
[BUG] Cannot convert undefined or null to object on unpublished package

Open grassick opened this issue 3 years ago • 4 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

When doing npm install and there is a package installed from github that has the same name as an unpublished package in npm, the error "Cannot convert undefined or null to object" appears. See https://github.com/npm/metavuln-calculator/pull/7#issuecomment-989099759 and https://github.com/npm/metavuln-calculator/issues/12

The security audit causes a crash in npm. We cannot easily rename internally managed packages simply to avoid colliding with an unpublished npm package.

Expected Behavior

I expected the install to succeed (as it did in npm version 6).

Steps To Reproduce

  1. Create a package.json that references a github repository with the same name as an unpublished package. e.g.
  "dependencies": {
    "mwater-forms": "github:mWater/mwater-forms"
  },

  2. With latest npm
  3. Run npm install
  4. See error: "Cannot convert undefined or null to object"

Environment

  • npm: 8.3.2
  • Node.js: v16.13.2
  • OS Name: Mint 20.3
  • System Model Name: Dell?
  • npm config:
; "user" config from /home/clayton/.npmrc

//registry.npmjs.org/:_authToken = (protected) 

; node bin location = /home/clayton/.nvm/versions/node/v16.13.2/bin/node
; cwd = /home/clayton/dev/scratch/failnpm
; HOME = /home/clayton
; Run `npm config ls -l` to show all defaults.

grassick avatar Jan 23 '22 21:01 grassick

Same here for npm install <tarball file>. Works with npm install <tarball file> --no-audit though...

booooza avatar Mar 15 '22 15:03 booooza

Same here.

30 verbose stack TypeError: Cannot convert undefined or null to object
30 verbose stack     at Function.keys (<anonymous>)
30 verbose stack     at Deprecate.exec (/usr/local/lib/node_modules/npm/lib/commands/deprecate.js:55:12)
30 verbose stack     at async module.exports (/usr/local/lib/node_modules/npm/lib/cli.js:66:5)
31 verbose cwd /Users/krinkle/Development/mediawiki/extensions/VisualEditor/lib/ve
32 verbose Darwin 19.6.0
33 verbose argv "/usr/local/Cellar/node/17.4.0/bin/node" "/usr/local/bin/npm" "deprecate" "[email protected]" "Install by other means: https://www.mediawiki.org/wiki/VisualEditor"
34 verbose node v17.4.0
35 verbose npm  v8.3.1

Krinkle avatar Mar 24 '22 18:03 Krinkle

Is there a plan to fix this at any point in the near future or should we be using --no-audit to get around it?

cody-lettau avatar Jul 25 '22 13:07 cody-lettau

I'm seeing the same error, Cannot convert undefined or null to object.

In my case, --no-audit doesn't change the behavior, I still see the same error.

Here's the debug stack trace, in case it's useful.

TypeError: Cannot convert undefined or null to object
    at Function.keys (<anonymous>)
    at module.exports (~/n/lib/node_modules/npm/node_modules/npm-pick-manifest/lib/index.js:213:22)
    at RegistryFetcher.manifest (~/n/lib/node_modules/npm/node_modules/pacote/lib/registry.js:125:22)
    at async Arborist.[nodeFromEdge] (~/n/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:1107:19)
    at async Arborist.[buildDepStep] (~/n/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:976:11)
    at async Arborist.buildIdealTree (~/n/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:218:7)
    at async Promise.all (index 1)
    at async Arborist.reify (~/n/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js:154:5)
    at async Install.exec (~/n/lib/node_modules/npm/lib/commands/install.js:145:5)
    at async module.exports (~/n/lib/node_modules/npm/lib/cli.js:78:5)

What's interesting is that the error is coming from npm-pick-manifest in my case, but for someone else who commented earlier, the same error occurred in npm/lib/commands/deprecate.js. I checked both places, and the errors have the same reason: doing Object.keys(packument.versions) when the variable packument.versions is undefined or null.

https://github.com/npm/npm-pick-manifest/blob/2c9d25f97663b72253828cb540d598c35b8920a7/lib/index.js#L213

https://github.com/npm/cli/blob/ca756fda3e0ddff2c0aeb85c21b10977c8bce3b6/lib/commands/deprecate.js#L57


EDIT: I found that it was happening because the project where I ran npm install had a non-existing npm module in its package.json. (Not relevant but it was ts-transformer-unassert which apparently doesn't exist anymore.) When I remove that line, the error no longer occurs.

The bug is that somewhere packument.versions is being set to null or undefined when there's a non-existing package, causing errors downstream in other places where that variable is expected to be an object.

eliot-akira avatar Aug 05 '22 15:08 eliot-akira
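The failure mode described in the comment above, as an added example that is not code from npm, npm-pick-manifest or any commenter: it contrasts the unguarded Object.keys call with a guarded lookup that reports a descriptive error. The helper names and both packuments are hypothetical and constructed for illustration, including the assumed shape of an unpublished packument (no versions key).

```javascript
// Added example: hypothetical helpers, not npm-pick-manifest's own code.
// Constructed packuments; the unpublished shape (no `versions`) is assumed.
const published = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.1.0' },
  versions: { '1.0.0': { version: '1.0.0' }, '1.1.0': { version: '1.1.0' } },
};
const unpublished = {
  name: 'example-pkg',
  time: { unpublished: { time: '2021-01-01T00:00:00.000Z' } },
};

// The failing pattern from the stack traces: throws a TypeError when
// `versions` is undefined or null.
function versionsUnguarded(packument) {
  return Object.keys(packument.versions);
}

// Guarded form: a missing or non-object `versions` means "no versions".
function versionsGuarded(packument) {
  const v = packument && packument.versions;
  return v && typeof v === 'object' ? Object.keys(v) : [];
}

// Resolve a dist-tag or exact version. When nothing matches, fail with an
// error that names the package instead of crashing on the packument shape.
function pick(packument, wanted = 'latest') {
  const name = (packument && packument.name) || '(unknown)';
  const versions = versionsGuarded(packument);
  const tags = (packument && packument['dist-tags']) || {};
  const resolved = tags[wanted] || wanted;
  if (!versions.includes(resolved)) {
    const err = new Error(`No matching version found for ${name}@${wanted}`);
    err.code = 'ETARGET'; // code chosen for this example
    throw err;
  }
  return packument.versions[resolved];
}

// Run fn and return either its result or a summary of the thrown error.
function attempt(fn) {
  try { return { ok: fn() }; }
  catch (e) { return { error: `${e.name}: ${e.message}`, code: e.code }; }
}

console.log(attempt(() => versionsUnguarded(unpublished)).error);
console.log(attempt(() => pick(unpublished)).error);
console.log(pick(published).version);
```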

Are there any plans to fix this issue? The issue isn't with npm install or npm ci; it's actually with the npm audit command, which runs during the former commands, and that's what is breaking. Very frustrating.

dillonthompson avatar Jan 05 '23 18:01 dillonthompson

The interesting thing is that it is happening to me in a Docker container only!! If I run npm install outside Docker, then it works normally?!

AhmedBHameed avatar Jan 17 '23 14:01 AhmedBHameed

This bug is very annoying. Any plans to fix it?

ryaa avatar Jan 23 '23 05:01 ryaa

This bug is preventing us from using npm audit in CI pipelines.

JockVanDallas avatar Mar 17 '23 11:03 JockVanDallas

For me it seems like this is a lockfileVersion upgrade issue.. upgrading from 1 to 2 (node 14 to 16, npm v6.14.18 to v8.19.4)

When inspecting node --inspect $(which npm) install using vscode auto-attach <3 It looks like the actual error that it's trying to print is No matching version found for <some library> where is "ftnt-devops-ci": "https://github.com/fortinet/ftnt-devops-ci/releases/download/1.1.7/ftnt-devops-ci-1.1.7.tgz",

This helps print the correct error: /.nvm/versions/node/v16.13.2/lib/node_modules/npm/node_modules/npm-pick-manifest/index.js

-    versions: Object.keys(packument.versions),
+    versions: Object.keys(packument.versions || {}),
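Review bot: the "|| {}" fallback on the versions: line guards only this one Object.keys call, while the thread shows the same Object.keys(packument.versions) TypeError raised from lib/commands/deprecate.js. Consider normalising a missing versions field once, where the packument is received, or applying the same guard at each call site, and add a test with a packument that has no versions so the "No matching version found" path is covered.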

This worked for me to upgrade the package-lock.json from v1 to v2; replace ftnt-devops-ci... with your problem package. Maybe this can be shortened, but I've already spent too long on this :D

git checkout package-lock.json # restore your original package-lock
nvm use 16
npm install https://github.com/fortinet/ftnt-devops-ci/releases/download/1.1.7/ftnt-devops-ci-1.1.7.tgz
nvm use 14
npm install https://github.com/fortinet/ftnt-devops-ci/releases/download/1.1.7/ftnt-devops-ci-1.1.7.tgz
nvm use 16
npm install

jamie-pate avatar May 12 '23 19:05 jamie-pate

We had the problem with a slightly different use case. For us, we didn't have the issue with an unpublished package, but rather with using npm: as a prefix. It can be reproduced by using the following package.json and the, to date, latest npm@8 (v8.19.4):

{
  "name": "npm-bug",
  "dependencies": {
    "trim": "0.0.2",
    "my-trim": "npm:[email protected]"
  }
}

It has the same symptoms in that it fails at the exact same position (and also won't fail when running npm i --no-audit). Apparently it got fixed with [email protected] or, to be more precise, with @npmcli/[email protected]: https://github.com/npm/cli/commit/14c498d7dbc13e0bc0f1d9438c0f7f1abd7f98d8. I am not quite sure about the release process of npm, but this commit looks like it can be taken 1:1 to npm@8.

I would say this issue is related to this PR https://github.com/npm/cli/pull/6363 and this issue as well #5110

JPeer264 avatar Jun 23 '23 06:06 JPeer264