Node.js 18.17.1 LTS Windows installer fails from chocolatey.org rate limit IP ban on sufficiently fast pc

Alexgopen commented 12 months ago

Details

I attempted to install Node.js LTS on my home PC today using the Windows installer. At the point where the installation installs Chocolatey and required packages, I ran into an issue where two of the packages failed due to error 429 (Too Many Requests), and upon checking chocolatey.org I was 1 hour IP banned by their Cloudflare rate limiting.

[NuGet] Error downloading 'visualstudio2019buildtools.16.11.28 : chocolatey-visualstudio.extension [1.11.0, ), dotnetfx [4.7.2, ), KB2919355 [1.0.20160915, ), KB2999226 [1.0.20161201, ), visualstudio-installer [2.0.2, )' from 'https://community.chocolatey.org/api/v2/package/visualstudio2019buildtools/16.11.28.0'. [NuGet] Response status code does not indicate success: 429 (Too Many Requests).

[NuGet] Error downloading 'visualstudio2019-workload-vctools.1.0.1 : chocolatey-visualstudio.extension [1.9.0, ), vcredist140 [14.16.27027.1, ), visualstudio-installer [2.0.1, ), visualstudio2019buildtools [16.0.0, )' from 'https://community.chocolatey.org/api/v2/package/visualstudio2019-workload-vctools/1.0.1'. [NuGet] Response status code does not indicate success: 429 (Too Many Requests).

I contacted Chocolatey's support team, who were confused by this and seemed to think I was an organization excessively sending requests, which is not the case, I am a single home user trying to install Node.js. They explained their rate limits for chocolatey.org as follows:

Package downloads/installations are rate limited at about 20 per minute per IP address;
Installing Chocolatey itself (and extensions) are rate limited at 5 per minute per IP address;

I then checked my chocolatey.log file and found that its execution ran from 2023-08-24 11:49:07,834 to 2023-08-24 11:50:07,447 which is indeed under 1 minute.

During this time, the Node.js 18.17.1 LTS Windows installer had installed Chocolatey itself, as well as many packages.

