jdx/npm-register

tarball url must follow package.json

GongT opened this issue · 6 comments

GongT commented

The router path for tarballs is '/:scope?/:name/-/:scope2?/:filename/:sha'

But there is no documentation about this.

In fact, some npm CDNs do not use this URI (they modify the package file).

example: http://registry.npm.taobao.org/

jdx commented

I'm not following. What's the problem?

GongT commented

tarballs router
r.get('/:scope?/:name/-/:scope2?/:filename/:sha', function * () {
This assumes npm (cli) will try to download the tarball from a URL that looks like: /@types/node/-/@types/node-x.y.z/xxxxxxxxxx.tgz

But in fact, npm will download the tarball from wherever is defined by package.versions['x.y.z'].dist.tarball

There is no documented rule about package.versions['x.y.z'].dist.tarball, and some unofficial npm CDNs will modify the package JSON.

eg: http://registry.npm.taobao.org/@types%2Fnode

{
  "versions": {
    "0.0.1": {
      "dist": {
        "shasum": "d90a4d3bf1fe8f961edf0f76f34a7a6df79580be",
        "size": 28040,
        "noattachment": false,
        "tarball": "http://registry.npm.taobao.org/@types/node/download/@types/node-0.0.1.tgz"
      }
    }
  }
}

The packages router's rewriteTarballURLs will rewrite this URL to http://127.0.0.1:45678/@types/node/download/@types/node-0.0.1.tgz

Then npm will fail to download http://127.0.0.1:45678/@types/node/download/@types/node-0.0.1.tgz with a 404.

@GongT is this still an issue for you?

GongT commented

I'm using sinopia now...
But it looks like lib/routes/tarballs.js is still using the wrong path.

Ok thanks. I think I understand this now, but could you clarify a little more? I believe this is only an issue if the package doesn't exist in npm-register and it gets passed through to npm with the wrong URL. What are the other use cases? Thanks!

GongT commented

Sorry for my English first.

npm -A-> npm-register -B-> upstream(npm.org)

The issue happens at A.

You can compare the same debug package on two different registries:
china mirror: https://registry.npm.taobao.org/debug
original npm: https://registry.npmjs.org/debug

look at tarball:
china mirror: "http://registry.npm.taobao.org/debug/download/debug-3.1.0.tgz"
original npm: "https://registry.npmjs.org/debug/-/debug-0.1.0.tgz"

npm-register's router is waiting for npm to request /debug/-/debug-0.1.0.tgz.
But if the upstream is set to https://registry.npm.taobao.org/ , the npm client will make a request to "http://npm-register/debug/download/debug-3.1.0.tgz", and then the npm client gets a 404 error.