sonatype-nexus-community / auditjs

Audits an NPM package.json file to identify known vulnerabilities.
https://www.npmjs.com/package/auditjs
Apache License 2.0

Running with --prod causing RangeError: Maximum call stack size exceeded #41

Closed jdillick closed 6 years ago

jdillick commented 6 years ago

Node v8.9.1 (installed on MacOS 10.13.3)

package.json dep lists:

{ "dependencies": { "axios": "^0.17.1", "babel-core": "^6.24.1", "babel-loader": "^7.0.0", "babel-plugin-react-transform": "^3.0.0", "babel-plugin-transform-object-rest-spread": "^6.26.0", "babel-plugin-transform-runtime": "^6.23.0", "babel-preset-env": "^1.6.1", "babel-preset-react": "^6.24.1", "babel-preset-stage-2": "^6.5.0", "body-parser": "^1.18.2", "browser-sync": "2.13.0", "chalk": "^2.3.0", "concept": "^0.1.3", "cookie-parser": "^1.4.3", "cookie-session": "^2.0.0-beta.3", "cors": "^2.8.4", "del": "^2.2.2", "directory-tree": "^2.0.0", "express": "^4.16.2", "express-http-proxy": "^1.1.0", "globby": "^7.1.1", "gsap": "^1.20.4", "gulp": "^3.9.1", "gulp-autoprefixer": "^3.1.1", "gulp-concat": "^2.6.1", "gulp-csso": "^2.0.0", "gulp-if": "^2.0.2", "gulp-install": "^0.6.0", "gulp-less": "^3.3.2", "gulp-nodemon": "^2.2.1", "gulp-sass": "^3.1.0", "gulp-sourcemaps": "^2.4.1", "gulp-util": "^3.0.8", "handlebars": "^4.0.11", "http-auth": "^3.2.3", "jshint": "^2.9.4", "jshint-loader": "^0.8.4", "moment": "^2.20.1", "morgan": "^1.9.0", "nodemon": "^1.14.11", "npm-run-all": "^4.1.2", "parse": "^1.11.0", "passport": "^0.4.0", "query-string": "^5.1.0", "react": "^16.2.0", "react-alice-carousel": "^1.9.0", "react-dom": "^16.2.0", "react-helmet": "^5.2.0", "react-jsx-parser": "^1.2.5", "react-redux": "^5.0.6", "react-router-config": "^1.0.0-beta.4", "react-router-dom": "^4.2.2", "readdir-recursive": "0.0.4", "redux": "^3.7.2", "redux-devtools": "^3.4.1", "redux-devtools-dock-monitor": "^1.1.2", "redux-devtools-log-monitor": "^1.4.0", "redux-localstorage-simple": "^1.3.1", "redux-super-thunk": "0.0.6", "run-sequence": "^1.2.2", "serialize-javascript": "^1.4.0", "slug": "^0.9.1", "striptags": "^3.1.1", "uglifyjs-webpack-plugin": "^0.4.3", "underscore": "*", "vinyl-source-stream": "^1.1.0", "virtual-module-webpack-plugin": "^0.3.0", "webpack": "^3.9.1", "webpack-node-externals": "^1.6.0", "webpack-stream": "^4.0.1", "window-or-global": "^1.0.1", "yargs": "^10.0.3" }, 
"devDependencies": { "enzyme": "^3.3.0", "enzyme-adapter-react-16": "^1.1.1", "eslint": "^4.17.0", "eslint-plugin-mocha": "^4.11.0", "eslint-plugin-react": "^7.6.1", "mocha": "^5.0.0", "react-test-renderer": "^16.2.0" } }

Starting with --stack-size will eventually seg fault:

e.g. node --stack_size=2500 $(which auditjs) --prod -l error

ken-duck commented 6 years ago

Thanks for the information. I will look into the issue.

ken-duck commented 6 years ago

Odd. Initial tests with node v8.2.1 on Mac OS 10.13.3 work fine. I also tried dropping the stack size down to 250 and it still worked.

It also seems to work with node v8.10.0 (which I just upgraded to).

How did you install node? Is there any other information that you think may be helpful?

ken-duck commented 6 years ago

Works at the default stack size for me as well. What version of audit.js are you running?

auditjs --version

jdillick commented 6 years ago

@ken-duck I installed node with nvm. Running auditjs 2.4.2.

jasonblalock commented 6 years ago

I ran into the same issue. Running in the official node:8 docker image with create-react-app.

Node version: 8.11.3 auditjs version: 2.4.3

Command: yarn run auditjs --production

Output:

node@25dda98d925d:/app$ yarn run auditjs --production
yarn run v1.6.0
$ /app/node_modules/.bin/auditjs --production
Unhandled rejection RangeError: Maximum call stack size exceeded
    at String.replace (<anonymous>)
    at lookupSpecMatch (/app/node_modules/auditjs/audit.js:550:24)
    at getDepsFromDataObject (/app/node_modules/auditjs/audit.js:588:25)
    at getDependencyList (/app/node_modules/auditjs/audit.js:513:24)
    at getDependencyList (/app/node_modules/auditjs/audit.js:515:22)
    at getDependencyList (/app/node_modules/auditjs/audit.js:515:22)
    at getDependencyList (/app/node_modules/auditjs/audit.js:515:22)
    at getDependencyList (/app/node_modules/auditjs/audit.js:515:22)
    at getDependencyList (/app/node_modules/auditjs/audit.js:515:22)
    at getDependencyList (/app/node_modules/auditjs/audit.js:515:22)
    at getDependencyList (/app/node_modules/auditjs/audit.js:515:22)
    at getDependencyList (/app/node_modules/auditjs/audit.js:515:22)
    at getDependencyList (/app/node_modules/auditjs/audit.js:515:22)
    at getDependencyList (/app/node_modules/auditjs/audit.js:515:22)
    at getDependencyList (/app/node_modules/auditjs/audit.js:515:22)
    at getDependencyList (/app/node_modules/auditjs/audit.js:515:22)

Audited dependencies: 0, Vulnerabilities: 0, Ignored: 0
Done in 22.13s.

ken-duck commented 6 years ago

Heavy. Thanks for the information. I will dig into this further.

heinosasshallik commented 6 years ago

Also getting this error when running auditjs-win --prod. Version 2.4.4. Any fixes?

ken-duck commented 6 years ago

Not yet, as I have been away for a couple of weeks. I am back as of yesterday. I will attempt to resolve the issue today since this obviously affects several people.

Ken

On Jul 10, 2018, at 4:00 PM, Heino Sass Hallik notifications@github.com wrote:

Also getting this error when running auditjs-win --prod. Version 2.4.4. Any fixes?


ken-duck commented 6 years ago

OK, I might have a fix pushed up now. I have not reproduced the problem itself, but I figured out where the code was wrong and likely allowing infinite recursion to happen.

When you get a chance can you try the fix and let me know if it worked?

Possible fix in version 2.4.5
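The trace jasonblalock posted shows getDependencyList calling itself until V8 gives up, and the run then prints "Audited dependencies: 0, Vulnerabilities: 0" and exits normally, which is an audit that fails open. The following is an added illustration of that failure mode and the usual guard against it; it is not auditjs code and does not claim to be the actual defect or the 2.4.5 fix. The lockfile-like graph is constructed for the example (including a deliberate left-pad -> pad-helper -> left-pad cycle and one unresolved dependency), and the function names are my own.

```javascript
// Added example (not auditjs code): a recursive dependency walk with and
// without a cycle guard. Everything below is constructed for illustration.

// Constructed lockfile-style graph: "name@version" -> resolved edges.
// Contains a cycle (left-pad -> pad-helper -> left-pad) and one dependency
// that is declared but not present in the graph (readdir-recursive).
const GRAPH = {
  'app@1.0.0': {
    dependencies: { express: '4.16.2', 'left-pad': '1.3.0', 'readdir-recursive': '0.0.4' },
    devDependencies: { mocha: '5.0.0' },
  },
  'express@4.16.2': { dependencies: { 'body-parser': '1.18.2' } },
  'body-parser@1.18.2': { dependencies: {} },
  'left-pad@1.3.0': { dependencies: { 'pad-helper': '0.1.0' } },
  'pad-helper@0.1.0': { dependencies: { 'left-pad': '1.3.0' } },
  'mocha@5.0.0': { dependencies: {} },
};

function keyOf(name, version) {
  return `${name}@${version}`;
}

// Naive walk: follows every edge with no memory of what it has already seen.
// On a cyclic graph it recurses until the engine throws
// "RangeError: Maximum call stack size exceeded".
function collectDepsNaive(graph, key, prodOnly, out = []) {
  const pkg = graph[key];
  if (!pkg) return out;
  out.push(key);
  const edges = Object.entries(pkg.dependencies || {});
  if (!prodOnly) edges.push(...Object.entries(pkg.devDependencies || {}));
  for (const [name, version] of edges) {
    collectDepsNaive(graph, keyOf(name, version), prodOnly, out);
  }
  return out;
}

// Guarded walk: a visited set turns the traversal into a plain DFS that
// handles each name@version once, so cycles terminate and a dependency shared
// by several parents is audited a single time. Unresolved dependencies are
// recorded instead of silently dropped, so the report can say what was missed.
function collectDeps(graph, root, prodOnly) {
  const visited = new Set();
  const missing = new Set();
  const walk = (key) => {
    if (visited.has(key)) return; // cycle or shared dependency: already handled
    visited.add(key);
    const pkg = graph[key];
    if (!pkg) {
      missing.add(key);
      return;
    }
    const edges = Object.entries(pkg.dependencies || {});
    if (!prodOnly) edges.push(...Object.entries(pkg.devDependencies || {}));
    for (const [name, version] of edges) walk(keyOf(name, version));
  };
  walk(root);
  visited.delete(root); // the project itself is not one of its dependencies
  return {
    deps: [...visited].filter((k) => graph[k]).sort(),
    missing: [...missing].sort(),
  };
}

// Runs the naive walk and classifies how it ends, so the overflow can be
// demonstrated without crashing the process.
function naiveOutcome(graph, root, prodOnly) {
  try {
    collectDepsNaive(graph, root, prodOnly);
    return 'completed';
  } catch (e) {
    return e instanceof RangeError ? 'RangeError' : 'other error';
  }
}

console.log('naive walk from app@1.0.0:', naiveOutcome(GRAPH, 'app@1.0.0', true));
console.log('guarded walk (--prod):', collectDeps(GRAPH, 'app@1.0.0', true));
console.log('guarded walk (all):', collectDeps(GRAPH, 'app@1.0.0', false));
```

The practical takeaway for anyone wiring an audit into CI: treat a crashed walk as a failed audit, not as "0 vulnerabilities". A tool that reports an empty result after an unhandled rejection should be made to exit non-zero, or the pipeline should check that the audited-dependency count is plausible before trusting the verdict.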

heinosasshallik commented 6 years ago

The problem resolved after updating to 2.4.5. Thank you!

ken-duck commented 6 years ago

Great to hear. Thanks for the help.

So you know, 3.0.0 (beta) will be released shortly. You will have to explicitly ask for it till it is out of beta, but it uses the new OSS Index 3.0 API which provides access to many more vulnerabilities, and is the database that will continue to grow while 2.x will be deprecated. There are still a few minor features required (username/token for higher rate limit) but it is usable. For many (most) situations an account will likely not be required (somewhere around 2000+ packages for unregistered users; it is a bit fuzzy due to how the rate limiting is implemented).

ken-duck commented 6 years ago

Closing the issue unless the problem still exists for some users...

heinosasshallik commented 6 years ago

I would very much like access to the beta :)

ken-duck commented 6 years ago

The 3.0.0 beta is now available.

https://www.npmjs.com/package/auditjs/v/3.0.0

I have not updated the README yet. You will find most things work the same as they used to. There are several new features which need to be documented.

One thing to note is that the API is rate limited. It is unlikely to be a problem in most cases, but you can increase the rate limit by registering for an account at https://ossindex.sonatype.org; you can use your username (email address) and security token (on your settings page). Instead of putting this info on the command line you can use a config file, but I still need to document that.

I am interested in any feedback. I have not fully tested all options, I suspect, but most situations should hopefully work fine.