Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Can't Install Two Versions of Vulnerable Package #7921

Closed
2 tasks done
sahin52 opened this issue Nov 19, 2024 · 3 comments
Closed
2 tasks done

[BUG] Can't Install Two Versions of Vulnerable Package #7921

sahin52 opened this issue Nov 19, 2024 · 3 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps

Comments

@sahin52
Copy link

sahin52 commented Nov 19, 2024

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

TLDR: I am trying to install two versions of a vulnerable package, both are needed. Getting Cannot read properties of null (reading 'name') and packages are not installed.

Expected Behavior

Two versions could be installed together. I also added vulnerabilities to allowlist of audit-ci, but still can 't install.

Steps To Reproduce

  • Using Windows 11, with the latest nodejs and npm version.
  • This is the package.json:
{
  "dependencies": {
    "froala-editor" : "4.0.4",
    "froala-editor-3": "npm:[email protected]"
  }
}

I have no other file, to be able to test properly.

C:\scripts\test> npm i
npm error Cannot read properties of null (reading 'name')
npm error A complete log of this run can be found in: C:\Users\sahin\AppData\Local\npm-cache\_logs\2024-11-19T19_31_49_077Z-debug-0.log

C:\Users\sahin\AppData\Local\npm-cache\_logs\2024-11-19T19_31_49_077Z-debug-0.log


0 verbose cli C:\Program Files\nodejs\node.exe C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js
1 info using [email protected]
2 info using [email protected]
3 silly config load:file:C:\ProgramData\nvm\v22.11.0\node_modules\npm\npmrc
4 silly config load:file:C:\script\test\.npmrc
5 silly config load:file:C:\Users\sahin\.npmrc
6 silly config load:file:C:\Program Files\nodejs\etc\npmrc
7 verbose title npm i
8 verbose argv "i"
9 verbose logfile logs-max:10 dir:C:\Users\sahin\AppData\Local\npm-cache\_logs\2024-11-19T19_31_49_077Z-
10 verbose logfile C:\Users\sahin\AppData\Local\npm-cache\_logs\2024-11-19T19_31_49_077Z-debug-0.log
11 silly logfile start cleaning logs, removing 1 files
12 silly packumentCache heap:2197815296 maxSize:549453824 maxEntrySize:274726912
13 silly logfile done cleaning log files
14 silly idealTree buildDeps
15 silly fetch manifest [email protected]
16 silly packumentCache full:https://registry.npmjs.org/froala-editor cache-miss
17 http fetch GET 200 https://registry.npmjs.org/froala-editor 20ms (cache hit)
18 silly packumentCache full:https://registry.npmjs.org/froala-editor set size:317881 disposed:false
19 silly placeDep ROOT [email protected] OK for:  want: 4.0.4
20 silly reify moves {}
21 silly audit bulk request { 'froala-editor': [ '3.2.6', '4.0.4' ] }
22 http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 735ms
23 silly audit report {
23 silly audit report   'froala-editor': [
23 silly audit report     {
23 silly audit report       id: 1091063,
23 silly audit report       url: 'https://github.com/advisories/GHSA-97x5-cc53-cv4v',
23 silly audit report       title: 'Cross site scripting in froala-editor',
23 silly audit report       severity: 'moderate',
23 silly audit report       vulnerable_versions: '<=4.0.6',
23 silly audit report       cwe: [Array],
23 silly audit report       cvss: [Object]
23 silly audit report     },
23 silly audit report     {
23 silly audit report       id: 1089624,
23 silly audit report       url: 'https://github.com/advisories/GHSA-cq6w-w5rj-p9x8',
23 silly audit report       title: 'Cross-site Scripting in Froala Editor',
23 silly audit report       severity: 'moderate',
23 silly audit report       vulnerable_versions: '<=3.2.6',
23 silly audit report       cwe: [Array],
23 silly audit report       cvss: [Object]
23 silly audit report     }
23 silly audit report   ]
23 silly audit report }
24 silly packumentCache corgi:https://registry.npmjs.org/froala-editor cache-miss
25 http fetch GET 200 https://registry.npmjs.org/froala-editor 6ms (cache hit)
26 silly packumentCache corgi:https://registry.npmjs.org/froala-editor set size:123226 disposed:false
27 verbose stack TypeError: Cannot read properties of null (reading 'name')
27 verbose stack     at npa (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\npm-package-arg\lib\npa.js:27:20)
27 verbose stack     at FetcherBase.get (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\pacote\lib\fetcher.js:466:16)
27 verbose stack     at Object.packument (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\pacote\lib\index.js:21:30)
27 verbose stack     at [packument] (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\@npmcli\metavuln-calculator\lib\index.js:109:22)
27 verbose stack     at [calculate] (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\@npmcli\metavuln-calculator\lib\index.js:57:23)
27 verbose stack     at Calculator.calculate (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\@npmcli\metavuln-calculator\lib\index.js:45:31)
27 verbose stack     at [init] (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\@npmcli\arborist\lib\audit-report.js:177:44)
27 verbose stack     at async AuditReport.run (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\@npmcli\arborist\lib\audit-report.js:109:7)
27 verbose stack     at async Arborist.reify (C:\ProgramData\nvm\v22.11.0\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\reify.js:268:24)
27 verbose stack     at async Install.exec (C:\ProgramData\nvm\v22.11.0\node_modules\npm\lib\commands\install.js:150:5)
28 error Cannot read properties of null (reading 'name')
29 silly unfinished npm timer reify 1732044709743
30 silly unfinished npm timer reify:audit 1732044709791
31 silly unfinished npm timer auditReport:init 1732044710528
32 silly unfinished npm timer metavuln:calculate:security-advisory:null:1T+MkCkiz8dOr313csFW2zcAfQFhPxwnD/+CXMs7K8vuujqv9BeJHoKLLBMpHOjOj+h3hpqouOBRP++2hROBmQ== 1732044710540
33 silly unfinished npm timer metavuln:packument:null 1732044710540
34 verbose cwd C:\script\test
35 verbose os Windows_NT 10.0.22631
36 verbose node v22.11.0
37 verbose npm  v10.9.0
38 verbose exit 1
39 verbose code 1
40 error A complete log of this run can be found in: C:\Users\sahin\AppData\Local\npm-cache\_logs\2024-11-19T19_31_49_077Z-debug-0.log

