Gradle 4 fails when ivy.xml receives 403

[tommytusj]

We're stuck with the old 2.2.4 plugin for a while and since monday the plugin has been unable to download any node distro from nodejs.org with the error:

> Could not resolve all files for configuration ':frontend:detachedConfiguration1'.                                    
   > Could not resolve org.nodejs:node:8.17.0.                                                                         
     Required by:                                                                                                      
         project :frontend                                                                                             
      > Could not resolve org.nodejs:node:8.17.0.                                                                      
         > Could not get resource 'https://nodejs.org/dist/v8.17.0/ivy.xml'.                                           
            > Could not GET 'https://nodejs.org/dist/v8.17.0/ivy.xml'. Received status code 403 from server: Forbidden

Did nodejs.org change something that somehow makes the old version of the plugin fail?

Coincidentally we also had isses with 3.5.1 on our newer applications on monday but on tuesday that worked fine again

Could not determine the dependencies of task':nodeSetup'.
> Failed to query the value of task ':nodeSetup' property 'nodeArchiveFile.
   > Could not resolve all files for configuration ':detachedConfiguration1.
      > Could not resolve org.nodejs:node:18.12.0.
        Required by:
            project :
         > Could not resolve org.nodejs:node:18.12.0.
            > Could not get resource 'https://nodejs.org/dist/v18.12.0/node-v18.12.0-linux-x64.tar.gz'.
               > Could not HEAD 'https://nodejs.org/dist/v18.12.0/node-v18.12.0-linux-x64.tar.gz'. Received status code 500 from server: Internal Server Error

I tried using requestbin as the distrBaseUrl to see what the plugin actually requests:

HEAD /v8.17.0/ivy.xml
GET/v8.17.0/ivy.xml.sha1

[UltraL0rd]

It seems that nodejs has changed the way their server responds : https://github.com/nodejs/nodejs.org/issues/5149

They are saying the problem sits with the older node-gradle versions. The plugin needs to be updated to handle 403 errors

[deepy]

I think 2.2.4 should work and most important of all it shouldn't be making requests for ivy.xml That said, having looked at the code, unless you're using Gradle 5 or newer it unfortunately has ivy.xml declared

That's a bug, that's bad, and getting an updated 2.x version is going to be awkward as a lot of things need to be updated.

As for 403 and 500 errors, the correct way to handle those as a consumer is by: failing the build because those are errors from the remote end, in the case of 500 that's an internal server error and something going wrong on their end (intermittent perhaps?) But in the case of 403, that's them (correctly) saying you don't have access to this file and that's a file we never should've requested from them. They did have some brief issues with Cloudflare on their end while reconfiguring the rules, so maybe the intermittent failures were from that?

But the short summary, this works fine on 1.5.3 and all newer versions, if you use Gradle 5 or newer

[UltraL0rd]

@deepy so in short anyone (including me) who has some older tech running gradle lower than 5 is totally and absolutely screwed. Well my weekend is going to be fun

[deepy]

@UltraL0rd Gradle 5.6.4 (the last Gradle 5 release) is almost 4 years old at this point, but yes, the almost 3 year old version of this plugin contains a bug and the upstream mirror of node.js has decided that they will only serve legitimate requests

There's a bunch of workarounds available but it sounds to me like the easiest one available to you is setting up an internal mirror for the node.js distributions, personally I've had great experience with nexus and others enjoy artifactory for this, but a normal webserver works just fine Otherwise I think using buildSrc to override specifically the setup class is the easiest

[UltraL0rd]

Yes thanks, that is my plan. I still have a version of the plugin on my local machine, I will include the lib manually

On 23 Mar 2023, at 23:00, Alex Nordlund @.***> wrote:

@UltraL0rd https://github.com/UltraL0rd Gradle 5.6.4 (the last Gradle 5 release) is almost 4 years old at this point, but yes, the almost 3 year old version of this plugin contains a bug and the upstream mirror of node.js has decided that they will only serve legitimate requests

There's a bunch of workarounds available but it sounds to me like the easiest one available to you is setting up an internal mirror for the node.js distributions, personally I've had great experience with nexus and others enjoy artifactory for this, but a normal webserver works just fine Otherwise I think using buildSrc to override specifically the setup class is the easiest

— Reply to this email directly, view it on GitHub https://github.com/node-gradle/gradle-node-plugin/issues/265#issuecomment-1481901976, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABS3J7HM25OR7QU6DGH5GDW5S2YPANCNFSM6AAAAAAWFLYM2M. You are receiving this because you were mentioned.

[tommytusj]

We're also stuck on gradle 4. Our solution is probably to just download the distros we need and put them on a web server and set the distBaseUrl property to use that and not nodejs.org

[deepy]

My recommendation would be to upgrade to at least Gradle 5 but if you can't do that, an internal mirror is the best. Especially if you use download = true on CI and can put the mirror close to CI.

But it's always a good idea to have (at least the option of) internal mirrors of software you rely on, don't want someone else's outage bringing you down

[deepy]

I'm adding wontfix for now. I am going to look into this and see how much effort it would be to release an old version, but I'm maintaining this on my own free time so no promises on when

[deepy]

I'm actually not able to reproduce the issue, it's working fine and Gradle never attemps to fetch ivy.xml :P https://scans.gradle.com/s/nqcotx6rozjxo/dependencies?focusedDependency=WzAsMCwwLFswLDAsWzBdXV0&focusedDependencyView=details&toggled=W1swXSxbMCwwXSxbMCwxXV0

Which Gradle 4 versions are you on? This works fine for me on 4.10.2 with the metadataSources { artifact() }

[deepy]

Closing this as it should work fine on everything that's 4.5 or newer and if you're on something older than 4.5 you need to upgrade. Ideally to 4.10.3