[CRITICAL] npmjs inconsistently returns 404 for HEAD requests

[mohammadtibi]

Hello npm team,

In the past couple of days Artifactory users are running into a blocking issue, due to npmjs returning 404 for HEAD requests for some endpoints for unclear reason.

For example:

If we run:

$ curl -XHEAD "https://registry.npmjs.org/@angular%2fcli" -I

HTTP/2 404 date: Wed, 06 Jun 2018 11:30:03 GMT content-type: application/json content-length: 21 set-cookie: __cfduid=d0bf88341e559bdd97b7d48669e7310781528284602; expires=Thu, 06-Jun-19 11:30:02 GMT; path=/; domain=.registry.npmjs.org; HttpOnly cf-cache-status: EXPIRED cf-ray: 426a8b6a9858ad75-TLV expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" vary: Accept-Encoding server: cloudflare

As you may see we got a 404 for the HEAD request. If we run the same command few hours later, it may return 200 and few hours later 404 once again. There is some unclear inconsistency.

For example the below REST API call

$ curl -XHEAD "https://registry.npmjs.org/@pnp%2fodata" -I

HTTP/2 200 date: Wed, 06 Jun 2018 11:33:13 GMT content-type: application/json; charset=UTF-8 content-length: 52354 set-cookie: __cfduid=ddd0917685a4416dade8382bcba3ce5491528284792; expires=Thu, 06-Jun-19 11:33:12 GMT; path=/; domain=.registry.npmjs.org; HttpOnly accept-ranges: bytes cache-control: public, max-age=14400 cf-cache-status: HIT cf-ray: 426a900fbdf2ad93-TLV etag: "9d8bcef6c06777eb076a8de06d691e8a" expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" last-modified: Tue, 29 May 2018 11:10:37 GMT vary: Accept-Encoding server: cloudflare

Returns 200, one hour ago, it returned 404.

Just as a side note, GET requests seem to work, the issue seem to be only with HEAD requests.

We guess that the issue might be related to the CDN nodes the request reaches which causing the HEAD requests to fail. Seems like when the cf-cache-status header is set to HIT we get 200 And when the cf-cache-status header is set to EXPIRED or MIS we get 404

This is a blocking issue, please look into it as soon as possible. This is a change in behaviour.

It was opened here originally: https://github.com/npm/npm/issues/20914

Looking forward to your response.

[drazisil]

Possibly related to https://github.com/npm/registry/issues/349 ?

[arielkv]

@drazisil I'm not sure it's related, as the only symptoms we see is that HEAD requests for packages are answered intermittently with 404. Which is causing in lots of issues for Artifactory users worldwide.

[joelebeau9]

We are also seeing this issue

[Pablodotnet]

Having this issue too, I have some time now that I can't run npm install or yarn install, I'm always getting

Error: Couldn't find package "ANY PACKAGE" required by "ANY PACKAGE" on the "npm" registry.

I'm having this issue since two days ago, happening with random packages so is not problem of any of my installed packages.

I'm not using Artifactory.

[joelebeau9]

https://jfrog.com/knowledge-base/why-am-i-getting-404-for-some-npm-packages/

[akarasik]

Are there any updates regarding this issue? We are experiencing the same issue using Artifactory.

[notsudo]

We were also hit by this. In our testing, it seems to be only scoped npm packages (@scoped/package) that are affected.

[dvh]

Same here!

[ajzawawi]

Do we have any updates regarding this issue? It's a major blocker on Artifactory that requires a complete upgrade - which is usually not a quick change for many organizations.

[jvivs]

We're also using artifactory (internal packages and local cache) and experiencing this issue. 👍 for addressing.

[AClavijo]

Same issue too. Resolved by enable the "Bypass HEAD Requests".

[alexkrautmann]

Same issue for me. Does anyone know the downsides of enabling "Bypass HEAD Requests" in Artifactory?

[felix-hoc]

FYI, the Bypass HEAD Requests option is only available in Artifactory 5.5.2 or later.

[scottrus]

This is still an issue for me. The scoped package @storybook/node-logger would not install unless we enabled the bypass HEAD requests. The logs show npmjs.org is returning a 404 for what appears to be a good request.

[mohammadtibi]

@alexkrautmann There is nothing you should worry about when bypassing HEAD requests, if anything it even may improve the performance.