Chocolatey upgraded 17/19 packages. 2 packages failed. See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log). 2023-08-24 11:50:07,426 20724 [INFO ] - 2023-08-24 11:50:07,427 20724 [WARN ] - Upgraded: 2023-08-24 11:50:07,428 20724 [INFO ] - - chocolatey-compatibility.extension v1.0.0 2023-08-24 11:50:07,428 20724 [INFO ] - - chocolatey-core.extension v1.4.0 2023-08-24 11:50:07,429 20724 [INFO ] - - chocolatey-dotnetfx.extension v1.0.1 2023-08-24 11:50:07,430 20724 [INFO ] - - chocolatey-visualstudio.extension v1.11.0 2023-08-24 11:50:07,430 20724 [INFO ] - - chocolatey-windowsupdate.extension v1.0.5 2023-08-24 11:50:07,431 20724 [INFO ] - - dotnetfx v4.8.0.20220524 2023-08-24 11:50:07,431 20724 [INFO ] - - KB2919355 v1.0.20160915 2023-08-24 11:50:07,432 20724 [INFO ] - - KB2919442 v1.0.20160915 2023-08-24 11:50:07,433 20724 [INFO ] - - KB2999226 v1.0.20181019 2023-08-24 11:50:07,433 20724 [INFO ] - - KB3033929 v1.0.5 2023-08-24 11:50:07,434 20724 [INFO ] - - KB3035131 v1.0.3 2023-08-24 11:50:07,435 20724 [INFO ] - - python v3.11.4 2023-08-24 11:50:07,435 20724 [INFO ] - - python3 v3.11.4 2023-08-24 11:50:07,437 20724 [INFO ] - - python311 v3.11.4 2023-08-24 11:50:07,438 20724 [INFO ] - - vcredist140 v14.36.32532 2023-08-24 11:50:07,438 20724 [INFO ] - - vcredist2015 v14.0.24215.20170201 2023-08-24 11:50:07,439 20724 [INFO ] - - visualstudio-installer v2.0.3 2023-08-24 11:50:07,439 20724 [INFO ] - 2023-08-24 11:50:07,440 20724 [WARN ] - Packages requiring reboot: 2023-08-24 11:50:07,441 20724 [WARN ] - - vcredist140 (exit code 3010) 2023-08-24 11:50:07,442 20724 [WARN ] - The recent package changes indicate a reboot is necessary. Please reboot at your earliest convenience. 2023-08-24 11:50:07,442 20724 [INFO ] - 2023-08-24 11:50:07,443 20724 [ERROR] - Failures 2023-08-24 11:50:07,444 20724 [ERROR] - - visualstudio2019buildtools (exited 1) - visualstudio2019buildtools not installed. An error occurred during installation: Error downloading 'visualstudio2019buildtools.16.11.28 : chocolatey-visualstudio.extension [1.11.0, ), dotnetfx [4.7.2, ), KB2919355 [1.0.20160915, ), KB2999226 [1.0.20161201, ), visualstudio-installer [2.0.2, )' from 'https://community.chocolatey.org/api/v2/package/visualstudio2019buildtools/16.11.28.0'. 2023-08-24 11:50:07,444 20724 [ERROR] - - visualstudio2019-workload-vctools (exited 1) - visualstudio2019-workload-vctools not installed. An error occurred during installation: Error downloading 'visualstudio2019-workload-vctools.1.0.1 : chocolatey-visualstudio.extension [1.9.0, ), vcredist140 [14.16.27027.1, ), visualstudio-installer [2.0.1, ), visualstudio2019buildtools [16.0.0, )' from 'https://community.chocolatey.org/api/v2/package/visualstudio2019-workload-vctools/1.0.1'. 2023-08-24 11:50:07,446 20724 [DEBUG] - Sending message 'PostRunMessage' out if there are subscribers... 2023-08-24 11:50:07,447 20724 [DEBUG] - Exiting with 3010

It seems that on a sufficiently fast internet connection and pc, the Windows installer for Node.js 18.17.1 LTS itself will run into chocolatey.org's rate limiting, resulting in an IP ban, and inability to complete installation.

In the end I had to resort to connecting to a VPN to get a different IP, and re-ran the installer to get the remaining two packages, bypassing my chocolatey.org IP ban.

The Node.js installer could probably use some waits in the install script to prevent getting rate limited, otherwise this might become a more prevalent issue going forward as PC hardware continues to get faster.

Node.js version

18.17.1 LTS

Example code

No response

Operating system

Microsoft Windows [Version 10.0.19045.3208]

Scope

Installation

Module and version

Not applicable.

preveen-stack commented 12 months ago

cc @nodejs/package-maintenance PTAL

Alexgopen commented 12 months ago

I've received new information from the Chocolatey support team: Apparently package installs were being double-counted by chocolatey.org's rate limiting, resulting in hitting the rate limit with fewer requests than usual, and receiving a 1 hour IP ban. Nonetheless, 19 packages requested by the Node.js installer is very close to their limit of 20/minute before a 1 hour IP ban. This should probably be considered for an opportunity to limit requests/minute made to chocolatey.org by the Node.js installer, otherwise adding new packages in the future could lead to exceeding their 20/minute limit if a user's PC gets through the installer in under a minute, triggering a 1 hour IP ban, and failing the install.

richardlau commented 12 months ago

You can see the exact command optionally run by the installer in https://github.com/nodejs/node/blob/v18.17.1/tools/msvs/install_tools/install_tools.bat#L55

This requests two packages

choco upgrade -y python visualstudio2019-workload-vctools

All of the other packages being installed must be dependencies of those packages in chocolatey.

ljharb commented 12 months ago

20/minute is vanishingly small ftr; in the node ecosystem you'd hit that in a second or two - and having an hour ban is highly punitive for going slightly over a limit.

cinderblock commented 4 months ago

https://github.com/nodejs/node/issues/51905

nodejs / help