There's a vulnerable package - set-value@4.0.0 causing this issue
Prints the following output
sandbox@sse-sandbox-c43l4:/sandbox$ yarn npm audit
Type Error: Cannot read property 'replace' of null
at Wse (/sandbox/.yarn/releases/yarn-3.0.2.cjs:558:40630)
at wd.execute (/sandbox/.yarn/releases/yarn-3.0.2.cjs:558:42734)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async wd.validateAndExecute (/sandbox/.yarn/releases/yarn-3.0.2.cjs:197:620)
at async ts.run (/sandbox/.yarn/releases/yarn-3.0.2.cjs:211:1846)
at async ts.runExit (/sandbox/.yarn/releases/yarn-3.0.2.cjs:211:2013)
at async i (/sandbox/.yarn/releases/yarn-3.0.2.cjs:310:12327)
at async r (/sandbox/.yarn/releases/yarn-3.0.2.cjs:310:10567)
DaniAkash changed the title from [Bug?]: yarn npm audit failing with "cannot read property 'replace' of null" to [audit]: yarn npm audit failing with "cannot read property 'replace' of null" (Oct 4, 2021)
DaniAkash changed the title from [audit]: yarn npm audit failing with "cannot read property 'replace' of null" to audit: yarn npm audit failing with "cannot read property 'replace' of null" (Oct 4, 2021)
Hi @DaniAkash, is this still failing for you? It seems to be running fine for me now.
I wonder if at the time the CVE was reported there was no patch version, so there was no "recommendation" reported by the API.
That seems to be the only use of replace I can find in the audit source code. I think we could easily protect against it by adding a null check.
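The null check suggested in the comment above, as an added example that is not part of the thread and not Yarn's own code. Only the `recommendation` field name comes from the comment; the record shape, package names, function names and exit codes are assumptions made for illustration.

```javascript
// Constructed advisory records. Only the `recommendation` field name comes
// from the thread; every other name here is hypothetical.
const sampleAdvisories = [
  { name: "example-pkg-a", severity: "high", recommendation: "Upgrade to\nversion 2.0.1 or later" },
  { name: "example-pkg-b", severity: "critical", recommendation: null }, // no patched release yet
  { name: "example-pkg-c", severity: "low" },                            // field absent
];

// Fragile: assumes `recommendation` is always a string, so a single null
// record throws and the whole report is lost.
function formatFragile(advisory) {
  return `${advisory.name} [${advisory.severity}] ${advisory.recommendation.replace(/\n/g, " ")}`;
}

// Guarded: a missing recommendation is shown as such and the advisory is
// still reported.
function formatGuarded(advisory) {
  const rec = typeof advisory.recommendation === "string"
    ? advisory.recommendation.replace(/\n/g, " ")
    : "none published";
  return `${advisory.name} [${advisory.severity}] ${rec}`;
}

// Build the report. Exit code 1 means "advisories found", 0 means "clean".
function buildReport(advisories, format) {
  const lines = advisories.map(format);
  return { lines, exitCode: advisories.length > 0 ? 1 : 0 };
}

// Wrap the report so a formatter crash is visible as its own exit code (2)
// instead of being mistaken for a clean or a failed audit.
function tryReport(advisories, format) {
  try {
    return buildReport(advisories, format);
  } catch (err) {
    return { lines: [], exitCode: 2, error: `${err.name}: ${err.message}` };
  }
}

console.log(tryReport(sampleAdvisories, formatFragile));
console.log(tryReport(sampleAdvisories, formatGuarded));
```

With the fragile formatter the one advisory that lacks a recommendation hides the other two as well, which is the practical cost of the crash in a CI audit step.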
Self-service
Describe the bug
Running yarn npm audit is throwing - "Cannot read property 'replace' of null" error
To reproduce
Run yarn npm audit in this codesandbox's terminal: https://codesandbox.io/s/yarn-audit-issue-c43l4?file=/package.json
There's a vulnerable package - set-value@4.0.0 causing this issue
Prints the following output
Environment
sandbox@sse-sandbox-c43l4:/sandbox$ yarn dlx -q envinfo --preset jest
  System:
    OS: Linux 5.4 Debian GNU/Linux 10 (buster) 10 (buster)
    CPU: (16) x64 Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz
  Binaries:
    Node: 14.17.6 - /tmp/xfs-224ad795/node
    Yarn: 3.0.2 - /tmp/xfs-224ad795/yarn
    npm: 6.14.15 - ~/.nvm/versions/node/v14.17.6/bin/npm
Additional context
The npm advisories https://www.npmjs.com/advisories are redirecting to github advisories, which may have caused this issue