/Icenium/node-zipstream/tarball/master"
}

kb3eua commented 2 years ago

I'm seeing this same issue, but in my case I have some packages installed from local tarball files like so:

"dependencies": {
...
  "my-package": "file:pkgs/my-package-1.2.3.tgz"
...
}

npm audit fails with these in place, but succeeds when I remove them.

ewrayjohnson commented 2 years ago

With npm version 6.14.12, I am experiencing the same with local tarball files.
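The two comments above point at the same root cause: dependency specifiers that are Git URLs, remote tarball links or local file: tarballs rather than registry versions, which the audit endpoint cannot resolve. The script below is an added example (not code from nativescript-cli or from any commenter) that walks a parsed package.json and lists every such non-registry specifier, so a team can see up front which dependencies npm audit will never cover; the SAMPLE manifest is constructed for the demo and only borrows the specifier shapes quoted in this thread.

```javascript
// Added example: flag dependency specifiers that are not plain registry versions.
// The classification is a heuristic over npm's documented specifier syntaxes.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (s.startsWith('file:') || s.startsWith('link:') || s.startsWith('workspace:')) return 'local';
  if (s.startsWith('npm:')) return 'alias';                    // "npm:real-name@range"
  if (/^(git\+|git:\/\/|git@|ssh:\/\/|github:|gitlab:|bitbucket:|gist:)/.test(s)) return 'git';
  if (/^https?:\/\//.test(s)) return 'url';                    // remote tarball, incl. GitHub /tarball/ links
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return 'git';        // GitHub shorthand "owner/repo[#ref]"
  return 'registry';                                           // semver range, dist-tag or "*"
}

// Walk every dependency section and collect anything that is not a registry version.
function findNonRegistryDeps(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const found = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'registry') found.push({ section, name, spec, kind });
    }
  }
  return found;
}

// Constructed sample manifest (hypothetical names except the specifier shapes quoted above).
const SAMPLE = {
  dependencies: {
    lodash: '^4.17.15',
    zipstream: 'https://github.com/Icenium/node-zipstream/tarball/master',
    'my-package': 'file:pkgs/my-package-1.2.3.tgz',
    'some-fork': 'github:someorg/some-fork#v1.0.0',
  },
  devDependencies: { nativescript: '6.4.1' },
};

// Print a short report: each entry here is a dependency that npm audit will not assess.
for (const d of findNonRegistryDeps(SAMPLE)) {
  console.log(`${d.section}: ${d.name} -> ${d.spec} [${d.kind}]`);
}
```

To run it against a real project, parse the project's package.json with JSON.parse and pass the object to findNonRegistryDeps; anything it reports either needs a registry-published version or a separate review process outside npm audit.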