corepack
corepack copied to clipboard
nodejs
Metadata retrieval errors when using `COREPACK_NPM_REGISTRY` in combination with Sonatype Nexus
@aduh95 @arcanis
https://github.com/nodejs/corepack/pull/436 has broken COREPACK_NPM_REGISTRY in combination with Sonatype Nexus repository manager.
ARG YARN_VERSION
ARG NPM_REGISTRY_URL="https://nexus.megacorp.com/repository/npmjs-proxy/"
ENV COREPACK_NPM_REGISTRY $NPM_REGISTRY_URL
RUN npm config set registry $NPM_REGISTRY_URL \
&& npm install --global corepack@latest \
&& corepack enable \
&& corepack install --global yarn@${YARN_VERSION} \
&& yarn config set --home npmRegistryServer $NPM_REGISTRY_URL
Results in:
Installing [email protected]...
Internal Error: Server answered with HTTP 400 when performing the request to https://nexus.megacorp.com/repository/npmjs-proxy//@yarnpkg/cli-dist/4.2.1; for troubleshooting help, see https://github.com/nodejs/corepack#troubleshooting
at fetch (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:22769:11)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async fetchAsJson (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:22776:20)
at async fetchTarballURLAndSignature (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:22724:27)
at async installVersion (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:22987:52)
at async Engine.ensurePackageManager (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:23449:32)
at async InstallGlobalCommand.installFromDescriptor (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:23846:5)
at async InstallGlobalCommand.execute (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:23828:9)
at async InstallGlobalCommand.validateAndExecute (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:20954:22)
at async _Cli.run (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:21929:18)
Nexus doesn't provide metadata at the ${npmRegistryUrl}/${packageName}/${version} url.
I believe it only serves metadata at the ${npmRegistryUrl}/${packageName} url.
So this change breaks corepack for Nexus and perhaps Artifactory as well.
Had to revert to corepack 0.26.0
Update
I've found a public Nexus instance to show what I mean: Web view: https://nexus3.onap.org/#browse/browse:npm:%40yarnpkg%2Fcli-dist Artifact: https://nexus3.onap.org/repository/npm/%40yarnpkg/cli-dist/-/cli-dist-4.2.1.tgz Metadata: https://nexus3.onap.org/repository/npm/%40yarnpkg/cli-dist
There is no metadata available at https://nexus3.onap.org/repository/npm/%40yarnpkg/cli-dist/4.2.1 !
Is this reported to Sonatype as well? It seems like the incompatiblity lies on Nexus itself rather than the Corepack implementation.
Possibly a duplicate of https://github.com/nodejs/corepack/issues/498. Can you test with Corepack 0.29.x?
Sonatype changed behavior in NEXUS-42854 , mentioned in the release notes , but it doesn't seem to be a sufficient fix.
Sonatype changed behavior in NEXUS-42854 , mentioned in the release notes , but it doesn't seem to be a sufficient fix.
Indeed NXRM 3.70.0 has changed this behavior, but it is still not compatible with corepack.
