refactor(@angular/cli): add validation and logging to npm manifest parsing

clydin · clydin · commit 4a78ddc6584f · 2026-05-07T11:07:03.000-04:00
Introduce a reusable `isValidManifest` type guard to ensure that parsed manifests contain both `name` and `version` strings. This applies to both single object responses and elements within an array response from the package manager.
diff --git a/packages/angular/cli/src/package-managers/parsers.ts b/packages/angular/cli/src/package-managers/parsers.ts
@@ -12,11 +12,11 @@
  * into their own file improves modularity and allows for focused testing.
  */
 
+import { compare, valid } from 'semver';
 import { ErrorInfo } from './error';
 import { Logger } from './logger';
 import { PackageManifest, PackageMetadata } from './package-metadata';
 import { InstalledPackage } from './package-tree';
-import { compare } from 'semver';
 
 const MAX_LOG_LENGTH = 1024;
 
@@ -217,6 +217,18 @@ export function parseYarnClassicDependencies(
   return dependencies;
 }
 
+function isValidManifest(obj: unknown): obj is PackageManifest {
+  if (typeof obj !== 'object' || obj === null) {
+    return false;
+  }
+
+  const record = obj as Record<string, unknown>;
+  const name = record.name;
+  const version = record.version;
+
+  return typeof name === 'string' && typeof version === 'string' && valid(version) !== null;
+}
+
 /**
  * Parses the output of `npm view` or a compatible command to get a package manifest.
  * @param stdout The standard output of the command.
@@ -242,7 +254,10 @@ export function parseNpmLikeManifest(stdout: string, logger?: Logger): PackageMa
     let maxManifest: PackageManifest | null = null;
 
     for (const manifest of result) {
-      if (!manifest || typeof manifest.version !== 'string') {
+      if (!isValidManifest(manifest)) {
+        logger?.debug(
+          '  Skipping invalid manifest in array (missing name, version, or invalid SemVer).',
+        );
         continue;
       }
 
@@ -251,9 +266,21 @@ export function parseNpmLikeManifest(stdout: string, logger?: Logger): PackageMa
       }
     }
 
+    if (!maxManifest) {
+      logger?.debug('  No valid manifests found in the array.');
+    }
+
     return maxManifest;
   }
 
+  if (!isValidManifest(result)) {
+    logger?.debug(
+      '  Parsed JSON is not a valid manifest (missing name, version, or invalid SemVer).',
+    );
+
+    return null;
+  }
+
   return result;
 }
 
@@ -329,6 +356,14 @@ export function parseYarnClassicManifest(stdout: string, logger?: Logger): Packa
     manifest['ng-add'].save ??= false;
   }
 
+  if (!isValidManifest(manifest)) {
+    logger?.debug(
+      '  Parsed JSON is not a valid manifest (missing name, version, or invalid SemVer).',
+    );
+
+    return null;
+  }
+
   return manifest;
 }
 
diff --git a/packages/angular/cli/src/package-managers/parsers_spec.ts b/packages/angular/cli/src/package-managers/parsers_spec.ts
@@ -13,6 +13,7 @@ import {
   parseNpmLikeManifest,
   parseYarnClassicDependencies,
   parseYarnClassicError,
+  parseYarnClassicManifest,
   parseYarnModernDependencies,
 } from './parsers';
 
@@ -144,11 +145,72 @@ describe('parsers', () => {
       expect(parseNpmLikeManifest(stdout)).toEqual({ name: 'foo', version: '1.1.0' });
     });
 
+    it('should skip invalid manifests in an array', () => {
+      const stdout = JSON.stringify([
+        { name: 'foo', version: '1.0.0' },
+        { name: 'foo' }, // Missing version
+        { version: '1.2.0' }, // Missing name
+        null,
+        'invalid',
+      ]);
+      expect(parseNpmLikeManifest(stdout)).toEqual({ name: 'foo', version: '1.0.0' });
+    });
+
+    it('should return null if no valid manifests found in the array', () => {
+      const stdout = JSON.stringify([{ name: 'foo' }, { version: '1.2.0' }]);
+      expect(parseNpmLikeManifest(stdout)).toBeNull();
+    });
+
+    it('should return null for invalid single object', () => {
+      const stdout = JSON.stringify({ name: 'foo' }); // Missing version
+      expect(parseNpmLikeManifest(stdout)).toBeNull();
+    });
+
+    it('should skip manifests with invalid semver versions in an array', () => {
+      const stdout = JSON.stringify([
+        { name: 'foo', version: '1.0.0' },
+        { name: 'foo', version: 'invalid-version' },
+        { name: 'foo', version: '1.0' },
+      ]);
+      expect(parseNpmLikeManifest(stdout)).toEqual({ name: 'foo', version: '1.0.0' });
+    });
+
+    it('should return null for single object with invalid semver version', () => {
+      const stdout = JSON.stringify({ name: 'foo', version: 'invalid-version' });
+      expect(parseNpmLikeManifest(stdout)).toBeNull();
+    });
+
     it('should return null for empty stdout', () => {
       expect(parseNpmLikeManifest('')).toBeNull();
     });
   });
 
+  describe('parseYarnClassicManifest', () => {
+    it('should parse a valid manifest', () => {
+      const stdout = JSON.stringify({
+        type: 'inspect',
+        data: { name: 'foo', version: '1.0.0' },
+      });
+      expect(parseYarnClassicManifest(stdout)).toEqual({ name: 'foo', version: '1.0.0' });
+    });
+
+    it('should return null for invalid manifest', () => {
+      const stdout = JSON.stringify({
+        type: 'inspect',
+        data: { name: 'foo' },
+      });
+      expect(parseYarnClassicManifest(stdout)).toBeNull();
+    });
+
+    it('should return null if no inspect type found', () => {
+      const stdout = JSON.stringify({
+        type: 'other',
+        data: { name: 'foo', version: '1.0.0' },
+      });
+      expect(parseYarnClassicManifest(stdout)).toBeNull();
+    });
+  });
+
   describe('parseYarnClassicError', () => {
     it('should parse a 404 from verbose logs', () => {
       const stdout =