It generates Cannot read properties of null (reading 'name')

  • Removing one of the packages makes it work:
{
  "dependencies": {
    "froala-editor" : "4.0.4"
  }
}

or

{
  "dependencies": {
    "froala-editor-3": "npm:[email protected]"
  }
}

these work properly.
Also, same problem does not happen with at least one safe package, for example:

{
  "dependencies": {
    "froala-editor" : "4.3.1",
    "froala-editor-3": "npm:[email protected]"
  }
}

This package does not have a dependency, so it is not related to dependencies. Also adding audit-ci and allowing these vulnerabilities also does not change this behaviour

Environment

  • npm: 10.9.0
  • Node.js: 22.11.0
  • OS Name:
  • System Model Name: Windows 11
  • npm config:
PS C:\scripts\test> npm config ls
; node bin location = C:\Program Files\nodejs\node.exe
; node version = v22.11.0
; npm local prefix = C:\scripts\test
; npm version = 10.9.0
; cwd = C:\scripts\test
; HOME = C:\Users\skasap
; Run `npm config ls -l` to show all defaults.
@sahin52 sahin52 added Bug thing that needs fixing Needs Triage needs review for next steps labels Nov 19, 2024
@sahin52
Copy link
Author

sahin52 commented Nov 21, 2024

Again I'm unable to install two version of this package but getting another output:

