[NEXUS-24917] npm audit fails for packages that are not all lowercase - Sonatype JIRA

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.26.1
Fix Version/s: 3.27.0
Component/s: npm-audit
Labels:
- aop-maintenance
- supportant

Description

Configure npm to use a Nexus Repo proxy repository with remote of https://registry.npmjs.org.

npm config set registry http://localhost:8081/repository/npm-proxy

Create a package.json file with this for the contents:

{
  "name": "testproject",
  "version": "0.0.1",
  "description": "Test Project",
  "main": "index.js",
  "dependencies": {
    "JSONStream": "1.3.5"
  },
  "author": "JohnDoe",
  "license": "ISC"
}

Run:

npm install -d
npm audit

This will fail with a warning and a stack trace:

2020-08-13 10:13:45,530-0500 WARN [qtp2043467374-54] *UNKNOWN org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler - Can't get hashsum for the appId [null] type [npm] name [jsonstream] version [1.3.5] package
org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException: Can't get hashsum for the appId [null] type [npm] name [jsonstream] version [1.3.5] package
at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:131)
at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getAuditRepositoryComponents(NpmAuditFacet.java:238)
at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getComponentsVulnerabilityFromRemoteServer(NpmAuditFacet.java:211)
at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.analyzeComponents(NpmAuditFacet.java:186)
at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.audit(NpmAuditFacet.java:140)
at org.sonatype.nexus.repository.npm.internal.NpmGroupAuditHandler.handle(NpmGroupAuditHandler.java:41)
at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
at org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler.handle(NpmAuditErrorHandler.java:67)
at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
at org.sonatype.nexus.repository.storage.UnitOfWorkHandler.handle(UnitOfWorkHandler.java:39)
at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
at com.sonatype.analytics.internal.handler.AnalyticsMeteringHandler.handle(AnalyticsMeteringHandler.java:69)
at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
at org.sonatype.nexus.repository.view.handlers.TimingHandler.handle(TimingHandler.java:58)
at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
at com.sonatype.analytics.internal.handler.AnalyticsNpmAuditHandler.handle(AnalyticsNpmAuditHandler.java:55)
at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80)
at org.sonatype.nexus.repository.view.Context.start(Context.java:114)
at org.sonatype.nexus.repository.view.Router.dispatch(Router.java:65)
at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:52)
at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:43)
at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.dispatchAndSend(ViewServlet.java:213)
at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.doService(ViewServlet.java:175)
at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.service(ViewServ

But the package does exist on the remote:

https://registry.npmjs.org/JSONStream/-/JSONStream-1.3.5.tgz

Note that the log message indicates it is looking for "jsonstream", not "JSONStream'. So it seems that npm audit does not work for npm packages that have mixed case names.

Expected:

Attachments

Activity

People

Assignee:: Mark Dodgson

Reporter:: Rich Seddon

Last Updated By:: Joseph Stephens

Team:: NXRM - Trinity

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 08/13/20 03:20 PM

Updated:: 10/21/20 06:42 PM

Resolved:: 08/19/20 10:57 AM

Date of First Response:: 13/Aug/20 4:28 PM

npm audit fails for packages that are not all lowercase