Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Invalid payload submitted to Node Audit API. Received response code: 400 Bad Request
See original GitHub issueIn our project the dependency-check fails on the Node Audit analyzer with the error:
Could not perform Node Audit analysis. Invalid payload submitted to Node Audit API.
However, this is NOT the same problem as in #2641
Investigating I found out that in fact the payload, which is generated in https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzer.java#L184, seems not to be accepted by the NPM REST API.
What I did was
- run the dependency check (in my case throught the CLI like this:
dependency-check -s . --disableYarnAudit --log dependencycheck.log - open the file
dependencycheck.logand find the payload in there (close to the lineNode Audit Payload) and copy it - run the call to
https://registry.npmjs.org/-/npm/v1/security/auditsmanually with curl or Postman like this
curl --location --request POST 'https://registry.npmjs.org/-/npm/v1/security/audits' \
--header 'Content-Type: application/json' \
--data-raw 'PLACE-PAYLOAD-HERE'
and I get the same error
{
"statusCode": 400,
"error": "Bad Request",
"message": "Invalid package tree, run npm install to rebuild your package-lock.json"
}
When I run npm audit it works though, so I think it’s not a problem with my package-lock.json or with NPM.
Here is the payload in our example nodeaudit_payload.txt
So, the problem must be somewhere in NpmPayloadBuilder.java.
Stripping down the payload on a trial-and-error basis, the error persists and only goes away when the entries in section requires resemble the entries in section dependencies - but not sure if that is really the rule.
Issue Analytics
- State:
- Created 2 years ago
- Reactions:2
- Comments:13 (1 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@ryandutton : Under normal circumstances you will not see any error from
npm auditbecause this command will first issue a bulk request - different endpoint and different format https://docs.npmjs.com/cli/v8/commands/npm-audit#bulk-advisory-endpoint - and only if that fails it will issue a request to the quick audit endpoint (the one used bydependency-check). But if you intercept the HTTP request to the bulk endpoint and fail that, then you will see the quick audit endpoint failing just like you see independency-checkSo maybe we have two issues here:dependency-check: try to use the bulk end point first just likenpm auditnpm: the quick audit endpoint is failing on legitimatepackage-lock.json(generated bynpm!)by the way - I only saw this occuring after upgrading by Nx repo to Nx 14.3.5 and Angular 14.0.1
node 16.15.0andnpm 8.5.5Would it be a good idea to skip node audit analyser with flag
--disableNodeAuditfor now until this is fixed? and use audit-ci