lirantal / lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
Apache License 2.0
780 stars 35 forks

Crash when package-lock.json has no dependencies #102

Closed MikeRalphson closed 3 years ago

MikeRalphson commented 3 years ago

Expected Behavior

If the package-lock.json file has no dependencies and --validate-https is specified, lockfile-lint should not crash.

Current Behavior

```
npx lockfile-lint -p oas-kit/packages/oas-schema-walker/package-lock.json
npx: installed 56 in 5.789s
No issues detected
npx lockfile-lint --validate-https -p oas-kit/packages/oas-schema-walker/package-lock.json
npx: installed 56 in 5.635s
ABORTING lockfile lint process due to error exceptions

Unable to parse npm lockfile "oas-kit/packages/oas-schema-walker/package-lock.json"

TypeError: Cannot convert undefined or null to object
    at Function.entries (<anonymous>)
    at ParseLockfile._flattenNpmDepsTree (/home/mike/.npm/_npx/131674/lib/node_modules/lockfile-lint/node_modules/lockfile-lint-api/src/ParseLockfile.js:129:49)
    at ParseLockfile.parseNpmLockfile (/home/mike/.npm/_npx/131674/lib/node_modules/lockfile-lint/node_modules/lockfile-lint-api/src/ParseLockfile.js:117:31)
    at ParseLockfile.parseSync (/home/mike/.npm/_npx/131674/lib/node_modules/lockfile-lint/node_modules/lockfile-lint-api/src/ParseLockfile.js:64:27)
    at ValidateHttpsManager (/home/mike/.npm/_npx/131674/lib/node_modules/lockfile-lint/src/validators/index.js:75:27)
    at /home/mike/.npm/_npx/131674/lib/node_modules/lockfile-lint/src/main.js:37:28
    at Array.forEach (<anonymous>)
    at Object.runValidators (/home/mike/.npm/_npx/131674/lib/node_modules/lockfile-lint/src/main.js:27:14)
    at Object.<anonymous> (/home/mike/.npm/_npx/131674/lib/node_modules/lockfile-lint/bin/lockfile-lint.js:54:17)
    at Module._compile (internal/modules/cjs/loader.js:1063:30)

error: command failed with exit code 1
```

Possible Solution

Guard against the non-presence of the dependencies property.

Steps to Reproduce (for bugs)

One of the packages in my mono-repo (https://github.com/mermade/oas-kit) has the following package-lock.json

```json
{
  "name": "oas-schema-walker",
  "version": "1.1.5",
  "lockfileVersion": 1
}
```

Context

I'd like to use lockfile-lint in my projects, but don't want it to crash during CI.

Your Environment
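The guard the issue asks for, shown as an added example that is not lockfile-lint's own code: a lockfileVersion 1 walker (`flattenNpmDepsTree`, a hypothetical name) that tolerates a lockfile with no `dependencies` property, followed by the kind of https check the `--validate-https` run above was trying to perform over the resolved URLs. The sample lockfiles are constructed for the example.

```javascript
// Flatten the nested "dependencies" tree of a lockfileVersion 1 package-lock
// into a map of "name@version" -> { resolved, integrity }.
// Added example; not the lockfile-lint-api implementation.
function flattenNpmDepsTree(lockfile) {
  const flat = {}
  function walk(deps) {
    // Guard: a lockfile with no dependencies (or a leaf package with no nested
    // ones) has no "dependencies" key; Object.entries(undefined) would throw.
    if (!deps || typeof deps !== 'object') return
    for (const [name, meta] of Object.entries(deps)) {
      flat[`${name}@${meta.version}`] = {
        resolved: meta.resolved,
        integrity: meta.integrity
      }
      walk(meta.dependencies) // recurse into nested (deduplicated-away) deps
    }
  }
  walk(lockfile && lockfile.dependencies)
  return flat
}

// Report every resolved tarball URL that is not served over https.
function findNonHttpsResolved(flat) {
  const findings = []
  for (const [pkg, meta] of Object.entries(flat)) {
    // Bundled or link dependencies carry no resolved URL; skip those.
    if (typeof meta.resolved !== 'string') continue
    let url
    try { url = new URL(meta.resolved) } catch (e) { continue }
    if (url.protocol !== 'https:') findings.push({ pkg, resolved: meta.resolved })
  }
  return findings
}

// Constructed sample: the dependency-less lockfile from the issue.
const emptyLock = { name: 'oas-schema-walker', version: '1.1.5', lockfileVersion: 1 }

// Constructed sample: a nested tree where one transitive dep resolves over http.
const nestedLock = {
  name: 'demo', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    a: {
      version: '1.0.0', resolved: 'https://registry.npmjs.org/a/-/a-1.0.0.tgz',
      integrity: 'sha512-AAA',
      dependencies: {
        b: { version: '2.0.0', resolved: 'http://registry.npmjs.org/b/-/b-2.0.0.tgz', integrity: 'sha512-BBB' }
      }
    }
  }
}
```

With the guard in place the empty lockfile yields an empty map and no findings, instead of the TypeError in the trace above.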

lirantal commented 3 years ago

@MikeRalphson just wondering if there's a reason why you closed this and the other issue?

lirantal commented 3 years ago

@emimuresan if you wanted to pick this one up...