[BUG] Error during audit when installing 2 aliased versions of the same package.

[DanielCausebrook]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

Running these commands in an empty directory causes NPM to fail:

npm i bootstrap3-1-1@npm:bootstrap@3.1.1
npm i bootstrap3-3-7@npm:bootstrap@3.3.7

This results in:

npm error Cannot read properties of null (reading 'name')
npm error A complete log of this run can be found in: /root/.npm/_logs/2025-02-19T16_11_24_866Z-debug-0.log

On around 2024-02-01, I had these two packages installed without any errors. I can confirm the package versions were the same, with the same integrity hashes. Unless I was doing something different at the time, I am assuming this must be a regression from npm?

Running it on verbose shows:

0.297 npm verbose cli /usr/local/bin/node /usr/local/bin/npm                                                                                                                                                                                                                       
0.297 npm info using npm@11.1.0                                                                                                                                                                                                                                                    
0.298 npm info using node@v23.8.0                                                                                                                                                                                                                                                  
0.300 npm verbose title npm i bootstrap3-3-7@npm:bootstrap@3.3.7                                                                                                                                                                                                                   
0.300 npm verbose argv "i" "bootstrap3-3-7@npm:bootstrap@3.3.7" "--loglevel" "verbose"
0.300 npm verbose logfile logs-max:10 dir:/root/.npm/_logs/2025-02-19T16_11_24_866Z-
0.304 npm verbose logfile /root/.npm/_logs/2025-02-19T16_11_24_866Z-debug-0.log
0.684 npm http fetch GET 200 https://registry.npmjs.org/bootstrap 173ms (cache updated)
0.704 npm http cache bootstrap3-3-7@https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz 0ms (cache hit)
0.882 npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 181ms
0.940 npm http fetch GET 200 https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz 235ms (cache miss)
0.950 npm http fetch GET 200 https://registry.npmjs.org/bootstrap 65ms (cache miss)
0.975 npm verbose stack TypeError: Cannot read properties of null (reading 'name')
0.975 npm verbose stack     at npa (/usr/local/lib/node_modules/npm/node_modules/npm-package-arg/lib/npa.js:28:20)
0.975 npm verbose stack     at FetcherBase.get (/usr/local/lib/node_modules/npm/node_modules/pacote/lib/fetcher.js:474:16)
0.975 npm verbose stack     at Object.packument (/usr/local/lib/node_modules/npm/node_modules/pacote/lib/index.js:21:30)
0.975 npm verbose stack     at [packument] (/usr/local/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/lib/index.js:109:22)
0.975 npm verbose stack     at [calculate] (/usr/local/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/lib/index.js:57:23)
0.975 npm verbose stack     at Calculator.calculate (/usr/local/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/lib/index.js:45:31)
0.975 npm verbose stack     at [init] (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:177:44)
0.975 npm verbose stack     at async AuditReport.run (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:109:7)
0.975 npm verbose stack     at async Arborist.reify (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js:268:24)
0.975 npm verbose stack     at async Install.exec (/usr/local/lib/node_modules/npm/lib/commands/install.js:149:5)
0.975 npm error Cannot read properties of null (reading 'name')
0.976 npm verbose cwd /usr/src/app
0.976 npm verbose os Linux 6.10.14-linuxkit
0.976 npm verbose node v23.8.0
0.976 npm verbose npm  v11.1.0
0.976 npm verbose exit 1
0.976 npm verbose code 1
0.976 npm error A complete log of this run can be found in: /root/.npm/_logs/2025-02-19T16_11_24_866Z-debug-0.log

Looking at the stack trace, it seems the issue is with the auditing. Indeed, the error is not triggered if the --no-audit flag is used.

Expected Behavior

The packages should both be installed, with different aliases.

Steps To Reproduce

The following dockerfile reproduces the issue for me:

FROM node:alpine

WORKDIR /usr/src/app

RUN npm install -g npm@latest

RUN npm i bootstrap3-1-1@npm:bootstrap@3.1.1
RUN npm i bootstrap3-3-7@npm:bootstrap@3.3.7 --loglevel verbose

# Passing --no-audit causes the command to succeed.
# RUN npm i bootstrap3-3-7@npm:bootstrap@3.3.7 --no-audit

Environment

• npm: 11.1.0
• Node.js: 23.8.0
• OS Name: (Used Docker image node:alpine. Also replicated on macOS 15.2, M1 Macbook Pro.)
• System Model Name: See above
• npm config:

; node bin location = /usr/local/bin/node
; node version = v23.8.0
; npm local prefix = /usr/src/app
; npm version = 11.1.0
; cwd = /usr/src/app
; HOME = /root
; Run `npm config ls -l` to show all defaults.

[DanielCausebrook]

As mentioned above, I got these packages installed last year without issue, which is why I assumed it was an npm regression.

I have just tried running this with older versions of npm(1), and it still triggers the error. So, I apologise if this is all due to a misunderstanding or misconfiguration on my end.

(1) I tried pulling from older docker images like node:17-alpine, without then updating npm.

It still seems odd that --no-audit would resolve this, though. So I'll leave this open - I suppose it could be caused by new/updated security advisories creating the conditions to trigger a bug?

[milaninfy]

@DanielCausebrook in your empty directory, did you run npm init to initialize package.json file ?

[DanielCausebrook]

Good grief, is that all it was? Yes, running npm init does prevent the error.

Specifically, the error occurs if the package.json file is missing the name key. In the context of my docker example, this works:

FROM node:alpine
WORKDIR /usr/src/app
RUN npm install -g npm@latest

RUN npm init --yes
# Or
# RUN echo '{"name":"test"}' >> ./package.json

RUN npm i bootstrap3-1-1@npm:bootstrap@3.1.1
RUN npm i bootstrap3-3-7@npm:bootstrap@3.3.7 --loglevel verbose

However, this situation still feels problematic to me. The manner in which this fails makes the cause unclear:

• The errors emitted are not specific, and I have observed it failing without emitting any errors at all
• The error occurs inside an unrelated component (audit)
• The error only occurs under very specific conditions (e.g. if any of the dependencies is changed to v5, the error is not triggered)

If a field is required, perhaps npm should emit a more useful warning at the time package.json is parsed? This seems better than triggering random errors further down the line.

That being said, I am aware that running npm init is a pretty basic step to have missed. In that respect, sorry for wasting your time. Would you like me to:

• Close this issue?
• Close this issue and create a feature request for more useful warnings?
• Leave this open to treat the lack of warnings as a bug?

[milaninfy]

@DanielCausebrook

That being said, I am aware that running npm init is a pretty basic step to have missed. In that respect, sorry for wasting your time. Would you like me to:

No problem at all. Yes this do seems like a legit error, however I think we have similer issue reported in past related to name property being undefined so we can close this as duplicate to that issue. I'll close it once I find that reference.