https://registry.npmjs.com/@yarnpkg/cli-dist/4.3.1
{
"name": "@yarnpkg/cli-dist",
"version": "4.3.1",
"license": "BSD-2-Clause",
"_id": "@yarnpkg/[email protected]",
"bin": {
"yarn": "bin/yarn.js",
"yarnpkg": "bin/yarn.js"
},
"dist": {
"shasum": "409cdab09b1f792d4e6bad5aa687320943b0d4cc",
"tarball": "https://registry.npmjs.org/@yarnpkg/cli-dist/-/cli-dist-4.3.1.tgz",
"fileCount": 5,
"integrity": "sha512-Vpi/Nbu2SLXGRdKvuxhT0WNe3jOL/LM0Wl58yxUN9WcaQnCYyuIILNS3R35lujao1ZXoAN35d9vAsevzStDreQ==",
"signatures": [
{
"sig": "MEYCIQDXpotyvZmuMzXobmJiotkmf/yvk+2IcPLdleVWTjZHlAIhAJA1Lh0fuNvB6nRSi5GzocTWyNej/F346E7HhuUGefSD",
"keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"
}
],
"unpackedSize": 2747220
},
"engines": {
"node": ">=18.12.0"
},
"_npmUser": {
"name": "yarnbot",
"email": "[email protected]"
},
"repository": {
"url": "ssh://[email protected]/yarnpkg/berry.git",
"type": "git",
"directory": "packages/yarnpkg-cli"
},
"directories": {},
"_hasShrinkwrap": false,
"_npmOperationalInternal": {
"tmp": "tmp/cli-dist_4.3.1_1718952731591_0.6413408756169847",
"host": "s3://npm-registry-packages"
}
}
https://nexus.megacorp.com/repository/npmjs-proxy/%40yarnpkg/cli-dist/4.3.1
{
"_id": "@yarnpkg/[email protected]",
"maintainers": [
{
"name": "daniel15",
"email": "[email protected]"
},
{
"name": "bestander",
"email": "[email protected]"
},
{
"name": "cpojer",
"email": "[email protected]"
},
{
"name": "arcanis",
"email": "[email protected]"
},
{
"name": "yarnbot",
"email": "[email protected]"
}
],
"license": "BSD-2-Clause",
"dist-tags": {
"v3": "3.8.3",
"latest": "4.3.1"
},
"versions": {
huge list of versions
},
"_rev": "66-3a3158dea3a016d10f8c72876b5d7be4",
"name": "@yarnpkg/cli-dist",
"time": {
"created": "2021-04-09T11:18:13.039Z",
"modified": "2024-07-25T12:13:04.535Z",
"2.4.1": "2021-04-09T11:18:13.374Z",
"3.0.0-rc.1": "2021-04-12T08:37:17.751Z",
"3.0.0-rc.2": "2021-04-12T14:54:14.320Z",
"3.0.0-rc.3": "2021-06-03T14:55:53.984Z",
"3.0.0-rc.4": "2021-06-03T15:35:43.365Z",
"2.4.2": "2021-06-03T16:01:55.314Z",
"3.0.0": "2021-07-26T16:10:51.916Z",
"3.0.1": "2021-08-22T21:01:32.655Z",
"3.0.2": "2021-09-03T12:25:05.172Z",
"3.1.0": "2021-10-25T14:57:38.351Z",
"3.1.1": "2021-11-26T13:36:24.297Z",
"3.2.0": "2022-02-21T13:04:45.372Z",
"3.2.1": "2022-05-13T10:35:13.285Z",
"3.2.2": "2022-07-21T12:52:26.715Z",
"3.2.3": "2022-08-24T18:35:28.355Z",
"3.2.4": "2022-10-05T16:44:57.592Z",
"3.3.0": "2022-11-16T09:06:30.157Z",
"3.3.1": "2022-12-20T16:05:09.449Z",
"4.0.0-rc.35": "2023-01-09T01:13:52.390Z",
"4.0.0-rc.36": "2023-01-18T16:59:29.806Z",
"4.0.0-rc.37": "2023-01-29T12:51:45.270Z",
"3.4.0": "2023-02-01T09:28:36.780Z",
"3.4.1": "2023-02-01T16:15:20.181Z",
"4.0.0-rc.38": "2023-02-04T13:11:54.127Z",
"4.0.0-rc.39": "2023-02-08T07:53:10.481Z",
"4.0.0-rc.40": "2023-03-05T16:51:01.498Z",
"3.5.0": "2023-03-16T21:30:03.314Z",
"4.0.0-rc.41": "2023-03-27T11:28:58.453Z",
"4.0.0-rc.42": "2023-03-30T07:49:51.073Z",
"3.5.1": "2023-05-01T18:58:44.561Z",
"4.0.0-rc.43": "2023-05-01T20:13:10.935Z",
"4.0.0-rc.44": "2023-05-17T14:51:46.551Z",
"3.6.0": "2023-06-01T21:15:42.274Z",
"4.0.0-rc.45": "2023-06-01T21:56:27.007Z",
"3.6.0-git.20230603.hash-45f6ecc9": "2023-06-03T17:11:27.541Z",
"3.6.0-git.20230603.hash-9645df4d": "2023-06-03T17:32:48.119Z",
