npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] npm audit fix error: Maximum call stack size exceeded #4229

Open otto-liljalaakso-nt opened 2 years ago

otto-liljalaakso-nt commented 2 years ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

We have a large private repository that was previously using yarn, but we moved to npm recently. We would like to use npm audit to fix outdated dependencies, so we tried to run the following command:

npm audit fix --workspaces --include-workspace-root --force

This did not work. After printing many duplicate lines about making SemVer major changes to certain dependencies, it printed the following error:

npm WARN audit Updating concurrently to 7.0.0,which is a SemVer major change.
Exception in PromiseRejectCallback: Updating concurrently to 7.0.0,which is a SemVer major change.
/home/otto/.volta/tools/image/npm/8.3.0/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:1052
    return this[_buildDepStep]()

RangeError: Maximum call stack size exceeded
npm ERR! Maximum call stack size exceeded

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/otto/.npm/_logs/2022-01-11T15_24_49_534Z-debug-0.log

Expected Behavior

Audit completes normally, potentially modifying package.json and package-lock.json.

Steps To Reproduce

  1. Follow instructions in this reproducer repository: otto-urpelainen-nt/npm-audit-call-stack-exceeded

Environment

@xsitemanage:registry = "https://npm.pkg.github.com/"
//npm.pkg.github.com/:_authToken = (protected)

; node bin location = /home/otto/.volta/tools/image/node/14.15.4/bin/node
; cwd = /home/otto/src/external/otto-urpelainen-nt/npm-call-stack-exceeded
; HOME = /home/otto
; Run `npm config ls -l` to show all defaults.
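The warning lines in the report above show what `npm audit fix --force` does: it accepts SemVer-major upgrades to make a vulnerability go away. Before forcing that on a large workspace, it helps to see which fixes are major bumps, which are safe, and which have no fix at all. The script below is an added example, not code from the issue or from npm; it reads the JSON that `npm audit --json` emits (npm 7+ report format, `auditReportVersion: 2`) and sorts each finding by its `fixAvailable` field. The embedded report and its package names (`pkg-a` to `pkg-d`) are constructed for the example.

```javascript
// Added example: triage an `npm audit --json` report before running
// `npm audit fix --force`. Not part of the npm issue or the npm code base.
// The report below is constructed; it follows the npm 7+ audit JSON shape,
// where each entry's `fixAvailable` is true, false, or an object naming the
// top-level package and version that must change plus `isSemVerMajor`.
const SAMPLE_AUDIT_JSON = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "pkg-a": {
      name: "pkg-a", severity: "high", isDirect: true,
      via: [{ title: "constructed advisory", severity: "high" }],
      effects: [], range: "<2.0.0", nodes: ["node_modules/pkg-a"],
      fixAvailable: { name: "pkg-a", version: "2.0.0", isSemVerMajor: true },
    },
    "pkg-b": {
      name: "pkg-b", severity: "moderate", isDirect: false,
      via: [{ title: "constructed advisory", severity: "moderate" }],
      effects: ["pkg-c"], range: "<1.4.2", nodes: ["node_modules/pkg-b"],
      fixAvailable: true,
    },
    "pkg-c": {
      name: "pkg-c", severity: "moderate", isDirect: true,
      via: ["pkg-b"], effects: [], range: "*", nodes: ["node_modules/pkg-c"],
      fixAvailable: true,
    },
    "pkg-d": {
      name: "pkg-d", severity: "critical", isDirect: true,
      via: [{ title: "constructed advisory", severity: "critical" }],
      effects: [], range: "*", nodes: ["node_modules/pkg-d"],
      fixAvailable: false,
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 2, high: 1, critical: 1, total: 4 },
  },
});

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Group findings by what `npm audit fix` can do about them:
//   safe      - fixable without `--force` (semver-compatible update)
//   major     - fixable only with `--force` (SemVer-major bump of a top-level dep)
//   unfixable - no fix available; needs manual action or an override
function triageAudit(jsonText) {
  const report = JSON.parse(jsonText);
  const out = { safe: [], major: [], unfixable: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    const fix = v.fixAvailable;
    if (fix === false) {
      out.unfixable.push(v.name);
    } else if (fix && typeof fix === "object" && fix.isSemVerMajor) {
      out.major.push(`${v.name} -> ${fix.name}@${fix.version}`);
    } else {
      out.safe.push(v.name);
    }
  }
  return out;
}

// Names of findings at or above a severity threshold, for gating CI runs.
function findingsAtLeast(jsonText, minSeverity) {
  const report = JSON.parse(jsonText);
  const floor = SEVERITY_RANK[minSeverity];
  return Object.values(report.vulnerabilities || {})
    .filter((v) => (SEVERITY_RANK[v.severity] ?? 0) >= floor)
    .map((v) => v.name)
    .sort();
}

// Usage: `npm audit --json | node triage.js --stdin`, or run without
// arguments to triage the constructed sample report.
const input = process.argv[2] === "--stdin"
  ? require("node:fs").readFileSync(0, "utf8")
  : SAMPLE_AUDIT_JSON;
console.log(JSON.stringify(triageAudit(input), null, 2));
console.log("high or critical:", findingsAtLeast(input, "high").join(", "));
```

Run it on a real report with `npm audit --json | node triage.js --stdin`; in a workspace, `npm audit --json --workspaces --include-workspace-root` gives the same shape. Anything listed under `major` is exactly what `--force` would change, so that list is the one to review (and test) before letting the fix rewrite `package.json`.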

wraithgar commented 2 years ago

Can you try this in the latest npm? I could not replicate this with v8.5.4.

$ npm audit fix --workspaces --include-workspace-root --force
... 
added 269 packages, removed 533 packages, changed 418 packages, and audited 2178 packages in 24s
...
~/D/n/s/npm-audit-call-stack-exceeded (main|✚3) $ git diff --stat
 package-lock.json               | 23394 +++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------
 package.json                    |   169 +-
 packages/package-i/package.json |     2 +-
 3 files changed, 11233 insertions(+), 12332 deletions(-)

otto-liljalaakso-nt commented 2 years ago

Tested. The reproducer repository does not reproduce the issue anymore. This does not depend on the npm version; the issue is gone for both 8.3.0 and 8.5.4. However, the issue persists in our private repository.

The reproducer was created from the private repository by removing as much as possible, then removing everything except dependency definitions and renaming everything as package-a and so on. Assuming that "Maximum call stack size exceeded" happens because there is too much to do, it may be that the reproducer is really sensitive to changes in package versions in the npm repository. I could try to make a new reproducer where I skip the "remove as much as possible" part. Such a reproducer should be more robust. I will send a link when I have something ready.

otto-liljalaakso-nt commented 2 years ago

I have updated the reproducer repository to a larger example that still suffers from this bug. Please take a look.