sandworm-hq / sandworm-audit

Security & License Compliance For Your App's Dependencies 🪱
https://sandworm.dev
MIT License

❌ TypeError: Cannot read properties of undefined (reading 'includes') #102

Closed coclav closed 1 year ago

coclav commented 1 year ago

Sandworm version

➜ sandworm-audit -v
1.36.0

Describe the bug

sandworm audit fails because of type error, but cannot find more information about it

➜ sandworm-audit
Sandworm 🪱 Security and License Compliance Audit
✔ Built dependency graph
✔ Got vulnerabilities
✔ Scanned licenses
✔ Scanned issues
✔ Tree chart done
✔ Treemap chart done
✔ CSV done
✔ Report written to disk

✅ Zero issues identified

✨ Done, but with errors:
❌ TypeError: Cannot read properties of undefined (reading 'includes')
❌ Failing because of errors

Manifest files

I don't feel comfortable sharing them here, but I'm happy to provide them by email?

To Reproduce

Install sandworm (Mac M1, Ventura 13.2.1; we use yarn and node 16), run sandworm.

Expected behavior

I expect it to work 🤔 ?

System (please complete the following information):

Additional context

gabidobo commented 1 year ago

Hi @coclav, thank you for reporting this. I'm looking into it. Was any stack trace provided with the crash?

gabidobo commented 1 year ago

I've added some checks and validations to v1.37.0, it should fix the error or at least get us closer to the source. @coclav let me know if you're able to test this again. Thank you!

coclav commented 1 year ago

Unfortunately still the same issue on 1.39.2 :-(

There is no stack trace

image

gabidobo commented 1 year ago

Thanks, @coclav!

I think it makes sense to log stacks for these errors by default, for easier debugging.

I've released v1.41.0 that does just that, if you get a chance could you run it again and let me know what the stack looks like? Would help me pinpoint which include gets called where.

Thank you 🙏

coclav commented 1 year ago

indeed :)

Here is the console log:

image

and, to confirm, these files get created in my folder:

image

liamjones commented 1 year ago

I encounter the same if I run it at the root of a monorepo (lerna w/ yarn workspaces). I get the same stacktrace too.

gabidobo commented 1 year ago

Thanks @coclav and @liamjones!

It might be that your package.json manifest has no name attribute defined. By default, we query the registry for root package vulnerabilities too, and the method expected a string at the crash site.

I've released v1.42.0 that makes checking root-level vulnerabilities opt-in, as that's more of an edge case I think. It shouldn't require you to have a name attribute, and it should skip auditing the root by default.
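The failure mode and fix described in this thread, as an added example that is not sandworm-audit's own code: a root-package lookup that calls a string method on `manifest.name` crashes with exactly the reported `TypeError` when a monorepo root `package.json` has no `name`, while an opt-in, validated version skips the root and lets the audit finish. It also shows why catching the error and keeping `err.stack` (rather than only the message) is what makes the crash site findable. The function names (`rootQueryNaive`, `rootQueryHardened`, `runStep`), the `includeRoot` option and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example (not sandworm-audit's code). Function names, the includeRoot
// option and the manifests below are assumptions constructed for illustration.

// Naive lookup: assumes manifest.name is always a string. Scoped names such as
// "@scope/pkg" are inspected to build a registry query, so a missing name
// crashes on the first string method call with:
//   TypeError: Cannot read properties of undefined (reading 'includes')
function rootQueryNaive(manifest) {
  const name = manifest.name;
  const scoped = name.includes('/'); // throws when name is undefined
  return { name, scope: scoped ? name.split('/')[0] : null };
}

// Hardened lookup: auditing the root is opt-in, and the name is validated
// before any string method runs. A skip record is returned instead of
// throwing, so the rest of the audit can complete.
function rootQueryHardened(manifest, { includeRoot = false } = {}) {
  if (!includeRoot) {
    return { skipped: true, reason: 'root audit not requested' };
  }
  const name = manifest && manifest.name;
  if (typeof name !== 'string' || name.length === 0) {
    return { skipped: true, reason: 'root package.json has no "name" attribute' };
  }
  const scoped = name.startsWith('@') && name.includes('/');
  return { skipped: false, name, scope: scoped ? name.split('/')[0] : null };
}

// Run one audit step and keep the full stack on failure. Reporting only
// err.message (as the original output did) hides which call site failed.
function runStep(label, fn) {
  try {
    return { ok: true, label, value: fn() };
  } catch (err) {
    return { ok: false, label, message: err.message, stack: err.stack };
  }
}

// Constructed sample manifests: a workspaces root without a name, and a
// normally named application package.
const monorepoRoot = { private: true, workspaces: ['packages/*'] };
const namedApp = { name: '@acme/app', version: '1.0.0' };

// Exercise both paths and return the results for inspection.
function demo() {
  const crash = runStep('root vulnerabilities', () => rootQueryNaive(monorepoRoot));
  const skip = rootQueryHardened(monorepoRoot, { includeRoot: true });
  const audit = rootQueryHardened(namedApp, { includeRoot: true });
  const byDefault = rootQueryHardened(namedApp);
  return { crash, skip, audit, byDefault };
}

const result = demo();
console.log(`${result.crash.label}: ${result.crash.message}`);
// First frames of the stack point straight at rootQueryNaive.
console.log(result.crash.stack.split('\n').slice(0, 3).join('\n'));
console.log(result.skip, result.audit, result.byDefault);
```

The hardened variant treats a missing or non-string `name` as "nothing to look up" rather than as an error, which matches the thread's conclusion that a nameless root manifest is a legitimate monorepo layout, not a broken one.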

liamjones commented 1 year ago

> It might be that your package.json manifest has no name attribute defined.

Yep, that'd be the case in our monorepo root package.json.

The new version works here. 👍

coclav commented 1 year ago

all works 👍

and 0 issues haha

image