
NPM dependencies that point to Git / GitHub repos cannot be processed anymore #5632

Closed
ekandler opened this issue Aug 3, 2022 · 1 comment · Fixed by #5675
ekandler commented Aug 3, 2022

The support for npm dependencies that point to repositories, introduced in #4044 , seems to be broken, as calling 'npm view' on a package that is not in the official npm registry triggers an IOException.

Dependency in package.json

"angular-tileview": "github:tinydesk/angular-tileview",

Scanner output

09:20:59.844 [DefaultDispatcher-worker-1] ERROR org.ossreviewtoolkit.analyzer.managers.Npm - Resolving NPM dependencies for path 'package.json' failed with: IOException: Running 'npm view --json angular-tileview@0.6.1' in '[...]' failed with exit code 1:
{
  "error": {
    "code": "E404",
    "summary": "'angular-tileview' is not in the npm registry.\nYou should bug the author to publish it\n(or use the name yourself!)\n\nNote that you can also install from a\ntarball, folder, http url, or git url.",
    "detail": "\n 'angular-tileview@0.6.1' is not in the npm registry.\nYou should bug the author to publish it (or use the name yourself!)\n\nNote that you can also install from a\ntarball, folder, http url, or git url."
  }
}

Furthermore, if a dependency (that points to a git repository) is also present in the official npm registry, wrong information might be pulled, as it might not be the same package.
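The two failure modes described in this report (E404 for an unpublished package, and a same-named registry package shadowing a git dependency) both come from looking a git-sourced dependency up by name. The following is an added example, not ORT's code and not the fix in #5675: it classifies the dependency specifiers in a package.json and only plans an `npm view` call for registry-style specifiers, resolving the rest to a VCS URL. The sample package.json is constructed; only the common specifier shapes are handled (ssh/scp-style git URLs are not).

```javascript
// Added example, not ORT's code: classify npm dependency specifiers so that
// git/GitHub dependencies are never looked up by name in the public registry.
// Looking them up either fails with E404 (the issue above) or, worse, returns
// metadata for an unrelated registry package that merely shares the name.

// Constructed sample package.json, modelled on the dependency in the issue.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: {
    "angular-tileview": "github:tinydesk/angular-tileview",
    "lodash": "^4.17.21",
    "left-pad": "git+https://github.com/stevemao/left-pad.git#v1.3.0",
    "some-lib": "owner/some-lib#feature",
    "local-tool": "file:../local-tool",
  },
});

const HOSTS = { github: "github.com", gitlab: "gitlab.com", bitbucket: "bitbucket.org" };

// Returns { kind, vcsUrl, ref }: kind is "git", "registry", "local" or "tarball".
// Only the common specifier shapes are handled; ssh/scp-style URLs are not.
function classifySpec(spec) {
  if (/^(file:|\.{0,2}\/)/.test(spec)) return { kind: "local", vcsUrl: null, ref: null };
  if (/^https?:\/\//.test(spec)) return { kind: "tarball", vcsUrl: null, ref: null };
  // Hosted shorthand: "github:owner/repo[#ref]" (also gitlab:, bitbucket:).
  let m = spec.match(/^(github|gitlab|bitbucket):([\w.-]+\/[\w.-]+)(?:#(.+))?$/);
  if (m) return { kind: "git", vcsUrl: `https://${HOSTS[m[1]]}/${m[2]}.git`, ref: m[3] ?? null };
  // Full git URL: "git://..." or "git+https://...[#ref]".
  m = spec.match(/^git(?:\+https?)?:\/\/[^#]+(?:#(.+))?$/);
  if (m) return { kind: "git", vcsUrl: spec.split("#")[0].replace(/^git\+/, ""), ref: m[1] ?? null };
  // Bare GitHub shorthand: "owner/repo[#ref]".
  m = spec.match(/^([\w.-]+\/[\w.-]+)(?:#(.+))?$/);
  if (m) return { kind: "git", vcsUrl: `https://github.com/${m[1]}.git`, ref: m[2] ?? null };
  // Anything else (semver ranges, dist-tags like "latest") is a registry lookup.
  return { kind: "registry", vcsUrl: null, ref: null };
}

// Builds the per-dependency plan: an `npm view --json name@spec` argv for
// registry packages, and a VCS URL (no registry call at all) for git packages.
function planLookups(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };
  return Object.entries(deps).map(([name, spec]) => {
    const c = classifySpec(spec);
    const lookup = c.kind === "registry" ? ["npm", "view", "--json", `${name}@${spec}`] : null;
    return { name, spec, ...c, lookup };
  });
}
```

The plan is only computed here, not executed, so the example runs offline; a real resolver would spawn the `lookup` argv for registry entries and clone `vcsUrl` at `ref` for git entries.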

@tsteenbe tsteenbe added bug Issues that are considered to be bugs analyzer About the analyzer tool labels Aug 3, 2022
@sschuberth (Member)

Some notes to myself, because I wondered about a few things while debugging this:

  1. As no version is specified in "github:tinydesk/angular-tileview", NPM will default to master.
  2. The version in master is 0.6.1 (which is a whopping 6 years old; no one should be using this anymore, really).
  3. There are actually more recent versions tagged, but their code is not in master.
  4. No version of angular-tileview is published in the NPM package registry.

All in all, again a "nice" example for weird dependency management in the NPM world...

sschuberth added a commit that referenced this issue Aug 23, 2022
…try fails

This allows to handle packages that were never published to the NPM
registry but only ever referenced by (short) repository URL.

Fixes #5632.

Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
@sschuberth sschuberth self-assigned this Aug 23, 2022