Closed ZWhitey closed 2 years ago
I just ran into this on a different package. I believe this is the issue the open PR #7 would resolve. I'm also still looking for any detail that would indicate whether this is an npmjs.org bug or if there's a valid workaround at some level. It sounds like "unpublished packages" may be the key phrase to look for?
In my case, I resurrected a package that someone had removed from npm (unpublished). I'm referencing a copy directly from a git repository now. Because the name is the same as the original and npmjs serves details for unpublished packages now (with a different/shorter schema), when the npm cli runs the audit it downloads that minimal "unpublished" package file (packument) from npmjs and explodes.
In my particular case, renaming the package worked around the issue because I have source access. I assume another workaround would be to publish a package with npmjs (is un-unpublishing a thing?).
@tarwn thanks for your answer, I think will try to rename package to solve this problem.
Also ran into this with a clone of atom, npm version 8.3.1
Here's the log:
Closing as a duplicate of https://github.com/npm/cli/issues/4313
What / Why
When
Where
How
Current Behavior
Steps to Reproduce
Expected Behavior
Who
References
I compare registry data between
cordova-plugin-openwith
and other package I can install without error foundcordova-plugin-openwith
got different format. It doesn't containversions
field cause advisory try to get keys from undefined. https://github.com/npm/metavuln-calculator/blob/8575e2b76f9eef103ae9419e4db7fe0233fb3298/lib/advisory.js#L102registry data reference