Merge pull request #301 from tmeire/bugfix-audit-error-reporting

rafaelfranca · web-flow · commit 7fefb0d82224 · 2025-07-08T22:52:20.000-04:00
Catch failure HTTP responses on calls to the npm registry
diff --git a/lib/importmap/npm.rb b/lib/importmap/npm.rb
@@ -76,13 +76,19 @@ def get_json(uri)
       request = Net::HTTP::Get.new(uri)
       request["Content-Type"] = "application/json"
 
-      response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |http|
-        http.request(request)
-      }
+      response = begin
+        Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |http|
+          http.request(request)
+        }
+      rescue => error
+        raise HTTPError, "Unexpected transport error (#{error.class}: #{error.message})"
+      end
+
+      unless response.code.to_i < 300
+        raise HTTPError, "Unexpected error response #{response.code}: #{response.body}"
+      end
 
       response.body
-    rescue => error
-      raise HTTPError, "Unexpected transport error (#{error.class}: #{error.message})"
     end
 
     def find_latest_version(response)
@@ -111,6 +117,11 @@ def get_audit
       return {} if body.empty?
 
       response = post_json(uri, body)
+
+      unless response.code.to_i < 300
+        raise HTTPError, "Unexpected error response #{response.code}: #{response.body}"
+      end
+
       JSON.parse(response.body)
     end
 
diff --git a/test/npm_test.rb b/test/npm_test.rb
@@ -59,14 +59,52 @@ class Importmap::NpmTest < ActiveSupport::TestCase
     end
   end
 
-  test "failed outdated packages request with mock" do
+  test "failed outdated packages request with exception" do
     Net::HTTP.stub(:start, proc { raise "Unexpected Error" }) do
       assert_raises(Importmap::Npm::HTTPError) do
         @npm.outdated_packages
       end
     end
   end
 
+  test "failed outdated packages request with error response" do
+    client = Minitest::Mock.new
+    response = Class.new do
+      def body
+        { "message" => "Service unavailable" }.to_json
+      end
+
+      def code() "500" end
+    end.new
+
+    client.expect(:request, nil, [Net::HTTP::Get])
+
+    Net::HTTP.stub(:start, response, client) do
+      e = assert_raises(Importmap::Npm::HTTPError) do
+        @npm.outdated_packages
+      end
+
+      assert_equal "Unexpected error response 500: {\"message\":\"Service unavailable\"}", e.message
+    end
+  end
+
+  test "failed vulnerable packages with mock" do
+    response = Class.new do
+      def body
+        { "message" => "Service unavailable" }.to_json
+      end
+
+      def code() "500" end
+    end.new
+
+    @npm.stub(:post_json, response) do
+      e = assert_raises(Importmap::Npm::HTTPError) do
+        @npm.vulnerable_packages
+      end
+      assert_equal "Unexpected error response 500: {\"message\":\"Service unavailable\"}", e.message
+    end
+  end
+
   test "successful vulnerable packages with mock" do
     response = Class.new do
       def body
