snyk-labs / snync

Mitigate security concerns of Dependency Confusion supply chain security risks

Reporting started failing on CI #20

Open meeroslav opened 2 years ago

meeroslav commented 2 years ago

We have a nightly audit check where we run `npx snync -d .`. Since last night this call started failing with the following error report:

Checking dependency: classnames
SyntaxError: Unexpected end of JSON input
    at JSON.parse (<anonymous>)
    at RegistryClient.getPackageMetadataFromRegistry (file:///home/runner/.npm/_npx/0f3efbe0158474c2/node_modules/snync/src/RegistryClient.js:27:40)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

as seen here: https://github.com/nrwl/nx/runs/7992209443

Locally running snync works as expected (although locally we have all packages installed while on CI we only do checkout). Strangely, classnames hasn't been published for over a year, the next package that should be checked, cliui, hasn't been changed for over 2 years, and the difference between snync 1.3.3 and 1.3.2 seems to be only in README.md. Running with v1.3.2 explicitly (i.e. `npx snync@1.3.2 -d .`) gives the same error.

Output from https://registry.npmjs.org/classnames is valid JSON and the same goes for https://registry.npmjs.org/cliui.

Expected Behavior

Running npx snync -d . on CI not to crash.

Current Behavior

Running npx snync -d . on CI crashes.

bscript commented 2 years ago

I'm having the same issue. It's failing because the dataBuffer is always empty, and JSON.parse fails because it doesn't expect an empty array or a string.

(screenshot: 2022-08-29 at 17:05:34)

I thought maybe the issue was from undici, but I did a quick test and it was working great.

'use strict'

// import undici from 'undici'
const undici = require('undici')

async function getPackageMetadataFromRegistry() {
  // Fetch the package document straight from the public npm registry
  const { body } = await undici.request(
    `https://registry.npmjs.org/${encodeURIComponent('classname')}`,
    {
      method: 'GET',
      headers: {
        'content-type': 'application/json'
      }
    }
  )
  // Collect the streamed body chunks, the same way snync's RegistryClient does
  const dataBuffer = []
  for await (const data of body) {
    dataBuffer.push(data)
  }
  const packageMetadata = Buffer.concat(dataBuffer).toString('utf8')
  // This is the line that throws "Unexpected end of JSON input" when dataBuffer is empty
  const packageMetadataObject = JSON.parse(packageMetadata)

  console.log(packageMetadataObject)
}

getPackageMetadataFromRegistry()

Output (screenshot: 2022-08-29 at 17:10:41)

I'll keep debugging; maybe I'll find a solution.

Thank you
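As an added example (not snync's code and not bscript's test above), this is the body handling from that snippet with the checks a CI job needs so that an empty or non-JSON registry response fails with a message naming the package and the cause, instead of a bare "Unexpected end of JSON input". The function names (readBody, parseRegistryMetadata, getPackageMetadata, fakeResponse) and the sample responses are my own constructions, not snync's API.

```javascript
'use strict'

// Collect an undici body stream into a string (chunks are Buffers or strings).
async function readBody(body) {
  const chunks = []
  for await (const chunk of body) {
    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk))
  }
  return Buffer.concat(chunks).toString('utf8')
}

// Validate status, emptiness and shape before trusting the metadata.
// snync compares publish dates, so the `time` map must be present.
function parseRegistryMetadata(packageName, statusCode, text) {
  if (statusCode !== 200) {
    throw new Error(`registry returned HTTP ${statusCode} for ${packageName}`)
  }
  if (text.trim() === '') {
    throw new Error(`registry returned an empty body for ${packageName}`)
  }
  let metadata
  try {
    metadata = JSON.parse(text)
  } catch (err) {
    throw new Error(`registry body for ${packageName} is not JSON: ${err.message}`)
  }
  if (metadata.name !== packageName || !metadata.time || typeof metadata.time !== 'object') {
    throw new Error(`unexpected metadata shape for ${packageName}`)
  }
  return metadata
}

// Drop-in replacement for the stream-then-parse step in the snippet above.
async function getPackageMetadata(packageName, { statusCode, body }) {
  const text = await readBody(body)
  return parseRegistryMetadata(packageName, statusCode, text)
}

// Constructed stand-in for an undici response; yields the given chunks.
function fakeResponse(statusCode, chunks) {
  return { statusCode, body: (async function* () { yield* chunks })() }
}
```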

meeroslav commented 2 years ago

The issue started happening when undici was updated to 5.10.0, so it might be an error there after all. Can you try with the previous version and see if the buffer is still empty?

bscript commented 2 years ago

@meeroslav, it's working after updating undici to 5.10.0 👍🏻

(screenshot: 2022-08-29 at 23:47:11)

lirantal commented 2 years ago

Interesting why that happens. Thanks @meeroslav and @bscript for confirming. I'll merge the PR with the update next and publish a new version.