
[audit] pnpm projects fail to generate SBOM and audits cannot continue #728

@wjaspers

Description


Describe the bug

PNPM has an issue generating SBOM files when they become very long, as it tries to serialize a single, large blob of JSON.

Internally, jf audit calls /path/to/pnpm ls --depth Infinity --json --long to gather enough information for the bill of materials.

Unfortunately NODE_OPTIONS=--max-old-space-size=8192 doesn't do the trick, and jf audit ignores the NODE_OPTIONS flag anyway.

Current behavior

Audit dies while waiting for pnpm ls --depth Infinity --json --long.

Audit reports error code 41, which, again, doesn't really describe anything.

The error log contains "Error: Invalid string length", which isn't very descriptive.

Reproduction steps

Create a relatively complex NPM project and generate a pnpm-lock.yaml with PNPM.

(Hint: We are using the aws-sdk and several packages which depend on one another).

Run jf audit on your project.

Expected behavior

Audit completes; or I can generate my own SBOM and provide it as a command line switch.

JFrog CLI version

2.85.0

Operating system type and version

Ubuntu 25.04 plucky

JFrog Artifactory version

unknown

JFrog Xray version

unknown

Related

pnpm/pnpm#9088 (comment)

pnpm ls command and json printer
https://github.com/pnpm/pnpm/blob/6b18b795b7d4e1b9c780aaf0c49c68da0502a0b2/reviewing/list/src/index.ts#L136
https://github.com/pnpm/pnpm/blob/6b18b795b7d4e1b9c780aaf0c49c68da0502a0b2/reviewing/list/src/renderJson.ts#L50
