Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
Installing a package with an invalid semver in its version history causes npm to crash. I wasn't sure if this was a bug with https://github.com/npm/metavuln-calculator or here (or somewhere else), but I thought I'd open the issue here first, since the maintainers probably know best where this bug belongs.

Using `--no-audit` causes the installation to succeed, so what seems to be happening is that the package audit happens on install, not just for the version being installed, but for all versions of the package. Since the `yui` package has an invalid semver in its version history, when the package audit step iterates over all versions, it causes a crash. This is my guess, and I'm opening an issue here to confirm that this is the case.
After running `npm i yui@3.18.1`, here's the error:

```
npm ERR! Invalid Version: 3.5.0pr2
```
And the relevant debug log:
```
258 verbose stack TypeError: Invalid Version: 3.5.0pr2
258 verbose stack at new SemVer (/Users/bjornstange/.npm/lib/node_modules/npm/node_modules/semver/classes/semver.js:38:13)
258 verbose stack at compareBuild (/Users/bjornstange/.npm/lib/node_modules/npm/node_modules/semver/functions/compare-build.js:3:20)
258 verbose stack at /Users/bjornstange/.npm/lib/node_modules/npm/node_modules/semver/functions/sort.js:2:51
258 verbose stack at Array.sort (<anonymous>)
258 verbose stack at Object.sort (/Users/bjornstange/.npm/lib/node_modules/npm/node_modules/semver/functions/sort.js:2:36)
258 verbose stack at Advisory.[calculateRange] (/Users/bjornstange/.npm/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js:169:28)
258 verbose stack at Advisory.load (/Users/bjornstange/.npm/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js:157:28)
258 verbose stack at Calculator.[calculate] (/Users/bjornstange/.npm/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/lib/index.js:60:14)
258 verbose stack at async Promise.all (index 0)
258 verbose stack at async Map.[init] (/Users/bjornstange/.npm/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:186:9)
```
Expected Behavior
`npm i yui@3.18.1` should succeed and not crash npm.
Steps To Reproduce
- With node 16.15.1 and npm 8.12.1
- Run `npm i yui@3.18.1`
- See error/logs, specifically `npm ERR! Invalid Version: 3.5.0pr2`
Environment
- npm: 8.11.0
- Node.js: 16.15.1
- OS Name: Mac OS 12.4 Monterey
- System Model Name: MacBook Pro
- npm config:

```
; "user" config from /Users/bjornstange/.npmrc
prefix = "/Users/bjornstange/.npm"
; node bin location = /Users/bjornstange/.n/bin/node
; node version = v16.15.1
; npm local prefix = /Users/bjornstange/expel/adhoc/npm_crash
; npm version = 8.12.1
; cwd = /Users/bjornstange/expel/adhoc/npm_crash
; HOME = /Users/bjornstange
; Run `npm config ls -l` to show all defaults.
```
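The failure mode described in this report, as an added illustration that is not code from npm, node-semver or metavuln-calculator: a minimal strict parser built from the published semver.org grammar (so it lacks node-semver's loose-mode extras such as a leading `v`), a sort that parses every element the way a `new SemVer(...)` in a comparator does, and a tolerant variant that partitions out unparseable entries before sorting instead of throwing. The version list is constructed for the example and is not a real registry response; the only tie to the report is the malformed `3.5.0pr2` string.

```javascript
// Added example: why sorting a package's full version history with a strict
// semver comparator aborts on one malformed entry, and a tolerant alternative.
// This is illustrative code, not npm's or node-semver's implementation.
// Grammar is the official semver.org regex (strict; no leading "v", no trimming).
const SEMVER_RE = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

// Parse a version string or throw; the error text mirrors the one in the report.
function parseVersion(v) {
  const m = SEMVER_RE.exec(v);
  if (!m) throw new TypeError(`Invalid Version: ${v}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    // Numeric prerelease identifiers compare numerically, others as strings.
    prerelease: m[4] ? m[4].split('.').map(id => (/^\d+$/.test(id) ? Number(id) : id)) : [],
  };
}

// Precedence rules for a single prerelease identifier: numeric < alphanumeric.
function compareIdentifiers(a, b) {
  const an = typeof a === 'number';
  const bn = typeof b === 'number';
  if (an && bn) return a === b ? 0 : a < b ? -1 : 1;
  if (an) return -1;
  if (bn) return 1;
  return a === b ? 0 : a < b ? -1 : 1;
}

// Strict comparator: parses both sides, so one invalid string throws mid-sort.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  // A prerelease has lower precedence than the same release without one.
  if (pa.prerelease.length && !pb.prerelease.length) return -1;
  if (!pa.prerelease.length && pb.prerelease.length) return 1;
  const n = Math.max(pa.prerelease.length, pb.prerelease.length);
  for (let i = 0; i < n; i++) {
    if (i >= pa.prerelease.length) return -1; // shorter identifier list sorts first
    if (i >= pb.prerelease.length) return 1;
    const c = compareIdentifiers(pa.prerelease[i], pb.prerelease[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// Strict sort: every element is parsed, so a single bad historical version
// aborts the whole operation (the behaviour the report describes).
function sortStrict(versions) {
  return [...versions].sort(compareVersions);
}

// Tolerant sort: validate first, sort only what parses, and surface the rest
// so a malformed old version cannot take down an otherwise valid install.
function sortTolerant(versions) {
  const valid = [];
  const invalid = [];
  for (const v of versions) (SEMVER_RE.test(v) ? valid : invalid).push(v);
  return { sorted: valid.sort(compareVersions), invalid };
}

// Constructed sample (assumption: not a real registry response). It mixes
// releases, valid prereleases and the malformed "3.5.0pr2" from the report.
const SAMPLE_VERSIONS = ['3.18.1', '3.5.0pr2', '3.5.0-pr2', '3.5.0', '3.4.1', '3.5.0-pr10'];

// Run both strategies over the sample and report what each produced.
function demo(versions = SAMPLE_VERSIONS) {
  let strictError = null;
  try {
    sortStrict(versions);
  } catch (e) {
    strictError = e.message;
  }
  return { strictError, ...sortTolerant(versions) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Note that the tolerant path deliberately returns the rejected strings rather than dropping them silently: an audit that skips a version should still say which one it skipped, otherwise a malformed entry could hide a vulnerable release from the range calculation.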