[Bug?]: yarn npm audit fails with 400 error
#4117
Comments
|
Hm - I can reproduce it on this very repository as well. I'm sure it used to work, so perhaps a backend change broke something 🙁 |
|
@arcanis I tried a |
|
I have the same issue with the command Don't know what other debug information I can provide |
|
Looks like I managed to make a repro. It's offline because yarn version in the sherlock playground is 4.0.0rc2 and I failed to change it to required 3.2.0. Reproduction requires only {
"packageManager": "yarn@3.2.0",
"devDependencies": {
"@vue/cli-service": "~5.0.4"
}
}and command |
|
I believe I'm getting this error too. Here's my output: ❯ yarn npm audit -AR
➤ YN0035: Bad Request
➤ YN0035: Response Code: 400 (Bad Request)
➤ YN0035: Request Method: POST
➤ YN0035: Request URL: https://registry.yarnpkg.com/-/npm/v1/security/audits/quick
➤ Errors happened when preparing the environment required to run this command.
➤ This might be caused by packages being missing from the lockfile, in which case running "yarn install" might help. |
|
I've recently run into the same error Interestingly for me, the error doesn't occur when running |
|
For me the issue happened when one of the deep deps declared dependency in this weird format 'ethers-v4': 'npm:ethers@4'As soon as I upgraded to newer version that no longer has this line - issue stopped happening. The offender was this lib: npm info @eth-optimism/core-utils@0.0.1-alpha.30 dependenciesBefore that I did some debugging inside yarn code itself and the actual error happens on npm side when generated on the fly "package lock" from yarn gets submitted for audit. Npm essentially replies with error that some packages are missing from the lock file (I don't remember exact error though as I fixed this problem a few weeks ago). |
|
I managed to find another situation where this occurs.
"react-loadable": "npm:@docusaurus/react-loadable@5.5.2"Between I made it work by downgrading Yarn back to 3.1.1 but this is ofc not ideal. So I hope a better solution can be found, as I can imagine more people will run into this at some point. |
|
It should be great if yarn was able to output the payload sent to the registry server. |
|
I've looked in the payload by logging the request in the source code, but yes a native way would be great @Glandos. The dependency I have issues with is Does anybody have any clue by now? |
|
now
I cloned the npm repository and tested the same scenario, and if npm doesn't use In my opinion, the solution to this issue is:
|
|
I've published a minimal repro of the bug here: https://github.com/sargunv/audit-bug-repro/. The repo has three branches. The yarn-v3 branch repros this issue, while the yarn-v1 and npm branches show it can be audited successfully on those package managers. The minimal library I published to trigger the bug is here: https://www.npmjs.com/package/@sargunv/testlib-c |
|
The specific trigger is a construction like this in the dependency tree: https://github.com/sargunv/audit-bug-repro/blob/72cd19f2eb33a29505e4c8c653e4e7b551fc7138/yarn.lock#L19 "@sargunv/testlib-c@npm:^0.1.0":
version: 0.1.0
resolution: "@sargunv/testlib-c@npm:0.1.0"
dependencies:
"@sargunv/fake-testlib-a": "npm:@sargunv/testlib-a@^0.1.0". # THIS LINE
checksum: 026c9a8be2f5ddee32a4bfba97d093ac0ba947851c74755240bc87536af579f95ab2c2b9e17fbcc9cde840d7842e7502ed904599a7fabd6324185e3eee889683
languageName: node
linkType: hard |
|
I did a bit of digging with an HTTPS proxy. Yarn v3Here's a sample request body for the /quick endpoint that Yarn uses, generated from my above linked repro project. {
"requires": {
"@sargunv/testlib-c": "^0.1.0"
},
"dependencies": {
"audit-bug-repro": {
"version": "0.0.0-use.local",
"integrity": "0069b1507df7fda1a72cbcea230138bbf288eb1b1217be39c92e38aa99e645d8c2590978a7fb82eaf176ad2861b62ce5e1766063d605534146ccb96874f44f73",
"requires": {
"@sargunv/testlib-c": "^0.1.0"
},
"dev": false
},
"@sargunv/testlib-c": {
"version": "0.1.0",
"integrity": "6cb68cb06e6edf019ff5a5cd314ca8a3d00ec0853a3e9f19af0d108c169f1c85b364641654cc452dd53cc50b0745a3fedd78b8899f4cf02a5ea7f97a25e34400",
"requires": {
"@sargunv/fake-testlib-a": "@sargunv/testlib-a@^0.1.0"
},
"dev": false
},
"@sargunv/testlib-a": {
"version": "0.1.0",
"integrity": "7732f389a7070c3eae9d0b14ef941a3d7d36568d5b83ea58d823d70a070e80ff8ff6c8354a4391762da3ffc243167e117f2a247ded5cb0d38fca24dfca5bc2f7",
"requires": {},
"dev": false
}
}
}My best guess is that the audit endpoint rejects it because the dependency tree doesn't look complete; there appears to be a dependency The error from NPM's /quick endpoint for the above request is as follows: {
"statusCode": 400,
"error": "Bad Request",
"message": "Invalid package tree, run npm install to rebuild your package-lock.json"
}Additionally, I can confirm that this issue affects any released version of Yarn Berry since NPMNow, here's what the request looks like when using the /bulk endpoint (with the npm cli, on the same project): {
"@sargunv/testlib-a": [
"0.1.0"
],
"@sargunv/testlib-c": [
"0.1.0"
]
}The "fake" dependency name is no longer relevant; the request simply includes a hash of package names, each with a list of versions included in the tree. This request succeeds. Yarn v1Finally, this is the request Yarn v1 sends. It uses neither the /quick nor the /bulk endpoint, but a different /audits endpoint. {
