fix: remove and log vulns with no upgradeable path

snyk · May 29, 2017 · b1039d3 · b1039d3
1 parent 71bd6c4
commit b1039d3
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/lib/protect/update.js b/lib/protect/update.js
@@ -9,6 +9,7 @@ var errors = require('../error');
 var npm = require('../npm');
 var yarn = require('../yarn');
 var spinner = require('../spinner');
+var analytics = require('../analytics');
 
 function update(packages, live, pkgManager) {
   pkgManager = pkgManager || 'npm';
@@ -22,14 +23,20 @@ function update(packages, live, pkgManager) {
 
     var upgrade = packages
     .map(function (vuln) {
-      var remediation = vuln.upgradePath.filter(Boolean)[0];
+      var remediation = vuln.upgradePath[1];
+      if (!remediation) {
+        // this vuln holds an unreachable upgrade path - send this to analytics
+        // and return an empty object to be filtered
+        analytics.add('bad-upgrade-path', vuln);
+        return null;
+      }
       upgradeWithoutVersions.push(remediation.split('@').shift());
-
       return {
         remediation: remediation,
         type: vuln.parentDepType || 'prod',
       };
     })
+    .filter(Boolean)
     .reduce(function (ups, vuln) {
       if (!ups[vuln.type]) {
         ups[vuln.type] = [];