npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] Can't Install Two Versions of Vulnerable Package #7921

Open sahin52 opened 3 days ago

sahin52 commented 3 days ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

TLDR: I am trying to install two versions of a vulnerable package, both are needed. Getting `Cannot read properties of null (reading 'name')` and packages are not installed.

Expected Behavior

Two versions could be installed together. I also added vulnerabilities to the allowlist of audit-ci, but still can't install.

Steps To Reproduce

0 verbose cli C:\Program Files\nodejs\node.exe C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js
1 info using npm@10.9.0
2 info using node@v22.11.0
3 silly config load:file:C:\ProgramData\nvm\v22.11.0\node_modules\npm\npmrc
4 silly config load:file:C:\script\test\.npmrc
5 silly config load:file:C:\Users\sahin\.npmrc
6 silly config load:file:C:\Program Files\nodejs\etc\npmrc
7 verbose title npm i
8 verbose argv "i"
9 verbose logfile logs-max:10 dir:C:\Users\sahin\AppData\Local\npm-cache\_logs\2024-11-19T19_31_49_077Z-
10 verbose logfile C:\Users\sahin\AppData\Local\npm-cache\_logs\2024-11-19T19_31_49_077Z-debug-0.log
11 silly logfile start cleaning logs, removing 1 files
12 silly packumentCache heap:2197815296 maxSize:549453824 maxEntrySize:274726912
13 silly logfile done cleaning log files
14 silly idealTree buildDeps
15 silly fetch manifest froala-editor@4.0.4
16 silly packumentCache full:https://registry.npmjs.org/froala-editor cache-miss
17 http fetch GET 200 https://registry.npmjs.org/froala-editor 20ms (cache hit)
18 silly packumentCache full:https://registry.npmjs.org/froala-editor set size:317881 disposed:false
19 silly placeDep ROOT froala-editor@4.0.4 OK for: want: 4.0.4
20 silly reify moves {}
21 silly audit bulk request { 'froala-editor': [ '3.2.6', '4.0.4' ] }
22 http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 735ms
23 silly audit report {
23 silly audit report   'froala-editor': [
23 silly audit report     {
23 silly audit report       id: 1091063,
23 silly audit report       url: 'https://github.com/advisories/GHSA-97x5-cc53-cv4v',
23 silly audit report       title: 'Cross site scripting in froala-editor',
23 silly audit report       severity: 'moderate',
23 silly audit report       vulnerable_versions: '<=4.0.6',
23 silly audit report       cwe: [Array],
23 silly audit report       cvss: [Object]
23 silly audit report     },
23 silly audit report     {
23 silly audit report       id: 1089624,
23 silly audit report       url: 'https://github.com/advisories/GHSA-cq6w-w5rj-p9x8',
23 silly audit report       title: 'Cross-site Scripting in Froala Editor',
23 silly audit report       severity: 'moderate',
23 silly audit report       vulnerable_versions: '<=3.2.6',
23 silly audit report       cwe: [Array],
23 silly audit report       cvss: [Object]
23 silly audit report     }
23 silly audit report   ]
23 silly audit report }
24 silly packumentCache corgi:https://registry.npmjs.org/froala-editor cache-miss
25 http fetch GET 200 https://registry.npmjs.org/froala-editor 6ms (cache hit)
26 silly packumentCache corgi:https://registry.npmjs.org/froala-editor set size:123226 disposed:false
27 verbose stack TypeError: Cannot read properties of null (reading 'name')
27 verbose stack     at npa (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\npm-package-arg\lib\npa.js:27:20)
27 verbose stack     at FetcherBase.get (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\pacote\lib\fetcher.js:466:16)
27 verbose stack     at Object.packument (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\pacote\lib\index.js:21:30)
27 verbose stack     at [packument] (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\@npmcli\metavuln-calculator\lib\index.js:109:22)
27 verbose stack     at [calculate] (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\@npmcli\metavuln-calculator\lib\index.js:57:23)
27 verbose stack     at Calculator.calculate (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\@npmcli\metavuln-calculator\lib\index.js:45:31)
27 verbose stack     at [init] (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\@npmcli\arborist\lib\audit-report.js:177:44)
27 verbose stack     at async AuditReport.run (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\@npmcli\arborist\lib\audit-report.js:109:7)
27 verbose stack     at async Arborist.reify (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\reify.js:268:24)
27 verbose stack     at async Install.exec (C:\ProgramData\nvm\v22.11.0\node_modules\npm\lib\commands\install.js:150:5)
28 error Cannot read properties of null (reading 'name')
29 silly unfinished npm timer reify 1732044709743
30 silly unfinished npm timer reify:audit 1732044709791
31 silly unfinished npm timer auditReport:init 1732044710528
32 silly unfinished npm timer metavuln:calculate:security-advisory:null:1T+MkCkiz8dOr313csFW2zcAfQFhPxwnD/+CXMs7K8vuujqv9BeJHoKLLBMpHOjOj+h3hpqouOBRP++2hROBmQ== 1732044710540
33 silly unfinished npm timer metavuln:packument:null 1732044710540
34 verbose cwd C:\script\test
35 verbose os Windows_NT 10.0.22631
36 verbose node v22.11.0
37 verbose npm v10.9.0
38 verbose exit 1
39 verbose code 1
40 error A complete log of this run can be found in: C:\Users\sahin\AppData\Local\npm-cache\_logs\2024-11-19T19_31_49_077Z-debug-0.log

It generates `Cannot read properties of null (reading 'name')`

- Removing one of the packages makes it work:

```json
{ "dependencies": { "froala-editor": "4.0.4" } }
```

or

```json
{ "dependencies": { "froala-editor-3": "npm:froala-editor@3.2.6" } }
```

These work properly.
Also, the same problem does not happen with at least one safe package, for example:

```json
{ "dependencies": { "froala-editor": "4.3.1", "froala-editor-3": "npm:froala-editor@3.2.6" } }
```

This package does not have any dependencies, so it is not related to dependencies. Adding audit-ci and allowing these vulnerabilities also does not change this behaviour.

### Environment

- npm: 10.9.0
- Node.js: 22.11.0
- OS Name:
- System Model Name: Windows 11
- npm config:
```ini
PS C:\scripts\test> npm config ls
; node bin location = C:\Program Files\nodejs\node.exe
; node version = v22.11.0
; npm local prefix = C:\scripts\test
; npm version = 10.9.0
; cwd = C:\scripts\test
; HOME = C:\Users\skasap
; Run `npm config ls -l` to show all defaults.
```

sahin52 commented 1 day ago

Again I'm unable to install two versions of this package, but I'm getting another output:

0 verbose cli C:\Program Files\nodejs\node.exe C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js
1 info using npm@10.9.0
2 info using node@v22.11.0
3 silly config load:file:C:\Users\Sahin\AppData\Roaming\nvm\v22.11.0\node_modules\npm\npmrc
4 silly config load:file:C:\Users\Sahin\Desktop\Projects\temp\.npmrc
5 silly config load:file:C:\Users\Sahin\.npmrc
6 silly config load:file:C:\Program Files\nodejs\etc\npmrc
7 verbose title npm i
8 verbose argv "i"
9 verbose logfile logs-max:10 dir:C:\Users\Sahin\AppData\Local\npm-cache\_logs\2024-11-21T16_54_13_490Z-
10 verbose logfile C:\Users\Sahin\AppData\Local\npm-cache\_logs\2024-11-21T16_54_13_490Z-debug-0.log
11 silly logfile start cleaning logs, removing 1 files
12 silly packumentCache heap:4345298944 maxSize:1086324736 maxEntrySize:543162368
13 silly logfile done cleaning log files
14 silly idealTree buildDeps
15 silly fetch manifest froala-editor-3@npm:froala-editor@3.2.6
16 silly packumentCache full:https://registry.npmjs.org/froala-editor cache-miss
17 http fetch GET 200 https://registry.npmjs.org/froala-editor 29ms (cache hit)
18 silly packumentCache full:https://registry.npmjs.org/froala-editor set size:317881 disposed:false
19 silly placeDep ROOT froala-editor-3@3.2.6 OK for:  want: npm:froala-editor@3.2.6
20 silly reify moves {}
21 silly audit bulk request { 'froala-editor': [ '4.0.4', '3.2.6' ] }
22 http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 907ms
23 silly audit report {
23 silly audit report   'froala-editor': [
23 silly audit report     {
23 silly audit report       id: 1091063,
23 silly audit report       url: 'https://github.com/advisories/GHSA-97x5-cc53-cv4v',
23 silly audit report       title: 'Cross site scripting in froala-editor',
23 silly audit report       severity: 'moderate',
23 silly audit report       vulnerable_versions: '<=4.0.6',
23 silly audit report       cwe: [Array],
23 silly audit report       cvss: [Object]
23 silly audit report     },
23 silly audit report     {
23 silly audit report       id: 1089624,
23 silly audit report       url: 'https://github.com/advisories/GHSA-cq6w-w5rj-p9x8',
23 silly audit report       title: 'Cross-site Scripting in Froala Editor',
23 silly audit report       severity: 'moderate',
23 silly audit report       vulnerable_versions: '<=3.2.6',
23 silly audit report       cwe: [Array],
23 silly audit report       cvss: [Object]
23 silly audit report     }
23 silly audit report   ]
23 silly audit report }
24 silly packumentCache corgi:https://registry.npmjs.org/froala-editor cache-miss
25 http fetch GET 200 https://registry.npmjs.org/froala-editor 15ms (cache hit)
26 silly packumentCache corgi:https://registry.npmjs.org/froala-editor set size:123226 disposed:false
27 verbose cwd C:\Users\Sahin\Desktop\Projects\temp
28 verbose os Windows_NT 10.0.19045
29 verbose node v22.11.0
30 verbose npm  v10.9.0
31 verbose exit 1
32 verbose code 1
33 error A complete log of this run can be found in: C:\Users\Sahin\AppData\Local\npm-cache\_logs\2024-11-21T16_54_13_490Z-debug-0.log
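The part of the install that dies here is the audit step: both logs show the bulk request `{ 'froala-editor': [ '4.0.4', '3.2.6' ] }` going out and the advisories coming back, and the first log's stack then enters `@npmcli/metavuln-calculator`, which calls `pacote.packument` with a spec that `npm-package-arg` sees as `null` (the unfinished timer `metavuln:packument:null` points the same way). The aliased entry `froala-editor-3: npm:froala-editor@3.2.6` is the only thing that differs from the working single-version cases, so the name an alias resolves to is the thing to watch. The script below is an added example, not npm's code and not the reporter's: it resolves `npm:<name>@<version>` aliases to the registry name, builds the same bulk-request body npm sends, and checks every installed copy (alias included) against the returned `vulnerable_versions` ranges, using the advisory objects printed in the issue's log as constructed input. The range matcher is a deliberately tiny stand-in for the real `semver` package and only understands plain comparators, space-separated ANDs and `||`, which is all the advisories shown here need.

```javascript
// Added example (not npm's code): resolve aliased dependency specs, build the
// audit bulk-request body, and match advisories against every installed copy.

// Parse a package.json dependency value. "npm:<name>@<version>" is an alias:
// the install name differs from the registry name that audit must look up.
function parseSpec(installName, spec) {
  if (spec.startsWith('npm:')) {
    const at = spec.lastIndexOf('@');
    if (at <= 4) throw new Error(`alias without version: ${spec}`);
    return { installName, name: spec.slice(4, at), version: spec.slice(at + 1) };
  }
  return { installName, name: installName, version: spec };
}

// Body of the POST to /-/npm/v1/security/advisories/bulk:
// registry name -> list of installed versions (de-duplicated).
function buildBulkRequest(dependencies) {
  const body = {};
  for (const [installName, spec] of Object.entries(dependencies)) {
    const { name, version } = parseSpec(installName, spec);
    body[name] = body[name] || [];
    if (!body[name].includes(version)) body[name].push(version);
  }
  return body;
}

// Compare two "major.minor.patch" strings numerically (no prerelease support).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Minimal semver range check: "||" separates alternatives, whitespace ANDs
// comparators, "*" matches everything. Stand-in for the real semver package.
function satisfies(version, range) {
  return range.split('||').some(alt => alt.trim().split(/\s+/).every(comp => {
    if (comp === '*' || comp === '') return true;
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(comp);
    if (!m) throw new Error(`unsupported comparator: ${comp}`);
    const c = cmpVersion(version, m[2]);
    switch (m[1] || '=') {
      case '<': return c < 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '>=': return c >= 0;
      default: return c === 0;
    }
  }));
}

// Cross the installed copies with the bulk response. One entry per installed
// copy, keyed by install name so an aliased copy is reported as itself.
function affectedInstalls(dependencies, bulkReport) {
  const out = [];
  for (const [installName, spec] of Object.entries(dependencies)) {
    const dep = parseSpec(installName, spec);
    const hits = (bulkReport[dep.name] || [])
      .filter(adv => satisfies(dep.version, adv.vulnerable_versions))
      .map(adv => adv.url.split('/').pop());
    if (hits.length) {
      out.push({ installName, name: dep.name, version: dep.version, advisories: hits });
    }
  }
  return out;
}

// Constructed input: the reporter's package.json and the audit report
// printed in the debug log above (cwe/cvss fields dropped).
const deps = { 'froala-editor': '4.0.4', 'froala-editor-3': 'npm:froala-editor@3.2.6' };
const bulkReport = {
  'froala-editor': [
    { id: 1091063, url: 'https://github.com/advisories/GHSA-97x5-cc53-cv4v',
      severity: 'moderate', vulnerable_versions: '<=4.0.6' },
    { id: 1089624, url: 'https://github.com/advisories/GHSA-cq6w-w5rj-p9x8',
      severity: 'moderate', vulnerable_versions: '<=3.2.6' },
  ],
};

console.log(JSON.stringify(buildBulkRequest(deps)));
console.log(JSON.stringify(affectedInstalls(deps, bulkReport), null, 2));
```

Run with `node`, it reports 4.0.4 as hit by GHSA-97x5-cc53-cv4v and the aliased 3.2.6 copy as hit by both advisories, while `{ "froala-editor": "4.3.1" }` produces no hits, matching the reporter's observation that 4.3.1 installs cleanly. As a workaround until the crash is fixed, since the stack places it inside `AuditReport.run` during reify, `npm install --no-audit` (or `audit=false` in `.npmrc`) skips that step; the advisories are then only surfaced if `npm audit` is run separately, so keep it as its own CI step rather than silently dropping the check.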