Support allowInsecureProtocol

[markslater]

Setting distBaseUrl to an HTTP URL (for me, using Artifactory over HTTP as a proxy is a corporate requirement) causes a warning using Gradle 6.8.3 and gradle-node-plugin 3.0.1:

Using insecure protocols with repositories, without explicit opt-in, has been deprecated. This is scheduled to be removed in Gradle 7.0. Switch Ivy repository [etc]

Sure enough, upgrading to Gradle 7.0 causes my build to fail.

This can be rectified by exposing allowInsecureProtocol on the Ivy repository.

I'd be happy to submit a PR.

[bsautel]

Thanks for reporting this issue!

As a workaround, I suggest to set distBaseUrl to null and declare yourself the ivy repository in which you can set allowInsecureProtocol to true. Here is how to declare a Node.js ivy repository. The dependencyResolutionManagement is not mandatory, I am only talking about the ivy part that can be added to the build.gradle file.

How would you want to fix this issue? Always adding alwaysInsecureProtocol to true is simple but not very satisfying since that would block this security improvement on Gradle's side. We should probably add a flag to NodeExtension to force allowing insecure protocol?

[markslater]

Thanks for the pointer to the workaround. I can confirm that fixes the issue.

I'm happy enough to live with the workaround, but I have created PR #164 with a change to add a flag to NodeExtension that is passed through to the IvyRepository that is created, if you're interested in having this feature. Let me know what you think.

[humbinal]

When will this feature be released?

[deepy]

Coming in 3.2