Add support for NPM lockfileVersion v3 #476

@melotic

Description

GitHub recently pushed updates to their runners, upgrading their npm version from 8.19.3 to 9.3.1 [1]. It seems also that Azure DevOps has updated their runners. With NPM 9, the package-lock.json format has changed by default, and it is not backwards compatible with other versions of NPM. Running npm install with NPM 9 automatically upgrades the package-lock.json to lockfile version 3.

"lockfileVersion": 3 The lockfile version used by npm v7, without backwards compatibility affordances. This is used for the hidden lockfile at node_modules/.package-lock.json, and will likely be used in a future version of npm, once support for npm v6 is no longer relevant. [2]

When CD attempts to process a package-lock.json with a v3 lockfile, we throw an exception because of the new package-lock.json format:

[09:20:18 INF] Could not parse Jtokens from C:\Users\justinperez\Documents\RPE.Partner.Service.Customers.UI\package-lock.json file.
System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.ComponentDetection.Detectors.Npm.NpmComponentDetectorWithRoots.ProcessIndividualPackageJTokens(ISingleFileComponentRecorder singleFileComponentRecorder, JToken packageLockJToken, IEnumerable`1 packageJsonComponentStream, Boolean skipValidation) in C:\component-detection\src\Microsoft.ComponentDetection.Detectors\npm\NpmComponentDetectorWithRoots.cs:line 153
   at Microsoft.ComponentDetection.Detectors.Npm.NpmComponentDetectorWithRoots.<>c__DisplayClass28_0.<OnFileFoundAsync>b__1(JToken token) in C:\component-detection\src\Microsoft.ComponentDetection.Detectors\npm\NpmComponentDetectorWithRoots.cs:line 120
   at Microsoft.ComponentDetection.Detectors.Npm.NpmComponentDetectorWithRoots.ProcessAllPackageJTokensAsync(IComponentStream componentStream, JTokenProcessingDelegate jtokenProcessor) in C:\component-detection\src\Microsoft.ComponentDetection.Detectors\npm\NpmComponentDetectorWithRoots.cs:line 144
   at Microsoft.ComponentDetection.Detectors.Npm.NpmComponentDetectorWithRoots.SafeProcessAllPackageJTokensAsync(IComponentStream componentStream, JTokenProcessingDelegate jtokenProcessor) in C:\component-detection\src\Microsoft.ComponentDetection.Detectors\npm\NpmComponentDetectorWithRoots.cs:line 256

We need to update our NPM detector to handle the new v3 lockfile.

AB#2134282

Footnotes

  1. https://github.com/actions/runner-images/commit/e1f0c3f22606d0a0535819d68ac6c7b05c752343

  2. https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json
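
The failure above comes from reading a section that a v3 lockfile no longer carries. The sketch below is an added example, not code from component-detection (which is C#): it enumerates components from either layout and fails with an explicit error instead of a null dereference. It assumes the layout in the npm documentation cited in footnote 2 (a flat `packages` map keyed by install path in v2/v3, a nested `dependencies` tree in v1/v2); the function names and both sample lockfiles are constructed for illustration, and skipping `link` entries is a choice made here.

```javascript
// Constructed sample in the lockfileVersion 3 shape: a flat "packages" map keyed by
// install path, with "" as the root project and no legacy "dependencies" tree.
const sampleV3 = {
  name: "demo-app", version: "1.0.0", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@scope/util": { version: "2.1.0", dev: true },
    "node_modules/left": { version: "1.0.0" },
    "node_modules/left/node_modules/right": { version: "0.3.0" },
    "node_modules/local-lib": { resolved: "packages/local-lib", link: true },
  },
};
// Constructed v1-style sample: nested "dependencies" tree only.
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    left: { version: "1.0.0", dependencies: { right: { version: "0.3.0" } } },
  },
};

// Package name = the part of the install path after the last "node_modules/".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Legacy layout: recurse through the nested "dependencies" objects.
function walkDependencies(deps, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    out.push({ name, version: entry.version, dev: Boolean(entry.dev) });
    walkDependencies(entry.dependencies, out);
  }
  return out;
}

// Hypothetical helper: returns [{name, version, dev}] or throws a descriptive error.
function listComponents(lock) {
  if (lock === null || typeof lock !== "object") throw new TypeError("lockfile is not a JSON object");
  if (lock.packages && typeof lock.packages === "object") {
    return Object.entries(lock.packages)
      .filter(([path, e]) => path !== "" && !e.link) // skip root project and workspace symlinks
      .map(([path, e]) => ({ name: e.name || nameFromPath(path), version: e.version, dev: Boolean(e.dev) }));
  }
  if (lock.dependencies && typeof lock.dependencies === "object") return walkDependencies(lock.dependencies, []);
  throw new Error(`unsupported lockfileVersion ${lock.lockfileVersion}: no "packages" or "dependencies" section`);
}
```

Preferring `packages` when it exists also covers v2 lockfiles, which carry both sections.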

Labels: detector:npm (The npm detector); status:requirements (Full requirements are not yet known, so implementation should not be started); type:feature (Feature (new functionality))