cli icon indicating copy to clipboard operation
cli copied to clipboard

Published 20 hours ago verified publisher icon npm

[BUG] port, username and password are lost from npm registry url during "reify" stage

Open simllll opened this issue 3 years ago • 8 comments
trafficstars

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

I've set up a custom npm registry with verdaccio. This registry is besides some firewall rules, only accessable with a http basic auth. Therefore my repository urls look like: http://user:pwd@somehost:someport/

If I run npm install now, it downloads all packages, and when it reaches the reify stage, it tries to load some metadata again I guess, but now it tries to donwload it from http://somehost/ <-- username, password and port are lost in the url? It's not a debug messgae fail, I also checked the network traffic.

It gets stuck on this kind of log messages: => => # npm sill tarball no local data for depd@http://somehost/depd/-/depd-1.1.2.tgz. Extracting by manifest.
=> => # npm sill tarball no local data for @sentry/types@http://somehost/@sentry%2ftypes/-/types-6.17.4.tgz. Extracting by manifest.
=> => # npm sill tarball no local data for @sentry/utils@http://somehost/@sentry%2futils/-/utils-6.17.4.tgz. Extracting by manifest.
=> => # npm sill tarball no local data for @sentry/types@http://somehost/@sentry%2ftypes/-/types-6.17.4.tgz. Extracting by manifest.
=> => # npm sill tarball no local data for @sentry/utils@http://somehost/@sentry%2futils/-/utils-6.17.4.tgz. Extracting by manifest.
=> => # npm sill tarball no local data for debug@http://somehost/debug/-/debug-2.6.9.tgz. Extracting by manifest.

Expected Behavior

It should always use the correct version of the npm registry url, and should not "modify" it.

Steps To Reproduce

  1. set up a verdaccio server on a custom port and protect it with uername and password, I guess it would be enough to host it on a custom port already, as the port is also dropped from the url (but haven't tested it)
  2. run npm install
  3. see it fails after download of packages completed, when the "reify" stage starts

Environment

  • npm: 8.5.1 (tried also 8.4.0 and 8.5.0 )
  • Node.js: v16.11.0
  • OS Name: linux

simllll avatar Feb 19 '22 13:02 simllll

maybe related https://github.com/npm/cli/issues/3284

simllll avatar Feb 21 '22 20:02 simllll

Can you use npm adduser with your registry and then edit your .npmrc to include always-auth=true? Please re-open if this you're still having this issue.

fritzy avatar Feb 24 '22 20:02 fritzy

Hi @fritzy , thanks for coming back to me. It's not about the registry authentication, it's about the http authentication (Basic auth), and also about the network port. The issue is on the "http layer". The endpoint url is missing the port, username and password from the original url.

simllll avatar Feb 24 '22 21:02 simllll

@fritzy please reopen this one!

simllll avatar Feb 25 '22 15:02 simllll

@simllll can you fetch the json representing one of the packages (i.e. http://somehost/@sentry%2ftypes) and post it here? if it's not feasible to post the result in its entirety, the things i'm interested in are the _resolved and dist properties of version 6.17.4

do you have a package-lock.json already? if so, do the resolved values in your package-lock.json look correct?

nlf avatar Mar 07 '22 21:03 nlf

Possibly related: npm repo also drops port number from the repository URL set up in package.json.

npm version 10.5.0.

balagge avatar Mar 28 '24 13:03 balagge

This is still happening on npm install 10.7.0 and 10.8.2

swnia avatar Sep 13 '24 07:09 swnia