nativescript-cli
'npm audit' is broken since v6.3.0
Environment
Provide version numbers for the following components (information can be retrieved by running tns info in your project folder or by inspecting the package.json of the project):
- CLI: 6.3.0+
- Cross-platform modules:
- Android Runtime:
- iOS Runtime:
- Plugin(s):
Describe the bug
Npm returns the following error when running npm audit on the cloned repo or any other project that has the nativescript cli 6.3.0+ in dependencies/devDependencies:
npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.
npm ERR! audit The server said: Invalid package tree, run npm install to rebuild your package-lock.json
Full log:
0 info it worked if it ends with ok
1 verbose cli [ '/Users/nsch/.nvm/versions/node/v10.16.0/bin/node',
1 verbose cli '/Users/nsch/.nvm/versions/node/v10.16.0/bin/npm',
1 verbose cli 'audit' ]
2 info using npm@6.14.2
3 info using node@v10.16.0
4 verbose npm-session 889c098014892da6
5 http fetch POST 400 https://registry.npmjs.org/-/npm/v1/security/audits 480ms
6 verbose stack Error: Your configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.
6 verbose stack The server said: Invalid package tree, run npm install to rebuild your package-lock.json
6 verbose stack at Bluebird.all.spread.then.catch (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/lib/audit.js:204:18)
6 verbose stack at tryCatcher (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/util.js:16:23)
6 verbose stack at Promise._settlePromiseFromHandler (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:517:31)
6 verbose stack at Promise._settlePromise (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:574:18)
6 verbose stack at Promise._settlePromise0 (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:619:10)
6 verbose stack at Promise._settlePromises (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:695:18)
6 verbose stack at _drainQueueStep (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:138:12)
6 verbose stack at _drainQueue (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:131:9)
6 verbose stack at Async._drainQueues (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:147:5)
6 verbose stack at Immediate.Async.drainQueues [as _onImmediate] (/Users/nsch/.nvm/versions/node/v10.16.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:17:14)
6 verbose stack at runCallback (timers.js:705:18)
6 verbose stack at tryOnImmediate (timers.js:676:5)
6 verbose stack at processImmediate (timers.js:658:5)
7 verbose cwd /Users/nsch/test/test-package
8 verbose Darwin 18.7.0
9 verbose argv "/Users/nsch/.nvm/versions/node/v10.16.0/bin/node" "/Users/nsch/.nvm/versions/node/v10.16.0/bin/npm" "audit"
10 verbose node v10.16.0
11 verbose npm v6.14.2
12 error code ENOAUDIT
13 error audit Your configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.
13 error audit The server said: Invalid package tree, run npm install to rebuild your package-lock.json
14 verbose exit [ 1, true ]
To Reproduce
Add "nativescript": "6.3.0" to any project, run npm install with a clean node_modules folder & run npm audit. Or clone this repo and checkout to any version that is 6.3.0 or higher, run npm install and then run npm audit. On version 6.2.1 everything seems to be working.
Expected behavior
Be able to see a normal npm audit output.
@NickSch1 try to update CLI to the latest version (6.4.1) - it works as expected on my side.
found 8 moderate severity vulnerabilities in 9434 scanned packages
run `npm audit fix` to fix 3 of them.
5 vulnerabilities require manual review. See the full report for details.
I still have the problem for every version from 6.3.0 and upwards. Including 6.4.1.
The problem also happens when I'm using the following package.json containing just the cli:
{
  "name": "test-package",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "nativescript": "6.4.1"
  },
  "author": "",
  "license": "ISC"
}
As noted earlier when I use 6.2.1 npm audit works without any problems.
I also tried version 6.5.0 and the problem still persists.
I also tried installing with npm install --cache /tmp/empty-cache to make sure there weren't any corrupted files in my npm cache.
@NickIliev Could you provide your NPM & Node versions? Just to make sure it isn't an issue with the versions of Node I tried it with.
D:\test\nativescript-foo-no-demo>npm --version
6.11.3
D:\test\nativescript-foo-no-demo>node --version
v10.15.0
Thanks for the quick response! Sadly I still get the same issue with these versions.
I have the same problem. My ver is 6.14.4
This problem still persists:
$ nativescript --version
7.0.10
$ node --version
v14.14.0
$ npm --version
6.14.8
The cause seems to be having npm dependencies not specified by version, but via Git URL: See https://github.com/NativeScript/nativescript-cli/blob/master/package.json
"dependencies": {
...
"zipstream": "https://github.com/Icenium/node-zipstream/tarball/master"
}
I'm seeing this same issue, but in my case I have some packages installed from local tarball files like so:
"dependencies": {
...
"my-package": "file:pkgs/my-package-1.2.3.tgz"
...
}
npm audit fails with these in place, but succeeds when I remove them.
With npm version 6.14.12, I am experiencing the same with local tarball files.
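The pattern reported in the comments above (npm audit failing when a dependency is given as a tarball URL or a local file: tarball) can be checked for before running the audit. The following is an added example, not code from this thread or from the NativeScript project; the function names, the sample objects and the lockfileVersion 1 layout it reads are assumptions made for illustration.

```javascript
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns 'file', 'git' or 'url' for a non-registry specifier, otherwise null.
function classifySpec(spec) {
  if (typeof spec !== 'string') return null;
  if (/^file:|^\.{0,2}\//.test(spec)) return 'file';
  if (/^git(\+[a-z]+)?:|^(github|gitlab|bitbucket|gist):/.test(spec)) return 'git';
  if (/^https?:\/\//.test(spec)) return 'url';
  return null; // semver version, range, dist-tag or npm: alias
}

// Direct dependencies declared in a parsed package.json.
function scanManifest(pkg) {
  const hits = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifySpec(spec);
      if (kind) hits.push({ name, spec, kind, via: section });
    }
  }
  return hits;
}

// Transitive dependencies in a parsed lockfileVersion 1 package-lock.json.
// Assumed layout: nested "dependencies"; each entry may list "requires".
function scanLockfile(node) {
  const hits = [];
  for (const [name, entry] of Object.entries(node.dependencies || {})) {
    for (const [dep, spec] of Object.entries(entry.requires || {})) {
      const kind = classifySpec(spec);
      if (kind) hits.push({ name: dep, spec, kind, via: name });
    }
    hits.push(...scanLockfile(entry));
  }
  return hits;
}

// Constructed inputs that reuse the specifiers quoted in the thread.
const sampleManifest = {
  devDependencies: { nativescript: '6.4.1' },
  dependencies: { 'my-package': 'file:pkgs/my-package-1.2.3.tgz' },
};
const sampleLock = { lockfileVersion: 1, dependencies: { nativescript: {
  version: '6.4.1',
  requires: { zipstream: 'https://github.com/Icenium/node-zipstream/tarball/master' },
} } };

console.log(scanManifest(sampleManifest), scanLockfile(sampleLock));
```

Each hit names the package, its specifier and what pulls it in, which also identifies the dependencies that a registry-based audit cannot look up by version and that need review by other means.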