fix: use registry.npmjs.com to fix shinkwrap resolves (#16607)

npm treats registry.npmjs.org as a special value that means 'the current configured package' in package-lock and npm-shrinkwrap. npm will request aws-cdk's dependencies from yarnpkg instead of from the installers configured registry because aws-cdk's shrinkwrap uses yarnpkg. This behavior seems new to [npm v7]. It causes issues for us because we run our builds with a isolated network and a private registry. [npm v7]: npm/cli#3783 This commit changes the registry from yarnpkg to npmjs. I updated yarn.lock with sed. ``` sed 's|https://registry.yarnpkg.com|https://registry.npmjs.org|' yarn.lock -i ``` Alternatively we could modify the yarn-cling tool to replace the registry. [registry.yarnpkg.com is a cname for registry.npmjs.org](https://yarnpkg.com/getting-started/qa#why-registryyarnpkgcom-does-facebook-track-us) so changing to registry.npmjs.org shouldn't affect available packages or performance. ``` dig registry.yarnpkg.com | rg CNAME registry.yarnpkg.com. 300 IN CNAME yarn.npmjs.org ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Oct 13, 2021 · 8f91531 · 8f91531
1 parent 831638e
commit 8f91531
Show file tree

Hide file tree

Showing 2 changed files with 1,319 additions and 1,311 deletions.
diff --git a/.yarnrc b/.yarnrc
@@ -1 +1,9 @@
 --install.check-files     true      # install will verify file tree of packages for consistency
+
+# Use the npm registry instead of yarns mirror.
+# npm treats registry.npmjs.org as a special value that means 'the current
+# configured package' in package-lock and npm-shrinkwrap.  if we use
+# registry.yarnpkg.com in our shrinkwrap then users with a custom registry will
+# be forced to registry.yarnpkg.com.
+# https://github.com/npm/cli/issues/3783
+registry "https://registry.npmjs.org"