tarball url must follow package.json #53

Open
GongT opened this issue Nov 29, 2016 · 6 comments
GongT commented Nov 29, 2016

The router path of the tarball is '/:scope?/:name/-/:scope2?/:filename/:sha'

But there is no documentation about this.

In fact, some npm CDNs do not use this URI (they modified the package file).

Example: http://registry.npm.taobao.org/

jdx (Owner) commented Nov 29, 2016

I'm not following. What's the problem?

GongT (Author) commented Nov 30, 2016

The tarballs router:

```js
r.get('/:scope?/:name/-/:scope2?/:filename/:sha', function * () {
```

This assumes the npm CLI will try to download the tarball from a URL that looks like: /@types/node/-/@types/node-x.y.z/xxxxxxxxxx.tgz

But in fact, npm will download the tarball from wherever package.versions['x.y.z'].dist.tarball points.

There is no documented rule about package.versions['x.y.z'].dist.tarball, and some unofficial npm CDNs modify the package JSON.

E.g.: http://registry.npm.taobao.org/@types%2Fnode

```json
{
  "versions": {
    "0.0.1": {
      "dist": {
        "shasum": "d90a4d3bf1fe8f961edf0f76f34a7a6df79580be",
        "size": 28040,
        "noattachment": false,
        "tarball": "http://registry.npm.taobao.org/@types/node/download/@types/node-0.0.1.tgz"
      }
    }
  }
}
```

The packages router (rewriteTarballURLs) will rewrite this URL to http://127.0.0.1:45678/@types/node/download/@types/node-0.0.1.tgz

Then npm will fail to download http://127.0.0.1:45678/@types/node/download/@types/node-0.0.1.tgz with a 404.

dgautsch added the bug label Oct 14, 2017

dgautsch (Collaborator) commented

@GongT is this still an issue for you?

GongT (Author) commented Sep 1, 2018

I'm using sinopia now...
But it looks like lib/routes/tarballs.js is still using the wrong path.

dgautsch (Collaborator) commented Sep 1, 2018

Ok thanks. I think I understand this now, but could you clarify a little more? I believe this is only an issue if the package doesn't exist in npm-register and it gets passed through to npm with the wrong URL. What are the other use cases? Thanks!

GongT (Author) commented Sep 1, 2018

First, sorry for my English.

npm -A-> npm-register -B-> upstream(npm.org)

The issue happens at A.

You can compare the same debug package on two different registries:
china mirror: https://registry.npm.taobao.org/debug
original npm: https://registry.npmjs.org/debug

Look at the tarball:
china mirror: "http://registry.npm.taobao.org/debug/download/debug-3.1.0.tgz"
original npm: "https://registry.npmjs.org/debug/-/debug-0.1.0.tgz"

npm-register's router is waiting for npm to request /debug/-/debug-0.1.0.tgz.
But if the upstream is set to https://registry.npm.taobao.org/, the npm client will make a request to "http://npm-register/debug/download/debug-3.1.0.tgz", and then the npm client gets a 404 error.
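
One way a proxy registry can avoid depending on the upstream's tarball path layout, as an added example that is not npm-register's code and not part of the thread above. The function names, `LOCAL_BASE` (taken from the 127.0.0.1:45678 address in the issue) and the `/<name>/-/<file>` local layout are assumptions; the sample metadata is constructed from the snippet quoted in the issue.

```javascript
// Added example, not npm-register's code. LOCAL_BASE and the '/<name>/-/<file>'
// local layout are assumptions made for this illustration.
const LOCAL_BASE = 'http://127.0.0.1:45678';

// Constructed sample, shaped like the mirror metadata quoted in the issue.
const samplePackument = {
  name: '@types/node',
  versions: {
    '0.0.1': {
      dist: {
        shasum: 'd90a4d3bf1fe8f961edf0f76f34a7a6df79580be',
        tarball: 'http://registry.npm.taobao.org/@types/node/download/@types/node-0.0.1.tgz'
      }
    }
  }
};

// Point every dist.tarball at the proxy and record the real upstream location,
// so the proxy never has to guess the upstream's path layout.
function rewriteAndIndexTarballs(packument, upstreamHost, localBase = LOCAL_BASE) {
  const out = JSON.parse(JSON.stringify(packument)); // leave the input untouched
  const index = new Map(); // local path -> { url, shasum }
  for (const meta of Object.values(out.versions || {})) {
    const original = new URL(meta.dist.tarball);
    // Metadata is upstream-controlled: only proxy tarballs on the configured
    // upstream host, and leave any other URL as it was.
    if (original.hostname !== upstreamHost) continue;
    const file = original.pathname.split('/').pop();
    const localPath = `/${out.name}/-/${file}`;
    index.set(localPath, { url: original.href, shasum: meta.dist.shasum });
    meta.dist.tarball = localBase + localPath;
  }
  return { packument: out, index };
}

// Look up an incoming tarball request. Unknown paths yield null (a 404) rather
// than being forwarded upstream by swapping the host.
function resolveTarball(index, requestPath) {
  return index.get(requestPath) || null;
}
```

The recorded `shasum` lets the proxy check the fetched tarball against the metadata before serving or caching it.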