"3.6.0-git.20230603.hash-3c8237cb": "2023-06-03T17:38:39.424Z",
"4.0.0-rc.46": "2023-06-22T08:20:11.007Z",
"4.0.0-rc.47": "2023-06-29T09:12:39.333Z",
"3.6.1": "2023-06-30T22:12:43.702Z",
"4.0.0-rc.48": "2023-07-02T15:01:11.596Z",
"4.0.0-rc.49": "2023-08-17T09:34:15.045Z",
"3.6.2": "2023-08-17T19:10:10.089Z",
"3.6.3": "2023-08-23T22:14:03.188Z",
"4.0.0-rc.50": "2023-08-23T22:46:04.799Z",
"4.0.0-rc.51": "2023-09-17T14:22:43.249Z",
"4.0.0-rc.52": "2023-09-29T22:02:14.739Z",
"3.6.4": "2023-10-03T22:19:02.653Z",
"4.0.0-rc.53": "2023-10-03T23:34:15.182Z",
"4.0.0": "2023-10-22T16:56:59.265Z",
"4.0.1": "2023-10-28T15:26:56.339Z",
"4.0.2": "2023-11-14T09:22:36.270Z",
"3.7.0": "2023-11-14T18:04:35.535Z",
"4.1.0": "2024-01-30T15:49:15.231Z",
"3.8.0": "2024-02-01T20:19:11.188Z",
"3.8.1": "2024-03-04T22:24:18.570Z",
"4.1.1": "2024-03-04T23:11:57.106Z",
"4.2.0": "2024-05-02T16:22:33.560Z",
"3.8.2": "2024-05-02T17:04:36.111Z",
"4.2.1": "2024-05-02T17:51:55.024Z",
"4.2.2": "2024-05-08T17:50:42.768Z",
"4.3.0": "2024-06-10T18:52:21.867Z",
"4.3.1": "2024-06-21T06:52:11.814Z",
"3.8.3": "2024-06-21T15:32:33.189Z"
},
"readme": "",
"readmeFilename": "",
"repository": {
"url": "ssh://[email protected]/yarnpkg/berry.git",
"type": "git",
"directory": "packages/yarnpkg-cli"
}
}
I've opened a support ticket at Sonatype in the hopes that they change the version-specific metadata to include a singlar version instead of a versions object containing all versions.
Yes, this is known issue, it is fixed in the upcoming 3.71.0 release, which is currently targeted to come out on August 6th.
Direct quote from Sonatype.
Yes, this is known issue, it is fixed in the upcoming 3.71.0 release, which is currently targeted to come out on August 6th.
Direct quote from Sonatype.
3.71.0 was released last week. Can anyone who has already upgraded confirm that the release fixed this issue for them?
A quick test shows that unfortunately, the issue persists. I cannot see any difference between Nexus 3.70.1 and 3.71.0. There is also no mention of the issue in the 3.71.0 release notes
I'll reopen the Sonatype support ticket.
I guess we're stuck on [email protected] for at least another couple weeks.
Update: reply from Sonatype:
I do apologize, but there appears to have been some slippage in the release schedule for this fix. It is actually marked as being released with the 3.72.0 version.
Thanks @PayBas for the update.
I'm having the mismatch hash issue (which is solved in issue 296) with [email protected], so I have to update to [email protected], and now I'm stuck with this issue.
Any suggestion to work around?
Thanks @PayBas for the update. I'm having the mismatch hash issue (which is solved in issue 296) with
[email protected], so I have to update to[email protected], and now I'm stuck with this issue. Any suggestion to work around?
As long as your CI server and all your developers use the exact same COREPACK_NPM_REGISTRY value, then the "packageManager": "yarn@..." hash should be stable.
Just replace the hash in your package.json with the one in your error message. That's how we fixed it.
Just replace the hash in your package.json with the one in your error message. That's how we fixed it.
Awesome. This works for me with [email protected]. Thank you so much!
