zkat / pacote

programmatic npm package and metadata downloader (moved!)
https://github.com/npm/pacote
MIT License

Unable to add local tarballs with sha1 integrity #162

Open yorickvP opened 6 years ago

yorickvP commented 6 years ago

For some offline thing, I want to add a set of tarballs to the npm cache. However, some of the tarballs only have a sha1 integrity in the package-lock.json, so they will fail to fetch.

const pacote = require('pacote')

// Fails: the lockfile entry only carries a sha1 integrity value.
pacote.tarball("ajv-keywords@3.2.0", {
  cache: "./cache-test",
  offline: true,
  resolved: 'file:ajv-keywords-3.2.0.tgz',
  integrity: "sha1-6GuBnGAs+IIa1jdBNpjx3sAhhHo="
}).then(console.log)

The current approach will be to rewrite the package-lock into sha512.

zkat commented 6 years ago

Ahh, yeah, so, this is a two-part thing:

  1. The resolved: 'file:... format is not meant to warm up a cache. Quite the opposite: it's supposed to bypass caches.
  2. The correct incantation would then be pacote.tarball('file:ajv-keywords-3.2.0.tgz', {...}).
  3. That still doesn't do what you want because we don't pass an algorithms option to cacache when slurping the file into the local cache.

So if this is still a thing you're interested in, I would totally take a PR that passes in either opts.algorithms or calculates which algorithms to pass in automatically based on opts.integrity, if present. Or, a combination of both.

yorickvP commented 6 years ago

The thing using resolved was only an example. npm cache add does something similar, and it is made to warm up a cache.

My real issue is that that npm command doesn't do what's expected, but it turned out to be way faster to use pacote directly. We're currently rewriting the npm lockfile to sha512 and it seems to be working, but ugly.
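
The two ideas in this thread, deriving the algorithm list from an integrity value and rewriting a sha1 lockfile entry to sha512, are sketched below as an added example; it is not code from pacote, cacache or either commenter. It uses only Node's built-in crypto module, the function names (parseIntegrity, algorithmsFor, upgradeIntegrity) are hypothetical, and the tarball bytes are constructed sample data.

```javascript
const crypto = require('crypto');

// Hash names this sketch accepts in an integrity string, weakest first.
const KNOWN = ['sha1', 'sha256', 'sha384', 'sha512'];

// Split an integrity string ("sha1-<base64> sha512-<base64>") into entries.
function parseIntegrity(integrity) {
  return String(integrity || '').trim().split(/\s+/).filter(Boolean).map((entry) => {
    const dash = entry.indexOf('-');
    const algorithm = entry.slice(0, dash).toLowerCase();
    const digest = entry.slice(dash + 1).split('?')[0]; // drop trailing options
    if (dash < 1 || !KNOWN.includes(algorithm)) throw new Error(`unsupported integrity entry: ${entry}`);
    return { algorithm, digest };
  });
}

// Algorithms a cache write would have to hash with for this value to match later.
function algorithmsFor(integrity) {
  return [...new Set(parseIntegrity(integrity).map((e) => e.algorithm))];
}

function sri(algorithm, data) {
  return `${algorithm}-${crypto.createHash(algorithm).update(data).digest('base64')}`;
}

// Verify data against the strongest hash present, then return a sha512 value.
// Throws on mismatch so unverified bytes never receive a fresh, stronger hash.
function upgradeIntegrity(data, integrity) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) throw new Error('no integrity value to verify against');
  const algorithm = KNOWN[Math.max(...entries.map((e) => KNOWN.indexOf(e.algorithm)))];
  const actual = crypto.createHash(algorithm).update(data).digest();
  const ok = entries.filter((e) => e.algorithm === algorithm).some((e) => {
    const expected = Buffer.from(e.digest, 'base64');
    return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
  });
  if (!ok) throw new Error(`${algorithm} mismatch: refusing to rewrite integrity`);
  return sri('sha512', data);
}

// Constructed sample bytes standing in for a tarball (not the real ajv-keywords archive).
const sampleTarball = Buffer.from('constructed sample tarball bytes');
const lockEntry = { resolved: 'file:sample-1.0.0.tgz', integrity: sri('sha1', sampleTarball) };
lockEntry.integrity = upgradeIntegrity(sampleTarball, lockEntry.integrity);
console.log(algorithmsFor('sha1-6GuBnGAs+IIa1jdBNpjx3sAhhHo='), lockEntry.integrity);
```

The sha1 check has to pass before the sha512 value is written; otherwise the rewritten lockfile would vouch for whatever bytes happened to be on disk.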