NPM's suggestion for package lock and audit is misleading or doesn't work - 2nd attempt


(Jcollum Nike) #1
✗ npm audit          
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/jcol53/.npm/_logs/2018-12-11T01_05_30_522Z-debug.log

`Try creating one first with: npm i --package-lock-only` ?

ok, will do:

✗ npm i --package-lock-only
npm WARN deprecated gulp-util@3.0.8: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
...
ages, updated 1712 packages and audited 36637 packages in 17.361s
found 5 vulnerabilities (4 low, 1 moderate)
  run `npm audit fix` to fix them, or `npm audit` for details

OK I want to see details:

✗ npm audit
npm ERR! code EAUDITNOLOCK 
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/jcol53/.npm/_logs/2018-12-11T01_06_30_214Z-debug.log

“Try creating one first with: npm i --package-lock-only”? WTF didn’t I just do that??

Why is NPM giving me bad instructions here?


(Lars Willighagen) #2

So did npm i --package-lock-only create a package-lock.json and did it still error, or was the file not created at all?


(Jcollum Nike) #3

Just ran this sequence:

  npm audit
  ll package-lock.json # none found
  npm i --package-lock-only
  ll package-lock.json # none found

It didn’t create the file. This project was previously using yarn, could that be part of the problem?


(Lars Willighagen) #4

What are your Node.js and npm versions (npm --versions)?

I don’t know how, but who knows…


(Jcollum Nike) #5
{ npm: '6.4.1',
ares: '1.10.1-DEV',
cldr: '32.0',
http_parser: '2.8.0',
icu: '60.1',
modules: '57',
napi: '3',
nghttp2: '1.32.0',
node: '8.11.4',
openssl: '1.0.2p',
tz: '2017c',
unicode: '10.0',
uv: '1.19.1',
v8: '6.2.414.54',
zlib: '1.2.11' }

$ node --version
v8.11.4

Also I just updated to NPM 6.5.0 and got the same result above (no package-lock)


(Lars Willighagen) #6

What do

npm config get package-lock

and

npm config get shrinkwrap

return when run in the project directory? There could be some configuration somewhere that blocks all writes (I probably should have thought of that earlier).


(Jcollum Nike) #7
$ npm config get package-lock
false

$ npm config get shrinkwrap
true

I don’t see anything in my npmrc that’s relevant to those…


(Lars Willighagen) #8

If you don’t have too much configuration, you should be able to see where it’s defined by running

$ npm config ls

and looking for package-lock. If there’s nothing there you can check (w/ bash)

$ npm config ls -l | grep package-lock

to see if the default value is correct (I don’t know what’s happened if it isn’t, but then we know).


(Jcollum Nike) #9
✗ npm config ls -l | grep package-lock
package-lock = false
; package-lock = true (overridden)
package-lock-only = false

That help?


(Lars Willighagen) #10

That shows the default is correct; you should be able to see how it’s defined with a regular npm config ls. It could also be environment variables (but that shows up in the output of that command too).


(Jcollum Nike) #11

Well I’m not sure what to do next then. The settings seem correct but the file is not being generated, yeah?


(Jcollum Nike) #12

Bumping because of Xmas holiday.


(Lars Willighagen) #13

Some configuration, most likely on your end, is incorrect (for your purposes at least). You can check where it’s configured by running

$ npm config ls

and looking for the part that has package-lock = false. For example, my output is

; cli configs
metrics-registry = "https://registry.npmjs.org/"
scope = ""
user-agent = "npm/6.6.0-next.0 node/v10.14.2 linux x64"

; project config /[omitted]/npm.community/104/.npmrc
package-lock = false

; userconfig /[omitted]/.npmrc
key1 = "value1"

; node bin location = /usr/local/bin/node
; cwd = /[omitted]/npm.community/104
; HOME = /[omitted]
; "npm config ls -l" to show all defaults.

Here, package-lock = false comes from the project config. It also shows the filename where you can find that configuration (which I redacted here in part). If the configuration comes from an env variable instead, it can look like this:

$ NPM_CONFIG_PACKAGE_LOCK=false npm config ls
; cli configs
metrics-registry = "https://registry.npmjs.org/"
scope = ""
user-agent = "npm/6.6.0-next.0 node/v10.14.2 linux x64"

; environment configs
package-lock = false

; userconfig /[omitted]/.npmrc
key1 = "value1"

; node bin location = /usr/local/bin/node
; cwd = /[omitted]/npm.community/104
; HOME = /[omitted]
; "npm config ls -l" to show all defaults.
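A small shell helper, added here as an example and not taken from the thread or from npm itself, that turns the diagnosis above into a pre-flight check: it parses output in the `npm config ls` format Lars shows (section headers start with `; `) to report which configuration source sets `package-lock = false`, and refuses to proceed with `npm i --package-lock-only` while that setting is in effect. The two sample outputs embedded in the script are constructed from the examples quoted above; the function names `find_package_lock_source` and `audit_preflight` are my own.

```shell
#!/bin/sh
# Added example: locate the config source that disables package-lock,
# which is what makes `npm i --package-lock-only` silently write nothing
# and `npm audit` then fail with EAUDITNOLOCK.

# Constructed sample of `npm config ls` output (project .npmrc case),
# modelled on the output quoted in the thread.
SAMPLE_PROJECT_LS='; cli configs
metrics-registry = "https://registry.npmjs.org/"
scope = ""
user-agent = "npm/6.6.0-next.0 node/v10.14.2 linux x64"

; project config /[omitted]/npm.community/104/.npmrc
package-lock = false

; userconfig /[omitted]/.npmrc
key1 = "value1"

; node bin location = /usr/local/bin/node
; cwd = /[omitted]/npm.community/104
; HOME = /[omitted]
; "npm config ls -l" to show all defaults.'

# Constructed sample for the environment-variable case (NPM_CONFIG_PACKAGE_LOCK=false).
SAMPLE_ENV_LS='; cli configs
scope = ""

; environment configs
package-lock = false

; userconfig /[omitted]/.npmrc
key1 = "value1"'

# find_package_lock_source: reads `npm config ls` text on stdin and prints the
# section header (e.g. "project config /path/.npmrc" or "environment configs")
# under which "package-lock = false" first appears. Prints nothing when the
# setting is not disabled anywhere. Lines beginning with "; " are npm's own
# section/comment lines; the most recent one names the source of what follows.
find_package_lock_source() {
  awk '
    /^; /                            { section = substr($0, 3); next }
    /^package-lock *= *false *$/      { print section; exit }
  '
}

# audit_preflight: exit 0 when lockfile generation is enabled, 1 when
# package-lock=false is in effect (naming the source), 2 when npm is absent.
# Uses the real npm CLI, so it only does anything useful inside a project.
audit_preflight() {
  if ! command -v npm >/dev/null 2>&1; then
    echo "audit_preflight: npm not found on PATH" >&2
    return 2
  fi
  if [ "$(npm config get package-lock)" = "false" ]; then
    src=$(npm config ls | find_package_lock_source)
    echo "audit_preflight: package-lock=false is set in: ${src:-unknown source}" >&2
    echo "audit_preflight: 'npm i --package-lock-only' will not write package-lock.json; remove that setting first" >&2
    return 1
  fi
  return 0
}

# Demonstration on the constructed samples (no npm needed):
printf '%s\n' "$SAMPLE_PROJECT_LS" | find_package_lock_source   # project config /[omitted]/npm.community/104/.npmrc
printf '%s\n' "$SAMPLE_ENV_LS" | find_package_lock_source       # environment configs
```

In a real project the intended use is `. ./preflight.sh && audit_preflight && npm i --package-lock-only && npm audit`, so the failure surfaces with the offending `.npmrc` path (or "environment configs") instead of the circular "try creating one first" message from the first post.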

(Jcollum Nike) #14

That fixed it, thanks for the thorough reply.

Took out the package-lock=false in my npmrc and then ran the commands in the first post again. Now I’m getting an audit output.

For the maintainers: looks like having package-lock=false will block the audit from working normally. It would be helpful to have a check and a message for that.


check for `package-lock=false` in configs before executing `npm i --package-lock-only`
(system) #15

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.