Unable to install couchbase as sub-dependency

I have a repo called “backend-models” that I use as a container for my data models. In this repo I installed couchbase via npm, so it is a direct dependency. I then installed my repo as a dependency for other projects; in this case couchbase is a sub-dependency.
Starting from today I can no longer install my repo. When installing it I get this error:

npm ERR! Cannot convert undefined or null to object

...
566 verbose stack TypeError: Cannot convert undefined or null to object
566 verbose stack     at Function.keys (<anonymous>)
566 verbose stack     at Advisory.load (/Users/user/.nvm/versions/node/v14.16.1/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js:102:33)
566 verbose stack     at Calculator.[calculate] (/Users/user/.nvm/versions/node/v14.16.1/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/lib/index.js:59:14)
566 verbose stack     at async Promise.all (index 0)
566 verbose stack     at async Map.[init] (/Users/user/.nvm/versions/node/v14.16.1/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:178:7)
566 verbose stack     at async Map.run (/Users/user/.nvm/versions/node/v14.16.1/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:106:7)
...

I am sure this is related to couchbase, because if I uninstall couchbase from my “backend-models” project, I am able to install it with no errors.

Since the stack refers to “audit”, I think that this might be related to the fact that I get 3 high vulnerabilities by installing couchbase ^3.2.4 as a direct dependency in my “backend-models” project.

# npm audit report

simple-get  <4.0.1
Severity: high
Exposure of Sensitive Information in simple-get - https://github.com/advisories/GHSA-wpg7-2c88-r8xv
fix available via `npm audit fix --force`
Will install couchbase@2.3.3, which is a breaking change
node_modules/simple-get
  prebuild-install  <=6.1.4
  Depends on vulnerable versions of simple-get
  node_modules/prebuild-install
    couchbase  >=2.3.4
    Depends on vulnerable versions of prebuild-install
    node_modules/couchbase

3 high severity vulnerabilities

I get the same audit report with all 3.*.* versions. That’s why audit suggests downgrading to 2.3.3.

Any suggestion? Will vulnerabilities be solved soon?

OK, the problem is the prebuild-install version. It seems they fixed it 5 hours ago: Resolve vulnerability in dependencies (simple-get < 4.0.1) · Issue #172 · prebuild/prebuild-install · GitHub

If some couchbase SDK developer is reading, please update the prebuild-install package to resolve the issue.
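The chain in the audit report above (simple-get under prebuild-install under couchbase) can be traced directly from a `package-lock.json`. This is an added example, not part of the original thread or of any project's code; the lockfile fragment, the simple-get and backend-models versions, the dependency ranges, and the helper names `lessThan`, `resolve` and `chainsTo` are all constructed for illustration.

```javascript
// Constructed lockfileVersion 2 fragment; simple-get/backend-models versions and all ranges are made up.
const lock = {
  packages: {
    "": { dependencies: { "backend-models": "^1.0.0" } },
    "node_modules/backend-models": { version: "1.0.0", dependencies: { couchbase: "^3.2.4" } },
    "node_modules/couchbase": { version: "3.2.4", dependencies: { "prebuild-install": "^6.0.0" } },
    "node_modules/prebuild-install": { version: "6.1.4", dependencies: { "simple-get": "^3.0.3" } },
    "node_modules/simple-get": { version: "3.1.0" },
  },
};

// Compare plain x.y.z versions numerically (no prerelease handling).
function lessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Resolve dependency `name` of the package at `from` the way Node does:
// nearest node_modules directory first, then each parent up to the root.
function resolve(packages, from, name) {
  let dir = from;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}

// Return every chain root -> ... -> name where the installed version < fixedIn.
function chainsTo(packages, name, fixedIn) {
  const chains = [];
  const walk = (path, trail) => {
    const deps = { ...packages[path].dependencies, ...packages[path].optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const target = resolve(packages, path, dep);
      if (!target || trail.includes(target)) continue; // missing or cyclic
      const next = [...trail, target];
      if (dep === name && lessThan(packages[target].version, fixedIn)) {
        chains.push(next.map((p) => `${p.split("node_modules/").pop()}@${packages[p].version}`));
      } else walk(target, next);
    }
  };
  walk("", []);
  return chains;
}
console.log(chainsTo(lock.packages, "simple-get", "4.0.1").map((c) => c.join(" > ")));
```

To run it against a real project, replace the constructed `lock` object with the parsed contents of that project's `package-lock.json`.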

From today I no longer have problems installing Couchbase as a sub-dependency. I don’t get the npm ERR! Cannot convert undefined or null to object anymore.
Don’t know what has changed, because couchbase is still v3.2.4. Maybe they fixed something related to metavuln-calculator

Had a quick look. I don’t think we’ve broken anything here, so I’m glad it’s working now. Please let us know if you see further issues though.
