snyk / nodejs-lockfile-parser

Generate a Snyk dependency tree from package-lock.json or yarn.lock file

npm lock version evaluation is incorrectly reporting an error #170

Closed oceanofmaya closed 1 year ago

oceanofmaya commented 1 year ago

I have an nx monorepo project where I use snyk-cli `snyk monitor` with the --all-projects flag, and it uses this library to identify the lock version. snyk-cli version 1.1072.0 and earlier, which uses nodejs-lockfile-parser 1.44.0, works fine without issues, but 1.1073.0 onwards, which relies on nodejs-lockfile-parser 1.45.1, fails for me with the below error.

Unsupported npm lockfile version in package-lock.json. Please provide a [package-lock.json](<url-removed>) with lockfileVersion 1, 2 or 3

Note: There are no issues when I do a `snyk test`; it only occurs when I do a `snyk monitor`. Here is a comparison of snyk cli release 1.1073.0: https://github.com/snyk/cli/compare/v1.1072.0...v1.1073.0

Here is a comparison of nodejs-lockfile-parser: https://github.com/snyk/nodejs-lockfile-parser/compare/v1.44.0...v1.45.1

The above shows that lib/util.ts was added; it is a brand-new file and here the npm lock version is evaluated. The error message I see in our pipeline comes from this file.

I'm unsure at this point if the issue is on the snyk cli end or this library, but have narrowed down when the issue was introduced.

I have opened a snyk support ticket, and adding this here in case a contributor on this project can help.

oceanofmaya commented 1 year ago

I was able to narrow the error to a single project that has no external dependencies. Its lock file looks like this:

{
  "name": "name-of-library",
  "version": "1.1.0",
  "lockfileVersion": 1
}

oceanofmaya commented 1 year ago

I identified the genesis of the bug. In lib/util.ts the string it is looking for has a trailing comma, but in my generated package-lock.json (shared in the previous comment), since it does not have any dependencies and `lockfileVersion` is the last attribute, it does not have a comma. So it does not match any of the ones the code is looking for and hence fails saying "Unsupported npm lockfile version".


alina-ilie commented 1 year ago

Hello. We wanted to let you know that we have since resolved this issue. Could you please update to the latest Snyk version and confirm that the issue is no longer present?

oceanofmaya commented 1 year ago

I like that now it is doing a JSON parse and then looking for the lock version. The issue can be closed as resolved. Additionally, I switched to using Node.js 16.x with npm 8, where the package lock has a different structure entirely, as it includes what is in the package.json, so there are always additional fields below `lockfileVersion`.
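The two detection strategies discussed in this thread (the substring match with a trailing comma that failed on the dependency-free lockfile, and the JSON-parse approach the reporter confirms in the last comment), as an added example that is not the parser's own lib/util.ts code. Function names and both sample lockfiles are constructed for illustration; the minimal sample mirrors the one posted above.

```typescript
// Added example, not code from nodejs-lockfile-parser. Shows why a substring
// check for `"lockfileVersion": N,` misses a lockfile whose last property is
// lockfileVersion, and how parsing the JSON first avoids that.

type NpmLockfileVersion = 1 | 2 | 3;

// Constructed sample: no dependencies, so "lockfileVersion" is the last
// property and carries no trailing comma (same shape as the issue's lockfile).
const minimalLockfile = `{
  "name": "name-of-library",
  "version": "1.1.0",
  "lockfileVersion": 1
}`;

// Constructed sample: a dependencies block follows, so the comma is present.
const lockfileWithDeps = `{
  "name": "name-of-library",
  "version": "1.1.0",
  "lockfileVersion": 1,
  "dependencies": {}
}`;

// Brittle detection (hypothetical reconstruction of the failing approach):
// scans for a literal `"lockfileVersion": N,` string, comma included. It also
// depends on whitespace, so a minified `"lockfileVersion":1` would fail too.
function detectBySubstring(content: string): NpmLockfileVersion {
  for (const v of [1, 2, 3] as NpmLockfileVersion[]) {
    if (content.includes(`"lockfileVersion": ${v},`)) return v;
  }
  throw new Error('Unsupported npm lockfile version in package-lock.json');
}

// Robust detection: parse the document, read the property, then validate it
// against the versions the parser supports. Formatting no longer matters.
function detectByParsing(content: string): NpmLockfileVersion {
  let parsed: unknown;
  try {
    parsed = JSON.parse(content);
  } catch {
    throw new Error('package-lock.json is not valid JSON');
  }
  const version = (parsed as { lockfileVersion?: unknown } | null)?.lockfileVersion;
  if (version === 1 || version === 2 || version === 3) return version;
  throw new Error(
    `Unsupported npm lockfile version in package-lock.json: ${String(version)}`,
  );
}

// Runs one detector and reports the version, or null when it throws, so the
// two strategies can be compared side by side on the same input.
function tryDetect(
  detector: (content: string) => NpmLockfileVersion,
  content: string,
): NpmLockfileVersion | null {
  try {
    return detector(content);
  } catch {
    return null;
  }
}

// Stand-alone run: the substring check fails only on the minimal lockfile,
// while parsing handles both.
for (const [label, content] of [
  ['minimal', minimalLockfile],
  ['with deps', lockfileWithDeps],
] as const) {
  console.log(
    label,
    'substring:', tryDetect(detectBySubstring, content),
    'parsed:', tryDetect(detectByParsing, content),
  );
}
```

The parse-first version is also the safer one to reason about: a lockfile is JSON, so a JSON parser is the only component that should decide what its fields contain, and any version outside the supported set is rejected explicitly rather than by accident of formatting.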