
[BUG] npm v7 handles resolved urls in shrinkwrap files differently than v6.

Open everett1992 opened this issue 4 years ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current Behavior

Some packages in the npm registry use an npm-shrinkwrap with resolved urls to other registries. For example [email protected]

$ curl -sS "$(npm info [email protected] dist.tarball)" | tar xzO package/npm-shrinkwrap.json | rg resolved | head -n 1
      "resolved": "https://registry.yarnpkg.com/@jsii/check-node/-/check-node-1.33.0.tgz#55d75cbef1c84e2012c67ab8d6de63f773be4a9b",

With npm v6 the resolved url appears to be ignored and npm uses the configured registry instead. With v7 npm makes requests to registry.yarnpkg.com. We run a private registry and network-isolate our builds, so requests to yarnpkg are failing.

Expected Behavior

I can understand how this is a feature, but I'm not sure it was intended. In general I think the behavior of resolved urls in lock and shrinkwraps needs to be better documented and configurable.

I'll take a pass at documentation based on this discussion

Steps To Reproduce

With npm v6 I notice that their resolved url is ignored and packages are fetched from the configured registry.

$ npm -v
6.14.13
# Without package-lock
$ rm node_modules ~/.npm/_cacache -rf
$ npm install [email protected] --verbose |& rg 'yarnpkg'
# No match

But with v7 the shrinkwrap resolved url is respected.

$ npm -v
7.21.0
$ rm node_modules ~/.npm/_cacache -rf
$ npm install [email protected] --verbose |& rg 'yarnpkg'
npm http fetch GET 200 https://registry.yarnpkg.com/y18n/-/y18n-5.0.8.tgz#7f4934d0f7ca8c56f95314939ddcd2dd91ce1d55 762ms (cache miss)
...

Environment

  • OS: Ubuntu
  • Node: 16.8.0
  • npm: 7.21.0

everett1992 avatar Sep 22 '21 17:09 everett1992

I am also seeing that this option changed between v6 and v7. Is there any way in v7, for example through a config setting, to override the resolved urls to instead use a different registry?

johndiiorio avatar Sep 23 '21 19:09 johndiiorio

I've written an RFC and pull request implementing an option to ignore resolved values in lockfiles that would fix this bug.

https://github.com/npm/rfcs/pull/486
https://github.com/npm/cli/pull/4264

everett1992 avatar Mar 03 '22 18:03 everett1992