dependabot-core

Azure Artifacts Doesn't support the version specific endpoint for NPM Packages

Open jpinz opened this issue 2 years ago • 3 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Package ecosystem

npm

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

Azure Artifacts doesn't support the version-specific NPM endpoint, along the lines of https://<org>.pkgs.visualstudio.com:443/_packaging/<project>/npm/registry/<package-name>/<package-version>, which results in a 404 response and causes the job to fail with security_update_not_possible.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

jpinz avatar Dec 07 '23 20:12 jpinz

@jpinz You mentioned there might be a more appropriate endpoint to hit instead? What endpoint is that?

jakecoffman avatar Dec 07 '23 20:12 jakecoffman

> @jpinz You mentioned there might be a more appropriate endpoint to hit instead? What endpoint is that?

In my experience, the one without the package version at the end would just be JSON we'd parse to get the version out of instead. The JSON would look like this (example for node-fetch): https://registry.npmjs.org/node-fetch, which could be accessed like so: https://jqplay.org/s/4BhRQy-abp3 for node-fetch version 3.3.2.

The existence of that key would imply that the version exists, and we could access any additional metadata we would need within that object.

That object appears to be identical to the one we get from the version specific endpoint here: https://registry.npmjs.org/node-fetch/3.3.2

jpinz avatar Dec 07 '23 20:12 jpinz
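
The lookup described in the comment above, as an added Ruby example (not dependabot-core's code and not a patch from this thread): try the version-specific endpoint, and on a 404 fall back to the package document and check for the version as a key under `versions`. The `fetch` callable, the feed URL and the sample responses are constructed assumptions so the example runs offline.

```ruby
require "json"

# Added example, not dependabot-core code. `fetch` is a hypothetical callable
# that takes a URL and returns [http_status, body_string].
def npm_version_metadata(registry, name, version, fetch:)
  # Scoped names (@scope/name) are addressed with the slash escaped.
  base = "#{registry.chomp('/')}/#{name.sub('/', '%2F')}"

  # 1. Version-specific endpoint (served by registry.npmjs.org).
  status, body = fetch.call("#{base}/#{version}")
  return JSON.parse(body) if status == 200

  # Only a 404 is ambiguous (unsupported endpoint or missing version);
  # any other status is a registry error and must not be masked.
  raise "registry error #{status} for #{base}/#{version}" unless status == 404

  # 2. Fall back to the package document and look the version up as a key
  #    under "versions". A missing key means the version does not exist.
  status, body = fetch.call(base)
  raise "registry error #{status} for #{base}" unless status == 200

  JSON.parse(body).fetch("versions", {})[version]
end

# Constructed sample package document (trimmed; not real registry output).
PACKUMENT = JSON.generate(
  "name" => "node-fetch",
  "versions" => {
    "3.3.1" => { "name" => "node-fetch", "version" => "3.3.1" },
    "3.3.2" => { "name" => "node-fetch", "version" => "3.3.2" }
  }
)

# Stand-in for a feed that 404s on /<package>/<version>, as the issue describes.
FEED = "https://feed.example.invalid/npm/registry"
AZURE_LIKE = lambda do |url|
  url == "#{FEED}/node-fetch" ? [200, PACKUMENT] : [404, ""]
end

# Stand-in for a registry that does serve the version-specific endpoint.
NPMJS_LIKE = lambda do |url|
  if url.end_with?("/node-fetch/3.3.2")
    [200, JSON.generate("name" => "node-fetch", "version" => "3.3.2")]
  else
    [404, ""]
  end
end
```

A `nil` return means the version is absent from the package document, which is the only case where reporting that no update is possible would be accurate.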

👋 This issue has been marked as stale because it has been open for 2 years with no activity. You can comment on the issue to hold stalebot off for a while, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.

github-actions[bot] avatar Dec 07 '25 00:12 github-actions[bot]