npq: Can't auth with snyk

When I’m authed with the snyk cli snyk auth and there is a snyk config with my api token, npq is unable to query for known vulnerabilities:

    - Unable to query vulnerabilities for packages

But when I delete the snyk config rm -rf ~/.config/configstore/snyk.json, npq is running just fine.

So I have the situation, that I cant use both tools at the same time. Reproduced this behaviour on two different machines.

Expected Behavior

I expect, that the snyk cli can co-exist with the npq tool. So I can snyk test and npq i <whatever> in the same environment, without changing anything in my settings / configs.

Current Behavior

npq will run into an error with the vulnerabilities check when snyk cli is authed.

Possible Solution

Steps to Reproduce (for bugs)

  • Install snyk cli npm i -g snyk
  • Auth with snyk cli snyk auth
  • Install npq npm i -g npq
  • Install something through npq npq i axios
  • You should see an error
  • Delete the snyk config with api token rm -rf ~/.config/configstore/snyk.json
  • Install something through npq npq i axios
  • It should work fine

Your Environment

  • Mac, Node: v15.8.0
  • Windows, Node: v14.15.1

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 15 (14 by maintainers)

Commits related to this issue

Most upvoted comments

Opened a PR. Had some problems with hooks not working on a Windows development environment, so I couldn’t really test it. This should only fix the API issue. Will open a different issue for the explicit version not being used.

+1
yoavain on Apr 19, 2021

For me - as a new user

+1
yoavain on Apr 18, 2021

Here’s what I can see from the snyk.marshall.js: Calling fetch on this https://snyk.io/api/v1/test/npm/axios/0.21.1 using my token results in this 403 error:

The org yoavain (.......) is not entitled for api access. Please upgrade your plan to access this capability
  • This is a different error from having an invalid token, which gets 401
  • getSnykVulnInfo is hiding this error message
  • Querying using snyk test axios did work for me (and gave an error when renamed the snyk.json file)

Not sure how Snyk licensing works and whether there’s any difference between the API npq uses and the one snyk test CLI uses. I can test tomorrow at work using a corporate token, on a Windows system, to see if I get a different result.

+1
yoavain on Apr 17, 2021

@yoavain I can’t reproduce this so it’s difficult on my end to guess where the issue is. Could you add some prints to the returned results of the snyk vulnerabilities query? perhaps the issue will become clear when we understand what the API call returns.

+1
lirantal on Apr 17, 2021
Read more comments on GitHub
← lockfile-lint: How to add exception to allow e.g. `git+ssh://git@gitlab.foo.bar`
other_video_transcoding: DVD slows down during scenes →