This error regrading Sonatype Nexus reminds me of a similar issue when trying to download a package manager using Corepack, starting with Yarn:
Internal Error: Server answered with HTTP 404 when performing the request to
https://****/repository/proxy_npm_official/@yarnpkg/cli-dist/4.3.1; for troubleshooting help, see https://github.com/nodejs/corepack#troubleshooting
at fetch (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:21616:11)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async fetchAsJson (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:21623:20)
at async fetchTarballURLAndSignature (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:21571:27)
at async installVersion (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:21833:52)
at async Engine.ensurePackageManager (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:22310:32)
at async InstallGlobalCommand.installFromDescriptor (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:22707:5)
at async Promise.all (index 0)
at async InstallGlobalCommand.execute (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:22685:5)
at async InstallGlobalCommand.validateAndExecute (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:19835:22)
The issue appears as soon as we switch to Corepack 0.24.0 or later. I guess it's all related to this decision.
That's pretty strange because we don't have any install/download issues at all for packages coming from Nexus V3.66 using npm, pnpm or yarn. So Corepack does something special which leads to a 404 error instead.
Of course, you could remove the COREPACK_NPM_REGISTRY env variable so it fetches the tool from the original yarn source like before 0.24.0. But that way other package managers like pnpm can't be installed because without COREPACK_NPM_REGISTRY the original npm registry is requested, which is not available for us.
So COREPACK_NPM_REGISTRY has to be enabled or disabled depending on which package manager you are going to install? That's kind of ridiculous, isn't it? I guess that's why Corepack is still described as experimental in the NodeJS docs.
So switching back to 0.23.0 is the best and easiest solution for us so far.
3.72.0 release notes mention:
NEXUS-43608 : Requests for version-specific scoped npm metadata return the expected metadata.
This should be the fix. Haven't had the opportunity to test it yet though.
3.72.0 includes a partial fix it seems - the version-specific metadata is there...but the .dist.tarball property still points at the upstream feed URL instead of pointing back into the Nexus Repository server 🤦
3.72.0 includes a partial fix it seems - the version-specific metadata is there...but the
.dist.tarballproperty still points at the upstream feed URL instead of pointing back into the Nexus Repository server 🤦
Sigh. I'll open another ticket...
Update: Sonatype has acknowledged the issue and are tracking it under internal ticket NEXUS-44175. Whether this will result in a 3.72.1 or if we have to wait for 3.73.0 remains to be seen. It probably depends on whether the issue breaks current deployments.
Work on NEXUS-44175 has been completed. It didn't make the cut for 3.73.0, so it will be in the 3.74.0 release. That release is currently targeted to come out in the first week of November.
Guess we'll have to wait quite a while longer. 😞
https://help.sonatype.com/en/sonatype-nexus-repository-3-74-0-release-notes.html contains:
NEXUS-44175 - Requests for version-specific npm package metadata returns the correct download URL.
Haven't had time to test it yet, but with any luck this might finally solve this issues.
Update: tested 3.74.0, but there's still an issue with the tarball metadata value, so that will probably still prevent it from working (although I haven't actually tested it with corepack yet).
Created yet another support ticket.
the URL is still not correct (the @4.1.0 does not belong in the URL). I have entered defect NEXUS-45088 to have this addressed.
Update: tested 3.74.0, but there's still an issue with the
tarballmetadata value, so that will probably still prevent it from working (although I haven't actually tested it with corepack yet).
I have tested it with corepack; it doesn't work. My support ticket has also been linked to NEXUS-45088.
Apparently this issue isn't expected to be fixed until the February release at the earliest.
Pinning corepack to 0.26.0 with sonatype nexus 3.76.0-03 works in my case - maybe that helps someone 😄
https://help.sonatype.com/en/sonatype-nexus-repository-3-77-0-release-notes.html contains:
NEXUS-45088 - Requests for version-specific npm package metadata returns the correct download URL.
Initial tests seem to confirm the issue has been fixed.
It looks like the fix from sonatype works for packages with prefixes in their name e.g. @yarnpkg/cli-dist but it's still wrong for no-prefix packages e.g. pnpm.
@jackmtpt definitely worth reporting that to them. FYI npm uses the term "scoped packages" for "packages with prefixes in their names", and "unscoped packages" for "no-prefix packages" (reference: https://docs.npmjs.com/about-scopes)
Oh I already raised it on my support ticket, I just wanted to post here too in case anyone else is running into this and was wondering if sonatype's fix was in fact not a fix.