npm audit fails with error code 400 if package-lock.json was built with the env var NODE_PRESERVE_SYMLINKS set

registry
security
priority:medium
triaged

(Gavin Aiken) #1

What I Wanted to Do

If NODE_PRESERVE_SYMLINKS is set when npm install is run, the package-lock.json will contain the property:

"preserveSymlinks": "1"

I want to be able to run npm audit when the package-lock.json contains that property.

What Happened Instead

If that property exists in the lock file, npm audit always fails with a 400 error.

Reproduction Steps

export NODE_PRESERVE_SYMLINKS=1
mkdir audittest
cd audittest
npm init -y
npm i lodash
npm audit

Details

If you repeat the above commands without NODE_PRESERVE_SYMLINKS set, npm audit always succeeds.

$ cat /Users/gavin/.npm/_logs/2018-08-22T10_44_44_910Z-debug.log
0 info it worked if it ends with ok
1 verbose cli [ '/usr/local/Cellar/node/9.11.1/bin/node',
1 verbose cli   '/usr/local/bin/npm',
1 verbose cli   'audit' ]
2 info using npm@6.4.0
3 info using node@v9.11.1
4 verbose npm-session 4ad8fda85e375335
5 timing audit compress Completed in 2ms
6 info audit Submitting payload of 280 bytes
7 http fetch POST 400 https://registry.npmjs.org/-/npm/v1/security/audits 738ms
8 verbose stack Error: 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits
8 verbose stack     at res.buffer.catch.then.body (/usr/local/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:94:15)
8 verbose stack     at <anonymous>
8 verbose stack     at process._tickCallback (internal/process/next_tick.js:182:7)
9 verbose statusCode 400
10 verbose cwd /Users/gavin/Desktop/audittest
11 verbose Darwin 17.7.0
12 verbose argv "/usr/local/Cellar/node/9.11.1/bin/node" "/usr/local/bin/npm" "audit"
13 verbose node v9.11.1
14 verbose npm  v6.4.0
15 error code E400
16 error 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits
17 verbose exit [ 1, true ]

Platform Info

Reproduced on OSX with node 9 and npm 6.4.0, and Linux with node 8 and npm 6.2.0.

OSX:

$ npm --versions

{ audittest: '1.0.0',
  npm: '6.4.0',
  ares: '1.13.0',
  cldr: '33.0',
  http_parser: '2.8.0',
  icu: '61.1',
  modules: '59',
  napi: '3',
  nghttp2: '1.29.0',
  node: '9.11.1',
  openssl: '1.0.2o',
  tz: '2018c',
  unicode: '10.0',
  uv: '1.19.2',
  v8: '6.2.414.46-node.23',
  zlib: '1.2.11' }

$ node -p process.platform
darwin

Linux:

$ npm --versions
{ audittest: '1.0.0',
  npm: '6.2.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.11.3',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.54',
  zlib: '1.2.11' }
$ node -p process.platform
linux

(Nathan LaFreniere) #2

I just deployed a change that should correct this problem, thanks for letting us know!


(Gavin Aiken) #3

Thanks, certainly seems to have resolved the issue for me.

