Node.js 18.17.1 LTS Windows installer fails from chocolatey.org rate limit IP ban on sufficiently fast PC
Details
I attempted to install Node.js LTS on my home PC today using the Windows installer. At the point where the installation installs Chocolatey and required packages, I ran into an issue where two of the packages failed due to error 429 (Too Many Requests), and upon checking chocolatey.org I was 1 hour IP banned by their Cloudflare rate limiting.
[NuGet] Error downloading 'visualstudio2019buildtools.16.11.28 : chocolatey-visualstudio.extension [1.11.0, ), dotnetfx [4.7.2, ), KB2919355 [1.0.20160915, ), KB2999226 [1.0.20161201, ), visualstudio-installer [2.0.2, )' from 'https://community.chocolatey.org/api/v2/package/visualstudio2019buildtools/16.11.28.0'.
[NuGet] Response status code does not indicate success: 429 (Too Many Requests).
[NuGet] Error downloading 'visualstudio2019-workload-vctools.1.0.1 : chocolatey-visualstudio.extension [1.9.0, ), vcredist140 [14.16.27027.1, ), visualstudio-installer [2.0.1, ), visualstudio2019buildtools [16.0.0, )' from 'https://community.chocolatey.org/api/v2/package/visualstudio2019-workload-vctools/1.0.1'.
[NuGet] Response status code does not indicate success: 429 (Too Many Requests).
I contacted Chocolatey's support team, who were confused by this and seemed to think I was an organization excessively sending requests, which is not the case; I am a single home user trying to install Node.js. They explained their rate limits for chocolatey.org as follows:
- Package downloads/installations are rate limited at about 20 per minute per IP address;
- Installing Chocolatey itself (and extensions) are rate limited at 5 per minute per IP address;
I then checked my chocolatey.log file and found that its execution ran from 2023-08-24 11:49:07,834 to 2023-08-24 11:50:07,447 which is indeed under 1 minute.
During this time, the Node.js 18.17.1 LTS Windows installer had installed Chocolatey itself, as well as many packages.
Chocolatey upgraded 17/19 packages. 2 packages failed. See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
2023-08-24 11:50:07,426 20724 [INFO ] -
2023-08-24 11:50:07,427 20724 [WARN ] - Upgraded:
2023-08-24 11:50:07,428 20724 [INFO ] - - chocolatey-compatibility.extension v1.0.0
2023-08-24 11:50:07,428 20724 [INFO ] - - chocolatey-core.extension v1.4.0
2023-08-24 11:50:07,429 20724 [INFO ] - - chocolatey-dotnetfx.extension v1.0.1
2023-08-24 11:50:07,430 20724 [INFO ] - - chocolatey-visualstudio.extension v1.11.0
2023-08-24 11:50:07,430 20724 [INFO ] - - chocolatey-windowsupdate.extension v1.0.5
2023-08-24 11:50:07,431 20724 [INFO ] - - dotnetfx v4.8.0.20220524
2023-08-24 11:50:07,431 20724 [INFO ] - - KB2919355 v1.0.20160915
2023-08-24 11:50:07,432 20724 [INFO ] - - KB2919442 v1.0.20160915
2023-08-24 11:50:07,433 20724 [INFO ] - - KB2999226 v1.0.20181019
2023-08-24 11:50:07,433 20724 [INFO ] - - KB3033929 v1.0.5
2023-08-24 11:50:07,434 20724 [INFO ] - - KB3035131 v1.0.3
2023-08-24 11:50:07,435 20724 [INFO ] - - python v3.11.4
2023-08-24 11:50:07,435 20724 [INFO ] - - python3 v3.11.4
2023-08-24 11:50:07,437 20724 [INFO ] - - python311 v3.11.4
2023-08-24 11:50:07,438 20724 [INFO ] - - vcredist140 v14.36.32532
2023-08-24 11:50:07,438 20724 [INFO ] - - vcredist2015 v14.0.24215.20170201
2023-08-24 11:50:07,439 20724 [INFO ] - - visualstudio-installer v2.0.3
2023-08-24 11:50:07,439 20724 [INFO ] -
2023-08-24 11:50:07,440 20724 [WARN ] - Packages requiring reboot:
2023-08-24 11:50:07,441 20724 [WARN ] - - vcredist140 (exit code 3010)
2023-08-24 11:50:07,442 20724 [WARN ] - The recent package changes indicate a reboot is necessary. Please reboot at your earliest convenience.
2023-08-24 11:50:07,442 20724 [INFO ] -
2023-08-24 11:50:07,443 20724 [ERROR] - Failures
2023-08-24 11:50:07,444 20724 [ERROR] - - visualstudio2019buildtools (exited 1) - visualstudio2019buildtools not installed. An error occurred during installation: Error downloading 'visualstudio2019buildtools.16.11.28 : chocolatey-visualstudio.extension [1.11.0, ), dotnetfx [4.7.2, ), KB2919355 [1.0.20160915, ), KB2999226 [1.0.20161201, ), visualstudio-installer [2.0.2, )' from 'https://community.chocolatey.org/api/v2/package/visualstudio2019buildtools/16.11.28.0'.
2023-08-24 11:50:07,444 20724 [ERROR] - - visualstudio2019-workload-vctools (exited 1) - visualstudio2019-workload-vctools not installed. An error occurred during installation: Error downloading 'visualstudio2019-workload-vctools.1.0.1 : chocolatey-visualstudio.extension [1.9.0, ), vcredist140 [14.16.27027.1, ), visualstudio-installer [2.0.1, ), visualstudio2019buildtools [16.0.0, )' from 'https://community.chocolatey.org/api/v2/package/visualstudio2019-workload-vctools/1.0.1'.
2023-08-24 11:50:07,446 20724 [DEBUG] - Sending message 'PostRunMessage' out if there are subscribers...
2023-08-24 11:50:07,447 20724 [DEBUG] - Exiting with 3010
It seems that on a sufficiently fast internet connection and PC, the Windows installer for Node.js 18.17.1 LTS itself will run into chocolatey.org's rate limiting, resulting in an IP ban and an inability to complete installation.
In the end I had to resort to connecting to a VPN to get a different IP, and re-ran the installer to get the remaining two packages, bypassing my chocolatey.org IP ban.
The Node.js installer could probably use some waits in the install script to prevent getting rate limited, otherwise this might become a more prevalent issue going forward as PC hardware continues to get faster.
Node.js version
18.17.1 LTS
Example code
No response
Operating system
Microsoft Windows [Version 10.0.19045.3208]
Scope
Installation
Module and version
Not applicable.
cc @nodejs/package-maintenance PTAL
I've received new information from the Chocolatey support team:
Apparently package installs were being double-counted by chocolatey.org's rate limiting, resulting in hitting the rate limit with fewer requests than usual, and receiving a 1 hour IP ban. Nonetheless, 19 packages requested by the Node.js installer is very close to their limit of 20/minute before a 1 hour IP ban. This should probably be considered for an opportunity to limit requests/minute made to chocolatey.org by the Node.js installer, otherwise adding new packages in the future could lead to exceeding their 20/minute limit if a user's PC gets through the installer in under a minute, triggering a 1 hour IP ban, and failing the install.
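Added example (not part of the thread and not the Node.js installer's code): a sliding-window pacer that spaces requests so that no 60-second window exceeds the two limits quoted above, with a `weight` parameter to model the double counting. Assumptions: each package is one request, Chocolatey itself and `.extension` packages count against both limits, and the package order and 3-second spacing are constructed; all function names are hypothetical.

```python
from collections import deque

WINDOW_MS = 60_000
PACKAGE_LIMIT = 20    # package downloads per minute per IP (quoted in the issue)
BOOTSTRAP_LIMIT = 5   # Chocolatey itself and extensions per minute per IP

# Package names are from the log in the issue; the order is constructed.
RUN = """chocolatey chocolatey-compatibility.extension chocolatey-core.extension
chocolatey-dotnetfx.extension chocolatey-visualstudio.extension
chocolatey-windowsupdate.extension dotnetfx KB2919355 KB2919442 KB2999226
KB3033929 KB3035131 python python3 python311 vcredist140 vcredist2015
visualstudio-installer visualstudio2019buildtools
visualstudio2019-workload-vctools""".split()

class Budget:
    """Sliding window: at most limit // weight requests in any 60 seconds."""
    def __init__(self, limit, weight):
        self.capacity = max(1, limit // weight)
        self.sent = deque()

    def earliest(self, now):
        while self.sent and self.sent[0] <= now - WINDOW_MS:
            self.sent.popleft()           # aged out of the window
        if len(self.sent) < self.capacity:
            return now
        return self.sent[0] + WINDOW_MS   # wait until the oldest request ages out

def is_bootstrap(name):
    # Assumption: these count against the stricter 5/minute limit as well.
    return name == "chocolatey" or name.endswith(".extension")

def schedule(names, step_ms, weight=1):
    """Return [(start_ms, name)]; step_ms is the time one install takes."""
    pkg, boot = Budget(PACKAGE_LIMIT, weight), Budget(BOOTSTRAP_LIMIT, weight)
    now, plan = 0, []
    for name in names:
        budgets = [pkg, boot] if is_bootstrap(name) else [pkg]
        start = max(b.earliest(now) for b in budgets)
        for b in budgets:
            b.sent.append(start)
        plan.append((start, name))
        now = start + step_ms
    return plan

def peak(plan, only_bootstrap=False):
    """Largest number of requests that fall inside any 60-second window."""
    times = [t for t, n in plan if not only_bootstrap or is_bootstrap(n)]
    return max(sum(1 for u in times if t - WINDOW_MS < u <= t) for t in times)
```

Calling `schedule(RUN, 3000, weight=2)` halves both budgets, which is the headroom needed if the server counts each install twice.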
You can see the exact command optionally run by the installer in https://github.com/nodejs/node/blob/v18.17.1/tools/msvs/install_tools/install_tools.bat#L55
This requests two packages
choco upgrade -y python visualstudio2019-workload-vctools
All of the other packages being installed must be dependencies of those packages in chocolatey.
20/minute is vanishingly small ftr; in the node ecosystem you'd hit that in a second or two - and having an hour ban is highly punitive for going slightly over a limit.
We can fix this issue with: https://github.com/nodejs/node/issues/51905
It seems there has been no activity on this issue for a while, and it is being closed in 30 days. If you believe this issue should remain open, please leave a comment. If you need further assistance or have questions, you can also search for similar issues on Stack Overflow. Make sure to look at the README file for the most updated links.
Closed, as this is not actionable from the repo. Please refer to the issue linked by @cinderblock