package-json's Issues

Reporting a vulnerability

Hello!

I hope you are doing well!

We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security researchers to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.

Can you enable it, so that we can report it?

Thanks in advance!

PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

Just because a package has a preinstall doesn't mean it doesn't have a gypfile

Related issues:

npm/npm#12133
npm/normalize-package-data#75

This package also makes the assumption that the presence of a preinstall script means that the package does not use a gyp file and that the default install script for such a package (node-gyp rebuild) does not need to be run.

This is an unnecessary assumption and one that breaks my package.

In my tests, when I remove this assumption, my package builds fine. Would it be possible to remove this assumption?
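The decision the issue above describes, as an added example that is not @npmcli/package-json's or read-package-json's own code: a small model of how a default install script is chosen for a package that ships a binding.gyp. The `files` listing and the `nativePkg` package are constructed here, and the `skipIfPreinstall` flag stands for the assumption the reporter wants removed.

```javascript
// Added example (not @npmcli/package-json's own code): model the default
// install-script decision for a package that ships a binding.gyp.
// `files` is a constructed listing of the package root; `pkg` is a parsed
// package.json. `skipIfPreinstall` reproduces the assumption the issue
// above objects to: a preinstall script is taken as proof that the author
// builds the addon themselves, so no default install script is added.
const NODE_GYP_REBUILD = 'node-gyp rebuild';

function defaultInstallScript(pkg, files, { skipIfPreinstall = true } = {}) {
  const scripts = { ...(pkg.scripts || {}) };
  const hasGypfile = files.includes('binding.gyp');
  if (!hasGypfile) {
    return { scripts, gypfile: false };
  }
  // An explicit install script always wins over the default.
  if (typeof scripts.install === 'string') {
    return { scripts, gypfile: true };
  }
  // The contested shortcut.
  if (skipIfPreinstall && typeof scripts.preinstall === 'string') {
    return { scripts, gypfile: true };
  }
  scripts.install = NODE_GYP_REBUILD;
  return { scripts, gypfile: true };
}

// Constructed package: a preinstall hook that only fetches headers, plus a
// binding.gyp that still has to be compiled.
const nativePkg = {
  name: 'native-addon',
  scripts: { preinstall: 'node download-headers.js' },
};
const nativeFiles = ['package.json', 'binding.gyp', 'src/addon.cc'];

const withAssumption = defaultInstallScript(nativePkg, nativeFiles);
const withoutAssumption = defaultInstallScript(nativePkg, nativeFiles, {
  skipIfPreinstall: false,
});

console.log(withAssumption.scripts.install);    // undefined: the addon is never compiled
console.log(withoutAssumption.scripts.install); // node-gyp rebuild
```

Either branch runs package-supplied code at install time (the preinstall hook, or node-gyp and the addon's own build files), so the shortcut buys no safety; the only effect is whether the native build is silently skipped.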

[BUG] Redirect Installation of package x when a request for package y installation is made using config in package.json

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Need to change the entire source code for the npmjs project or use a local alias to install a different package B instead of package A.

Expected Behavior

I should be able to redirect installation of a npmjs A package to npmjs B package from package.json config.

Citing my repositories as an example to ensure not to make phpcgijs old versions unfindable. What I am wishing to do is redirect phpcgijs to cgijs

package.json

{
...
"repository": {
    "type": "git",
    "url": "https://github.com/ganeshkbhat/cgi-js.git",
    "redirect": "newpackagename_preferably--OR--differentrepository"
  }
}

OR

{
...
"redirect": "newpackagename_preferably",
"repository": {
    "type": "git",
    "url": "https://github.com/ganeshkbhat/cgi-js.git"
  }
}

Steps To Reproduce

NA

Environment

  • npm: Current
  • Node: Current
  • OS: Windows / Linux / Mac
  • platform: Windows / Linux / Mac

[BUG] license validator does not match arborist

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

In arborist's inventory class it does its own attempts to normalize/account for license/licence, but it ALSO is looking for licenses/licences, which @npmcli/package-json does not appear to do.

https://github.com/npm/cli/blob/8ded848b099297a12a81ec008d6229f3ad3494a6/workspaces/arborist/lib/inventory.js#L62-L73

Expected Behavior

See if we can safely consolidate this normalization into this module, or at least see if we want to normalize the array/plural version.
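One shape such a consolidated normalization could take, as an added example that is not arborist's or @npmcli/package-json's code: it accepts all four spellings listed above, each as a string, an object with a `type`, or an array of either. Joining several licenses with " OR " and dropping entries of any other shape are this example's own choices.

```javascript
// Added example (not arborist's or @npmcli/package-json's own code): one
// normalization covering the field spellings the issue above lists.
// Accepts `license`, `licence`, `licenses` and `licences`; each may be a
// string, an object with a `type`, or an array of either. Returns a single
// string, joined with " OR " when several were given (this example's own
// convention), or undefined when nothing usable was found.
function normalizeLicense(pkg) {
  const value = pkg.license ?? pkg.licence ?? pkg.licenses ?? pkg.licences;
  if (value === undefined || value === null) return undefined;
  const entries = Array.isArray(value) ? value : [value];
  const names = [];
  for (const entry of entries) {
    if (typeof entry === 'string') {
      const trimmed = entry.trim();
      if (trimmed) names.push(trimmed);
    } else if (entry && typeof entry === 'object' && typeof entry.type === 'string') {
      const trimmed = entry.type.trim();
      if (trimmed) names.push(trimmed);
    }
    // Anything else (numbers, objects without `type`) is dropped as invalid.
  }
  if (names.length === 0) return undefined;
  return names.length === 1 ? names[0] : `(${names.join(' OR ')})`;
}

// Constructed package.json fragments exercising each spelling and shape.
const samples = [
  { license: 'MIT' },
  { licence: { type: 'ISC' } },
  { licenses: [{ type: 'MIT' }, 'Apache-2.0'] },
  { licences: [42, {}] },
  { name: 'no-license-at-all' },
];
for (const sample of samples) {
  console.log(JSON.stringify(sample), '->', normalizeLicense(sample));
}
```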

[BUG] `bin` was converted to an object warnings when using string as `bin`.

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

In the package.json's bin documentation, it's documented that you can use an object with one or more bin file references OR use a single string.

Unfortunately, this is now marked as "error in your package.json when publishing".

Expected Behavior

I expected this notation to not be marked as an error, as the documentation clearly documents this as a valid option.

Steps To Reproduce

  • $ npm init
  • Add a bin file
  • Configure "bin": "path/to/file.js"
  • $ npm publish

Environment

  • npm: 10.2.4
  • Node: 20.10.0
  • OS: MacOS Sonoma 14.2.1
  • platform: Macbook Pro (14", 2023)

Release 3.1.0 does not correctly normalize package bins

[email protected] was published but never tagged latest due to a bug found during release. below is a root cause of the bug, but the tl;dr is that [email protected] will be deprecated and [email protected] will be published once the bug is fixed.

we switched from read-package-json to @npmcli/package-json which recently received an update to bring all the features from the former to the latter. lost in this port was a minor change to normalizing package bins. previously we would not parse package.json#directories.bin if a package.json#bin was present (ref: https://github.com/npm/read-package-json/blob/main/lib/read-json.js#L351-L353) but now we do regardless of whether a bin object is there (ref: https://github.com/npm/package-json/blob/main/lib/normalize.js#L161)

next steps:

  • deprecate [email protected]. this version exists on the registry and contains breaking changes that would impact users if you publish packages using both bin and directories.bin
  • make a fix for this bug in @npmcli/package-json
  • do a further analysis of the changes between read-package-json and @npmcli/package-json and assert this behavior in new tests to ensure no other breaking changes occurred
  • do a new release for [email protected]

Originally posted by @lukekarrys in npm/cli#6470 (comment)
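The two bin behaviours discussed above (the documented string form of `bin`, and `directories.bin` being read only when no `bin` field exists) in one added example that is not @npmcli/package-json's or read-package-json's code. The string form is mapped to the package's unscoped name, as npm documents; the `binDirFiles` listing and the sample packages are constructed. The example also drops bin targets that would resolve outside the package root; that check is this example's own hardening and is not something either issue describes.

```javascript
// Added example (not @npmcli/package-json's own code): bin normalization that
//  - accepts the documented string form of `bin`,
//  - keeps the object form,
//  - reads `directories.bin` only when no `bin` field is present, the
//    read-package-json behaviour the 3.1.0 note says was lost,
//  - and, as this example's own hardening, drops any target that escapes the
//    package root (absolute path, Windows drive, or too many "..").
// `binDirFiles` is a constructed listing of the directories.bin folder.

function unscopedName(name) {
  return name.startsWith('@') ? name.split('/')[1] : name;
}

function insidePackage(target) {
  const unixTarget = target.replace(/\\/g, '/');
  if (unixTarget.startsWith('/')) return false;
  if (/^[A-Za-z]:/.test(unixTarget)) return false;
  let depth = 0;
  for (const seg of unixTarget.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      depth -= 1;
      if (depth < 0) return false;
    } else {
      depth += 1;
    }
  }
  return true;
}

function normalizeBin(pkg, binDirFiles = []) {
  const changes = [];
  let bin;
  if (typeof pkg.bin === 'string') {
    if (typeof pkg.name !== 'string' || pkg.name === '') {
      changes.push('Removed invalid "bin": package has no name');
      return { bin: undefined, changes };
    }
    // Documented shorthand: one string maps to the package's unscoped name.
    bin = { [unscopedName(pkg.name)]: pkg.bin };
  } else if (pkg.bin && typeof pkg.bin === 'object') {
    bin = { ...pkg.bin };
  } else if (pkg.directories && typeof pkg.directories.bin === 'string') {
    // Only consulted when `bin` is absent.
    const dir = pkg.directories.bin.replace(/\/+$/, '');
    bin = {};
    for (const file of binDirFiles) {
      bin[file.split('/').pop()] = `${dir}/${file}`;
    }
  } else {
    return { bin: undefined, changes };
  }
  for (const [name, target] of Object.entries(bin)) {
    if (typeof target !== 'string' || !insidePackage(target)) {
      delete bin[name];
      changes.push(`Removed invalid "bin[${name}]"`);
    }
  }
  return { bin, changes };
}

// Constructed packages covering each case.
console.log(normalizeBin({ name: '@scope/tool', bin: 'cli.js' }));
console.log(normalizeBin({ name: 'tool', bin: { a: 'bin/a.js', evil: '../../x' } }));
console.log(normalizeBin({ name: 'tool', directories: { bin: 'bin' } }, ['a.js', 'b.js']));
console.log(normalizeBin({ name: 'tool', bin: { a: 'a.js' }, directories: { bin: 'bin' } }, ['z.js']));
```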

Consider a mode that does not strip build-id

Build id is a pretty grey area for semver and the npm registry. Since it's not part of semver resolution it's stripped when sending the packument data, but kept in the package.json in the tarball.

Discussion at npm/cli#1479

npm pkg fix may want to not strip build id by default.

[BUG] `normalize` will report a missing scripts as invalid, then delete it instead of creating it

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When the scripts key is entirely missing from a package.json, the normalize function will report it as invalid and that it was removed, then delete it. Of course, the key never existed at all, so deleting it does nothing.

See:
npm/cli#7127

Expected Behavior

If scripts being required to be at least an empty object is intended, then I'd expect normalize to set it to that instead of deleting it. If scripts can be omitted, then I'd expect it to not report them as invalid.

As an aside, the message Removed invalid "scripts" is very misleading if scripts was already missing.

Steps To Reproduce

  1. npm init -y
  2. npm pkg delete scripts
  3. npm i @npmcli/package-json
  4. Put this as index.js:
const changes = [];
require("@npmcli/package-json")
  .fix(".", { changes })
  .then(
    (res) => console.log(changes.join("\n"), res.content.scripts),
    console.error
  );
  5. node index.js
  6. Prints `Removed invalid "scripts" undefined`: it errored about the missing scripts but didn't fix it.

Environment

  • npm: 10.3.0
  • Node: 21.9.0
  • OS: macOS 13.6.3
  • platform: Macbook Pro
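The behaviour the issue above asks for, as an added example that is not @npmcli/package-json's code: a missing `scripts` is created as an empty object and reported as added, and a `scripts` that is not an object is removed and reported as invalid. Dropping individual entries whose value is not a string is this example's own assumption; the `changes` array mirrors the reporter's usage of that option.

```javascript
// Added example (not @npmcli/package-json's own code): the normalization the
// issue above asks for. `content` is a parsed package.json; `changes` collects
// human-readable messages the way the reporter's snippet expects.
function normalizeScripts(content, changes = []) {
  const pkg = { ...content };
  if (!('scripts' in pkg)) {
    // The key never existed: create it instead of "removing" it.
    pkg.scripts = {};
    changes.push('Added missing "scripts" as an empty object');
    return pkg;
  }
  if (pkg.scripts === null || typeof pkg.scripts !== 'object' || Array.isArray(pkg.scripts)) {
    // Present but not an object: this is the only case that is truly invalid.
    delete pkg.scripts;
    changes.push('Removed invalid "scripts"');
    return pkg;
  }
  // Assumption of this example: entries whose value is not a string are dropped.
  const scripts = {};
  for (const [name, cmd] of Object.entries(pkg.scripts)) {
    if (typeof cmd === 'string') {
      scripts[name] = cmd;
    } else {
      changes.push(`Removed invalid "scripts.${name}"`);
    }
  }
  pkg.scripts = scripts;
  return pkg;
}

// Constructed inputs: the reporter's case (no scripts key), an invalid
// scripts value, and a mixed object.
const demoChanges = [];
const demoResult = normalizeScripts({ name: 'demo', version: '1.0.0' }, demoChanges);
console.log(demoChanges.join('\n'), demoResult.scripts); // Added missing ... {}
```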