"name": "audit-bug-repro",
"install": [],
"remove": [],
"metadata": {},
"requires": {
"@sargunv/testlib-c": "^0.1.0"
},
"dependencies": {
"@sargunv/testlib-c": {
"version": "0.1.0",
"integrity": "sha512-yYzZOaFg/OKwogF4IXxrB/fKctJOTE3MhhbyaR7LU+C0uAlXfzvlLP2Ie6WYU1IXEWLFfOXDy8lmEmRyQk1ZsQ==",
"requires": {
"@sargunv/fake-testlib-a": "npm:@sargunv/testlib-a@^0.1.0"
},
"dependencies": {},
"dev": false
},
"@sargunv/fake-testlib-a": {
"version": "0.1.0",
"integrity": "sha512-Fn64vahG+47n9xScHD9vViPF+twOhSg9g7sH9hTsJ4DwRHJZgIgeYf82MRoX6nURgzpksRoE4n3hxcd3o8XFxg==",
"requires": {},
"dependencies": {},
"dev": false
}
},
"dev": false
}In this case, Yarn v1 forms the request using the "fake" name of the dependency key, not the "real" name of the dependency version/resolution. This request also succeeds. Sure enough, if I manually tweak the original request to do the same, NPM no longer says "bad request"!:
|
**What's the problem this PR addresses?** The current audit implementation uses the older `/audit/quick` endpoint, which has various problems. One particular is that its design requires to submit a nested payload, but since it doesn't make much sense in our case (because most of Yarn installs are flat), we flatten the package list. It causes problems when multiple packages with different versions can be found in the tree. Fixes #3861 Fixes #4117 Fixes #5408 Closes #5409 (Supercedes it) --- Edit by @merceyz Fixes #5450 Fixes #2507 Fixes #3778 Fixes #3945 Closes #5309 (Doesn't have a reproduction so I'm assuming it's the same as the others) --- **How did you fix it?** This change rewrites `yarn npm audit` to use the new endpoint. As part of the migration a couple of fields are reworked (`Via` is replaced by `Dependents`, the versions are now part of a tree item rather than concatenated, we don't get the "recommendation" anymore). The options remain the same for now. It's possible that some registries don't support the bulk endpoint. Given that it's fairly straightforward to implement, that it's been released for some time now, and that without it we would end up with an invalid `audit` implementation, I'd tend to let them deal with that. **Checklist** <!--- Don't worry if you miss something, chores are automatically tested. --> <!--- This checklist exists to help you remember doing the chores when you submit a PR. --> <!--- Put an `x` in all the boxes that apply. --> - [x] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing). <!-- See https://yarnpkg.com/advanced/contributing#preparing-your-pr-to-be-released for more details. --> <!-- Check with `yarn version check` and fix with `yarn version check -i` --> - [x] I have set the packages that need to be released for my changes to be effective. <!-- The "Testing chores" workflow validates that your PR follows our guidelines. --> <!-- If it doesn't pass, click on it to see details as to what your PR might be missing. --> - [x] I will check that all automated PR checks pass before the PR gets reviewed.
* devDeps: @lavamoat/allow-scripts@2.0.3->2.3.1 Note: As of right now, this causes depcheck script to fail under yarn due to a server error in NPM registry triggered by yarnpkg/berry#4117. As can be seen in that issue, the results from this script have already been invalid since the upgrade from yarnv1 to yarnv3 and a change of package manager version or dependency-auditing script will have to be made.
|
Still seeing this with 3.6.3. In my case, the problem must be deep in my dependency tree and not in direct dependencies, because if I don't |
|
As mentioned in the PR that closed this issue, since it's a major change to the implementation, it won't be released in 3.x. You can already use the RCs, though, and the stable isn't very far. |
|
@arcanis thanks for the info. Unfortunately v4 (4.0.0-rc.50) doesn't work properly with the offline package cache in node 18.x. I get tons of node 18.x node 20.x |
|
The global cache is now opt-in rather than opt-out in 4.x - the migration to keep the old behaviour ( The Node version shouldn't change anything for this check - perhaps you ran one of the commands without the immutable flags and populated your cache, and thought it was caused by the Node version change? 🤔 |
|
Seems to be specific to alpine/musl and not related to the node version. Does that make more sense? When running |
|
Running Thanks for the support @arcanis EDIT: Seems to have been caused by the missing |
Self-service
Describe the bug
Running
yarn npm audit -ARfails in the Jest repo with a 400 error from the npm registry.To reproduce
Environment
System: OS: macOS 12.1 CPU: (12) x64 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz Binaries: Node: 16.14.0 - /private/var/folders/gj/0mygpdfn6598xh34njlyrqzc0000gn/T/xfs-9e7a75e5/node Yarn: 3.2.0-rc.15.git.20220211.hash-32c522a7c - /private/var/folders/gj/0mygpdfn6598xh34njlyrqzc0000gn/T/xfs-9e7a75e5/yarn npm: 8.4.1 - ~/.nvm/versions/node/v16.14.0/bin/npm npmPackages: jest: workspace:* => 28.0.0-alpha.0Additional context
I've added a log statement after the network call, and the reported error from npm is
The text was updated successfully, but these errors were encountered: