rschristian / deptree

Visualize the dependency tree of a package or project
https://deptree.rschristian.dev
MIT License

Workspace packages or packages from private repos produce a 'failed to fetch' #5

Open spaceemotion opened 1 month ago

spaceemotion commented 1 month ago

I wanted to run our package list through DepTree and had to remove packages within our monorepo workspace (makes sense that they don't exist), as well as the FontAwesome Pro and TipTap Pro licensed packages (since they require a different package registry).

I guess the best way would be to just exclude packages that cannot be found from the tree? Right now it errors out with a "failed to fetch" message.

rschristian commented 1 month ago

The NPM registry has misconfigured CORS for error responses for nearly a year which means I can't actually distinguish a network error from a 404. I've sent a few emails to them but there seems to be no one willing to get that corrected anytime soon.

For now, the onus will be on uploaders to correctly limit the packages they feed into the tool.

spaceemotion commented 1 month ago

Ah, that is unfortunate. Is there a way to skip the package in question in case the request fails? Does deptree always need every dependency, even if it can't be reached?

rschristian commented 1 month ago

Skipping dependencies due to unknown errors (be it 404 or network errors) would result in unpredictability -- you'd have absolutely no idea if you're looking at your full dep tree or not.

Once NPM addresses their CORS issue I can better address the 404-flow, but until then, my hands are tied.

rschristian commented 1 month ago

It looks like NPM has now fixed CORS for bare packages (non-existent) but namespaced packages (@non/existent) are still a no-go. Will follow up w/ them to see if they can get this across the line finally.

Edit: I've also revised the error messages a bit, message should hopefully be clearer at least.

Edit 2: NPM engineering has re-confirmed the bug, and re-added it to their todo list, but it's not a priority so who knows when they'll get to it.
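The behaviour discussed in this thread, as an added example that is not part of any comment above and is not deptree's code: a CORS-blocked 404 reaches script as the same `TypeError` as a network failure, so a resolver that cannot tell them apart has to abort rather than skip. The stubbed `fetch`, the package names and the function names are assumptions constructed for illustration; the stub models the state described in the last comment (readable 404 for bare names, blocked 404 for scoped names).

```javascript
// Added example: runs offline against a constructed stub, no registry access.
const REGISTRY = 'https://registry.npmjs.org';

// Constructed stand-in for browser fetch():
// - known packages: readable 200
// - unknown bare packages: readable 404 (CORS headers present)
// - unknown scoped packages: 404 without CORS headers, which the browser
//   reports to script as the same TypeError it uses for a network failure
function makeStubFetch(known) {
  return async (url) => {
    const name = decodeURIComponent(url.slice(REGISTRY.length + 1));
    if (known.has(name)) return { ok: true, status: 200 };
    if (name.startsWith('@')) throw new TypeError('Failed to fetch');
    return { ok: false, status: 404 };
  };
}

// Classify one lookup as 'found', 'not-found' or 'indeterminate'.
async function probe(name, fetchImpl) {
  try {
    const res = await fetchImpl(`${REGISTRY}/${encodeURIComponent(name)}`);
    if (res.ok) return 'found';
    return res.status === 404 ? 'not-found' : 'indeterminate';
  } catch {
    // Network failure or CORS-blocked response: script cannot tell which.
    return 'indeterminate';
  }
}

// Fail closed: an indeterminate lookup aborts the whole run, so any result
// that is returned accounts for every input package.
async function resolveAll(names, fetchImpl) {
  const resolved = [];
  const missing = [];
  for (const name of names) {
    const state = await probe(name, fetchImpl);
    if (state === 'indeterminate') {
      throw new Error(`cannot tell whether "${name}" exists; tree would be incomplete`);
    }
    (state === 'found' ? resolved : missing).push(name);
  }
  return { resolved, missing };
}
```

Reporting readable 404s in a separate `missing` list is one possible handling, assumed here; the thread does not say how the tool will treat them.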