0 verbose cli C:\Program Files\nodejs\node.exe C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js
1 info using [email protected]
2 info using [email protected]
3 silly config load:file:C:\Users\Sahin\AppData\Roaming\nvm\v22.11.0\node_modules\npm\npmrc
4 silly config load:file:C:\Users\Sahin\Desktop\Projects\temp\.npmrc
5 silly config load:file:C:\Users\Sahin\.npmrc
6 silly config load:file:C:\Program Files\nodejs\etc\npmrc
7 verbose title npm i
8 verbose argv "i"
9 verbose logfile logs-max:10 dir:C:\Users\Sahin\AppData\Local\npm-cache\_logs\2024-11-21T16_54_13_490Z-
10 verbose logfile C:\Users\Sahin\AppData\Local\npm-cache\_logs\2024-11-21T16_54_13_490Z-debug-0.log
11 silly logfile start cleaning logs, removing 1 files
12 silly packumentCache heap:4345298944 maxSize:1086324736 maxEntrySize:543162368
13 silly logfile done cleaning log files
14 silly idealTree buildDeps
15 silly fetch manifest froala-editor-3@npm:[email protected]
16 silly packumentCache full:https://registry.npmjs.org/froala-editor cache-miss
17 http fetch GET 200 https://registry.npmjs.org/froala-editor 29ms (cache hit)
18 silly packumentCache full:https://registry.npmjs.org/froala-editor set size:317881 disposed:false
19 silly placeDep ROOT [email protected] OK for:  want: npm:[email protected]
20 silly reify moves {}
21 silly audit bulk request { 'froala-editor': [ '4.0.4', '3.2.6' ] }
22 http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 907ms
23 silly audit report {
23 silly audit report   'froala-editor': [
23 silly audit report     {
23 silly audit report       id: 1091063,
23 silly audit report       url: 'https://github.com/advisories/GHSA-97x5-cc53-cv4v',
23 silly audit report       title: 'Cross site scripting in froala-editor',
23 silly audit report       severity: 'moderate',
23 silly audit report       vulnerable_versions: '<=4.0.6',
23 silly audit report       cwe: [Array],
23 silly audit report       cvss: [Object]
23 silly audit report     },
23 silly audit report     {
23 silly audit report       id: 1089624,
23 silly audit report       url: 'https://github.com/advisories/GHSA-cq6w-w5rj-p9x8',
23 silly audit report       title: 'Cross-site Scripting in Froala Editor',
23 silly audit report       severity: 'moderate',
23 silly audit report       vulnerable_versions: '<=3.2.6',
23 silly audit report       cwe: [Array],
23 silly audit report       cvss: [Object]
23 silly audit report     }
23 silly audit report   ]
23 silly audit report }
24 silly packumentCache corgi:https://registry.npmjs.org/froala-editor cache-miss
25 http fetch GET 200 https://registry.npmjs.org/froala-editor 15ms (cache hit)
26 silly packumentCache corgi:https://registry.npmjs.org/froala-editor set size:123226 disposed:false
27 verbose cwd C:\Users\Sahin\Desktop\Projects\temp
28 verbose os Windows_NT 10.0.19045
29 verbose node v22.11.0
30 verbose npm  v10.9.0
31 verbose exit 1
32 verbose code 1
33 error A complete log of this run can be found in: C:\Users\Sahin\AppData\Local\npm-cache\_logs\2024-11-21T16_54_13_490Z-debug-0.log

@kchindam-infy
Copy link

@sahin52 first run the npm init -y to create a package.json with necessary metadata and then add your dependencies.
I have followed the proper procedure and I was able to install the packages without an issue.

kchindam-infy@kalyankumars-MacBook-Pro test % node -v
v23.3.0
kchindam-infy@kalyankumars-MacBook-Pro test % npm -v
10.9.1
kchindam-infy@kalyankumars-MacBook-Pro test % npm install
(node:76248) ExperimentalWarning: CommonJS module /Users/kchindam-infy/.nvm/versions/node/v23.3.0/lib/node_modules/npm/node_modules/debug/src/node.js is loading ES Module /Users/kchindam-infy/.nvm/versions/node/v23.3.0/lib/node_modules/npm/node_modules/supports-color/index.js using require().
Support for loading ES Module in require() is an experimental feature and might change at any time
(Use node --trace-warnings ... to show where the warning was created)

added 2 packages, and audited 3 packages in 4s

1 moderate severity vulnerability

To address all issues, run:
npm audit fix --force

Run npm audit for details.

@sahin52
Copy link
Author

sahin52 commented Nov 27, 2024

@kchindam-infy thanks, it works by adding name to package.json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug thing that needs fixing Needs Triage needs review for next steps
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sahin52 @kchindam-infy