-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent blowing up on audit malformed response #42
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More defensive programming in general would help use with things like artifactory, that may not meet the CLI’s implicit assumptions about data format.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems fine, but I'd like to have a warning if metadata
is missing like this. There's definitely a bug in our services somewhere if that happens (or in npm-audit-report
, so I'd like to make sure we don't just hide the problem.
@@ -834,7 +834,7 @@ Installer.prototype.printInstalledForHuman = function (diffs, auditResult) { | |||
if (removed) actions.push('removed ' + packages(removed)) | |||
if (updated) actions.push('updated ' + packages(updated)) | |||
if (moved) actions.push('moved ' + packages(moved)) | |||
if (auditResult && auditResult.metadata.totalDependencies) { | |||
if (auditResult && auditResult.metadata && auditResult.metadata.totalDependencies) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this is missing, there's definitely an issue with the endpoint. I'd rather spit out a warning here if this happens, so we can make sure to track it down. In the future, it might also be good to have npm-audit-report
verify the data we get from the server and warn accordingly, and we can remove the warning from lib/install.js
at that point.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There could also be a bug in a non-npm registry - like artifactory - if they implemented audit support but did it incorrectly?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, the intention is also to cover non-npm registries, but I didn't think this was necessarily an artifactory issue. If so, then yeah, they should fix their stuff.
I added a warn using |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 LGTM
I poked at it a little, but this works :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Everything looks awesome. Thank you!
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
npm is failing our builds with:
which it's coming out of auditing
There must be something wrong in whatever code is generating the response - this only prevents blowing up a valid installation because of this.