Fix NullReferenceException in NpmLockfileDetectorBase when dependencies object is missing #1437

Merged
merged 8 commits into from
Jun 23, 2025

Conversation

Copilot
Contributor

@Copilot Copilot AI commented Jun 16, 2025

Summary

Fixed a NullReferenceException that occurred when processing package-lock.json files that don't contain a dependencies (v2) or packages (v3) object.

Root Cause

When a package-lock.json file is missing the dependencies or packages property, the ResolveDependencyObject() method returns null. The code then attempts to call .Children<JProperty>() on this null reference, causing a NullReferenceException:

var dependencies = this.ResolveDependencyObject(packageLockJToken); // Returns null
var dependencyLookup = dependencies.Children<JProperty>().ToDictionary(dependency => dependency.Name); // Throws

Solution

Added a null conditional operator with a fallback to an empty dictionary:

// Handle the case where dependencies is null (missing property in lockfile)
var dependencyLookup = dependencies?.Children<JProperty>().ToDictionary(dependency => dependency.Name) ?? [];

Testing

  • Added comprehensive test cases for both lockfile v2 (dependencies) and v3 (packages) scenarios
  • Created tests that reproduce the exact NullReferenceException condition
  • Verified all 75 existing npm-related tests continue to pass
  • Confirmed no regressions in functionality

Example

Before this fix, a package-lock.json file like this would crash:

{
  "name": "test",
  "version": "1.0.0",
  "lockfileVersion": 3
}

Now it processes gracefully without throwing an exception.

Fixes #1239.
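
The guard described in this pull request, as an added C# example that is not taken from the project's source: `BuildLookup`, the `sectionMissing` flag and the sample lockfiles are assumptions made for illustration, and it requires the Newtonsoft.Json package. Besides falling back to an empty dictionary, it reports when the section was absent, so a scan that yields zero components can be traced to a lockfile with no `dependencies`/`packages` object.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Newtonsoft.Json.Linq;

// Added example, not the project's code: BuildLookup and the sample lockfiles
// below are constructed for illustration; only the Newtonsoft.Json calls are real.
public static class LockfileLookupDemo
{
    // Builds the name -> property lookup and reports whether the section was
    // absent, so the caller can log it instead of silently scanning nothing.
    public static Dictionary<string, JProperty> BuildLookup(string json, out bool sectionMissing)
    {
        var root = JObject.Parse(json);
        var version = root.Value<int?>("lockfileVersion") ?? 1;

        // Mapping as described on this page: v3 reads "packages", otherwise "dependencies".
        // The JObject indexer returns null when the property does not exist.
        var section = version >= 3 ? root["packages"] : root["dependencies"];
        sectionMissing = section is null;

        // Same guard as the fix: null-conditional access, empty dictionary fallback.
        return section?.Children<JProperty>().ToDictionary(p => p.Name)
            ?? new Dictionary<string, JProperty>();
    }

    public static void Main()
    {
        // Constructed sample inputs.
        var samples = new Dictionary<string, string>
        {
            ["v3 without packages"] = @"{ ""name"": ""test"", ""version"": ""1.0.0"", ""lockfileVersion"": 3 }",
            ["v2 without dependencies"] = @"{ ""name"": ""test"", ""lockfileVersion"": 2 }",
            ["v3 with one package"] = @"{ ""lockfileVersion"": 3, ""packages"": { ""node_modules/left-pad"": { ""version"": ""1.3.0"" } } }",
        };

        foreach (var (label, json) in samples)
        {
            var lookup = BuildLookup(json, out var missing);
            Console.WriteLine($"{label}: entries={lookup.Count}, sectionMissing={missing}");
        }
    }
}
```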



Copilot AI and others added 2 commits June 16, 2025 20:36
…es object is missing

- Add null check for dependencies object in ProcessIndividualPackageJTokens method
- Use null conditional operator to safely handle missing dependencies/packages properties
- Add comprehensive test cases for both lockfile v2 (dependencies) and v3 (packages) scenarios
- Ensure backward compatibility and no regression in existing functionality

Resolves issue where package-lock.json files without dependencies/packages properties would cause NullReferenceException when calling .Children<JProperty>() on null JToken.

Co-authored-by: jcfiorenzano <[email protected]>
@Copilot Copilot AI changed the title [WIP] NullReferenceException in NpmLockfileDetectorBase Fix NullReferenceException in NpmLockfileDetectorBase when dependencies object is missing Jun 16, 2025
@Copilot Copilot AI requested a review from jcfiorenzano June 16, 2025 20:48
Copilot finished work on behalf of jcfiorenzano June 16, 2025 20:48
@Copilot Copilot AI requested a review from jcfiorenzano June 17, 2025 20:25
Copilot finished work on behalf of jcfiorenzano June 17, 2025 20:25
…dleGracefully test as requested

Co-authored-by: jcfiorenzano <[email protected]>
Copilot finished work on behalf of jcfiorenzano June 18, 2025 00:43
@Copilot Copilot AI requested a review from jcfiorenzano June 18, 2025 00:43
…racefully test as requested

Co-authored-by: jcfiorenzano <[email protected]>
Copilot finished work on behalf of jcfiorenzano June 18, 2025 00:47
@jcfiorenzano
Contributor

@copilot try again

@jcfiorenzano
Contributor

@copilot try again

Co-authored-by: jcfiorenzano <[email protected]>
@Copilot Copilot AI requested a review from jcfiorenzano June 23, 2025 21:09
Copilot finished work on behalf of jcfiorenzano June 23, 2025 21:10

github-actions bot commented Jun 23, 2025

👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:

  • The detector detects more or fewer components than before
  • The detector generates different parent/child graph relationships than before
  • The detector generates different devDependencies values than before

If none of the above scenarios apply, feel free to ignore this comment 🙂


codecov bot commented Jun 23, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.8%. Comparing base (adabadd) to head (4d1e858).

Additional details and impacted files
@@          Coverage Diff           @@
##            main   #1437    +/-   ##
======================================
  Coverage   89.8%   89.8%            
======================================
  Files        414     414            
  Lines      32966   33078   +112     
  Branches    2045    2045            
======================================
+ Hits       29616   29731   +115     
+ Misses      2938    2934     -4     
- Partials     412     413     +1     


@jcfiorenzano jcfiorenzano enabled auto-merge (squash) June 23, 2025 23:06
@jcfiorenzano jcfiorenzano merged commit d534ee9 into main Jun 23, 2025
26 checks passed
@jcfiorenzano jcfiorenzano deleted the copilot/fix-1239 branch June 23, 2025 23:26
Successfully merging this pull request may close these issues.

NullReferenceException in NpmLockfileDetectorBase