npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] `npm audit fix --force` trying to update package to `undefined` #4377

Open fishcharlie opened 2 years ago

fishcharlie commented 2 years ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating @docusaurus/core to undefined,which is a SemVer major change.
npm ERR! code ETARGET
npm ERR! notarget No matching version found for @docusaurus/core@undefined.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/charliefish/.npm/_logs/2022-02-05T18_43_57_293Z-debug.log

Expected Behavior

No errors to occur when running npm audit fix --force.

Steps To Reproduce

  1. With the package.json file listed below & no package-lock.json file
  2. Run npm i
  3. Then npm audit fix --force

package.json:

{
  "name": "docs",
  "version": "0.0.0",
  "private": true,
  "scripts": {
    "start": "docusaurus start",
    "build": "npm run prebuild && docusaurus build",
    "swizzle": "docusaurus swizzle",
    "prebuild": "cd .. && npm run build && cd docs && node process.js"
  },
  "dependencies": {
    "@docusaurus/core": "^2.0.0-beta.15",
    "@docusaurus/preset-classic": "^2.0.0-beta.15",
    "classnames": "^2.3.1",
    "jsdoc-to-markdown": "^7.1.1",
    "mkdirp": "^1.0.4",
    "npm-to-yarn": "^1.0.1",
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
    "simple-git": "^3.1.1"
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }
}

Environment

//npm.pkg.github.com/:_authToken = (protected)
//registry.npmjs.com/:_authToken = (protected)
registry = "https://npm.network.charlie.fish/"

; node bin location = /Users/charliefish/.nvm/versions/node/v16.13.2/bin/node
; cwd = /Users/charliefish/Developer/dynamoose/dynamoose/docs
; HOME = /Users/charliefish
; Run npm config ls -l to show all defaults.

fritzy commented 2 years ago

I'm unable to reproduce the issue in npm v8.5.0. Does the same problem occur using the default registry and with the latest version of npm? Please re-open with your logs included if so.

fishcharlie commented 2 years ago

@fritzy Same issue. Please reopen.

The repo is also open source if you want to check it out: https://github.com/dynamoose/dynamoose/tree/main/docs. It's just the docs folder. I ran npm install, then npm audit fix --force --registry=https://registry.npmjs.com, and the error occurred.

npm -v
8.5.0
npm audit fix --force --registry=https://registry.npmjs.com
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating @docusaurus/core to undefined,which is a SemVer major change.
npm ERR! code ETARGET
npm ERR! notarget No matching version found for @docusaurus/core@undefined.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/charliefish/.npm/_logs/2022-02-17T02_55_36_444Z-debug-0.log

2022-02-17T02_55_36_444Z-debug-0.log

fritzy commented 2 years ago

dynamoose/docs on  main via ⬢ v17.5.0 
❯ rm -rf node_modules 

dynamoose/docs on  main via ⬢ v17.5.0 took 2s 
❯ npm i
npm WARN deprecated querystring@0.2.1: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.

added 1243 packages, and audited 1244 packages in 4s

196 packages are looking for funding
  run `npm fund` for details

21 vulnerabilities (8 moderate, 13 high)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

dynamoose/docs on  main via ⬢ v17.5.0 took 4s 
❯ npm audit fix --force --registry=https://registry.npmjs.com
npm WARN using --force Recommended protections disabled.

up to date, audited 1244 packages in 27s

196 packages are looking for funding
  run `npm fund` for details

# npm audit report

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/@slorber/static-site-generator-webpack-plugin/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/@slorber/static-site-generator-webpack-plugin/node_modules/css-select
    cheerio  0.19.0 - 1.0.0-rc.3
...

nlf commented 2 years ago

@fishcharlie i'm not able to reproduce this one either. i cloned your repo, changed dirs into the docs directory and no amount of npm install or npm audit fix --force raises this error. is this still happening for you with npm@8.5.3?

fishcharlie commented 2 years ago

@nlf Just installed npm 8.5.3, and the issue persists.

I did just try to remove my node_modules folder and package-lock.json file, and run those commands again, and the issue did not occur.

Therefore I think it's an issue with my package-lock.json file. I have uploaded that here as well.

package-lock.json.zip

JanDeDobbeleer commented 2 years ago

I have the exact same issue:

npm WARN using --force Recommended protections disabled.
npm WARN audit Updating @docusaurus/core to undefined,which is a SemVer major change.
npm ERR! code ETARGET
npm ERR! notarget No matching version found for @docusaurus/core@undefined.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/jan/.npm/_logs/2022-07-27T09_56_08_631Z-debug-0.log

2022-07-27T09_56_08_631Z-debug-0.log
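
An added example, not code from this thread or from npm: a pre-check over the parsed output of `npm audit --json` that lists which upgrades `--force` would apply and flags any whose target version is missing, the condition behind the `@docusaurus/core@undefined` error above. The sample report is constructed, and the assumption that the broken entry appears in the JSON report as a `fixAvailable` object without a `version` is not confirmed by the thread.

```javascript
'use strict';

// Constructed sample in the shape of an `npm audit --json` report
// (auditReportVersion 2). Versions and the "example-parent" name are made up.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    // fixable inside the declared range: plain `npm audit fix` is enough
    'nth-check': { name: 'nth-check', severity: 'moderate', fixAvailable: true },
    // assumed shape of the failure: a forced fix whose target has no version
    'css-select': {
      name: 'css-select', severity: 'moderate',
      fixAvailable: { name: '@docusaurus/core', isSemVerMajor: true },
    },
    'cheerio': {
      name: 'cheerio', severity: 'moderate',
      fixAvailable: { name: '@docusaurus/core', isSemVerMajor: true },
    },
    // a well-formed forced fix
    'example-child': {
      name: 'example-child', severity: 'high',
      fixAvailable: { name: 'example-parent', version: '9.9.9', isSemVerMajor: true },
    },
    // nothing npm can do automatically
    'example-orphan': { name: 'example-orphan', severity: 'high', fixAvailable: false },
  },
};

// Sort every vulnerability's fixAvailable into: forced upgrades with a usable
// target, forced upgrades with no resolvable version, and no fix at all.
function classifyForcedFixes(report) {
  const out = { forced: [], unresolved: [], noFix: [] };
  const seen = new Set();
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable;
    if (fix === false) { out.noFix.push(pkg); continue; }
    if (fix === true || fix == null || typeof fix !== 'object') continue;
    const key = `${fix.name}@${fix.version}`;
    if (seen.has(key)) continue; // many advisories can share one upgrade
    seen.add(key);
    const usable = typeof fix.version === 'string' &&
      fix.version !== '' && fix.version !== 'undefined';
    if (!usable) out.unresolved.push(fix.name);
    else out.forced.push(`${key}${fix.isSemVerMajor ? ' (major)' : ''}`);
  }
  return out;
}

console.log(classifyForcedFixes(SAMPLE_REPORT));
```

To use it on a real project, pass the parsed JSON from `npm audit --json` instead of `SAMPLE_REPORT`; a non-empty `unresolved` list means `npm audit fix --force` should not be run against the current `package-lock.json`.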