KeyError thrown due to missing versions in uninstalled platform-specific NPM dependencies

[orzechowskid]

hi there! I'm investigating the integration of scfw into our toolchain and am coming across some behavior which i didn't expect.

running scfw audit npm, in my git repository containing a project managed by npm 10.9.3, gives me this error message:

[SCFW] ERROR: Malformed installed package report

even though as far as I could tell npm list --all --json returned a well-formed JSON object containing the expected properties.

while debugging this issue I noticed that npm.py assumes a "package" key is always present in dependency dictionaries (https://github.com/DataDog/supply-chain-firewall/blob/main/scfw/package_managers/npm.py#L181 ), but I don't think that's guaranteed to be true. for instance, one of this webapp's transitive dependencies is esbuild, which has its own dependencies which are platform-specific. on my mac, npm list --all --json | jq '.dependencies["vite"]' gives me the following (truncated for clarity):

{
  "version": "4.5.14",
  "resolved": "https://registry.npmjs.org/vite/-/vite-4.5.14.tgz",
  "overridden": false,
  "dependencies": {
    "@types/node": {
      "version": "24.9.2"
    },
    "esbuild": {
      "version": "0.18.20",
      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.18.20.tgz",
      "overridden": false,
      "dependencies": {
        "@esbuild/android-arm": {},
        "@esbuild/android-arm64": {},
        "@esbuild/android-x64": {},
        "@esbuild/darwin-arm64": {
          "version": "0.18.20",
          "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.18.20.tgz",
          "overridden": false
        },
        "@esbuild/darwin-x64": {},
        "@esbuild/freebsd-arm64": {},
        "@esbuild/freebsd-x64": {},
        "@esbuild/linux-arm": {},
        <...>
      }
    },
<...>

a potential fix would be simple, looking something like this:

+              if package_data.get("version", None) is not None:
                  packages.add(Package(ECOSYSTEM.Npm, name, package_data["version"]))

but I wasn't sure if it was an explicit decision to throw a KeyError when no version info could be found, in the spirit of blocking 100% of attempted installations of known-vulnerable packages.

[JD2455]

I encountered this issue while running scfw audit npm on one of my Node.js projects. The command consistently fails with the following error:
[SCFW] ERROR: Malformed installed package report

Environment:
Node.js: 20.19.6
npm: 10.8.2

To further investigate, I created a minimal sample project with only a few dependencies, and the same error occurs. It appears to be triggered by the ts-node package for the sample project. This package depends on @swc/core and @swc/wasm, both of which are installed without package metadata. As a result, when running npm list --all --json, these two packages appear as empty objects ({}).

Since supply-chain-firewall performs a version check here: code ref, the missing metadata causes SCFW to throw the error:
[SCFW] ERROR: Malformed installed package report

I have also noticed similar behavior with other packages in different projects that declare peer dependencies as optional. Because npm does not automatically install optional peer dependencies, they also show up without metadata in the dependency tree, which appears to trigger the same issue.

Question
Is there a known workaround or planned fix in supply-chain-firewall for handling packages that appear without metadata?
If so, is there any estimated timeline for when this might be resolved? This can be applicable for many packages/libraries/plugins with optional peer dependencies.

Additional Resources
Sample Project by replicating the issue: Code
Output of npm ls --all -json: File

Error Message

• Dependency tree without any metadata of package (Output of npm ls --all -json)

• Output of scfw audit npm

@orzechowskid Have you found any resolution in supply chain firewall itself?
@ikretz I see you've assigned the issue to yourself. Do you have any insights?