search

npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/
Other
8.49k stars 3.17k forks source link

[BUG] port, username and password are lost from npm registry url during "reify" stage #4443

Open simllll opened 2 years ago

simllll commented 2 years ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

I've set up a custom npm registry with verdaccio. This registry is besides some firewall rules, only accessable with a http basic auth. Therefore my repository urls look like: http://user:pwd@somehost:someport/

If I run npm install now, it downloads all packages, and when it reaches the reify stage, it tries to load some metadata again I guess, but now it tries to donwload it from http://somehost/ <-- username, password and port are lost in the url? It's not a debug messgae fail, I also checked the network traffic.

It gets stuck on this kind of log messages: => => # npm sill tarball no local data for depd@http://somehost/depd/-/depd-1.1.2.tgz. Extracting by manifest.
=> => # npm sill tarball no local data for @sentry/types@http://somehost/@sentry%2ftypes/-/types-6.17.4.tgz. Extracting by manifest.
=> => # npm sill tarball no local data for @sentry/utils@http://somehost/@sentry%2futils/-/utils-6.17.4.tgz. Extracting by manifest.
=> => # npm sill tarball no local data for @sentry/types@http://somehost/@sentry%2ftypes/-/types-6.17.4.tgz. Extracting by manifest.
=> => # npm sill tarball no local data for @sentry/utils@http://somehost/@sentry%2futils/-/utils-6.17.4.tgz. Extracting by manifest.
=> => # npm sill tarball no local data for debug@http://somehost/debug/-/debug-2.6.9.tgz. Extracting by manifest.

Expected Behavior

It should always use the correct version of the npm registry url, and should not "modify" it.

Steps To Reproduce

  1. set up a verdaccio server on a custom port and protect it with uername and password, I guess it would be enough to host it on a custom port already, as the port is also dropped from the url (but haven't tested it)
  2. run npm install
  3. see it fails after download of packages completed, when the "reify" stage starts

Environment

simllll commented 2 years ago

maybe related https://github.com/npm/cli/issues/3284

fritzy commented 2 years ago

Can you use npm adduser with your registry and then edit your .npmrc to include always-auth=true? Please re-open if this you're still having this issue.

simllll commented 2 years ago

Hi @fritzy , thanks for coming back to me. It's not about the registry authentication, it's about the http authentication (Basic auth), and also about the network port. The issue is on the "http layer". The endpoint url is missing the port, username and password from the original url.

simllll commented 2 years ago

@fritzy please reopen this one!

nlf commented 2 years ago

@simllll can you fetch the json representing one of the packages (i.e. http://somehost/@sentry%2ftypes) and post it here? if it's not feasible to post the result in its entirety, the things i'm interested in are the _resolved and dist properties of version 6.17.4

do you have a package-lock.json already? if so, do the resolved values in your package-lock.json look correct?

balagge commented 7 months ago

Possibly related: npm repo also drops port number from the repository URL set up in package.json.

npm version 10.5.0.

swnia commented 2 months ago

This is still happening on npm install 10.7.0 and 10.8.2