Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[NPM] Registry inferring ignores the registry resource path #6804

Closed
1 task done
yeikel opened this issue Mar 8, 2023 · 1 comment · Fixed by #7030
Closed
1 task done

[NPM] Registry inferring ignores the registry resource path #6804

yeikel opened this issue Mar 8, 2023 · 1 comment · Fixed by #7030
Labels
L: javascript:npm npm packages via npm T: bug 🐞 Something isn't working

Comments

@yeikel
Copy link
Contributor

yeikel commented Mar 8, 2023
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

No response

Language version

6

Manifest location and content before the Dependabot update

No response

dependabot.yml content

I am using dependabot core directly

Updated dependency

No response

What you expected to see, versus what you actually saw

When a dependency is declared in a private registry such as :

"cors": {
			"version": "2.8.5",
			"resolved": "https://myRegistry/api/npm/npm/cors/-/cors-2.8.5.tgz",
			"integrity": "sha1-6sEdpRWS3Ya58G9uesKTs9+HXSk=",
			"requires": {
				"object-assign": "^4",
				"vary": "^1"
			}
		},

The registry detection detects the registry as https://myRegistry/ when it should detect the full URI https://myRegistry/api/npm/npm/

That results in 404 errors when the updater tries to query https://myRegistry/ instead of the expected https://myRegistry/api/npm/npm/

Likely offending code:

dependabot-core/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb

Line 104 in 30f9e40

known_registries << "#{uri.scheme}://#{uri.host}" if uri.scheme && uri.host

One solution for now, is to explicitly declare the registry using .npmrc

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

{"error":"404 Not Found - GET https://myRegistry/cors"}

Smallest manifest that reproduces the issue

Run the registry detection using a private registry like this:

"cors": {
			"version": "2.8.5",
			"resolved": "https://myRegistry/api/npm/npm/cors/-/cors-2.8.5.tgz",
			"integrity": "sha1-6sEdpRWS3Ya58G9uesKTs9+HXSk=",
			"requires": {
				"object-assign": "^4",
				"vary": "^1"
			}
		}
@yeikel yeikel added the T: bug 🐞 Something isn't working label Mar 8, 2023
@yeikel yeikel changed the title [NPM] Registry inferring ignores registry URI [NPM] Registry inferring ignores registry resource path Mar 8, 2023
@yeikel yeikel changed the title [NPM] Registry inferring ignores registry resource path [NPM] Registry inferring ignores the registry resource path Mar 8, 2023
@jeffwidman jeffwidman added the L: javascript:npm npm packages via npm label Mar 8, 2023
@jeffwidman
Copy link
Member

Thanks for the detailed bug report / investigation.

I'm not super familiar with the npm ecosystem, but your explanation makes sense.

How do you suggest tweaking the extraction logic to reliably extract the correct path? 👈 might be easiest to propose as a PR actually so that we're discussing actual code...

@abdulapopoola abdulapopoola moved this to Blocked in Dependabot Mar 30, 2023
@yeikel yeikel mentioned this issue Apr 10, 2023
Merged
@github-project-automation github-project-automation bot moved this from Blocked to Done in Dependabot Apr 17, 2023
@yeikel yeikel mentioned this issue Apr 23, 2023
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
L: javascript:npm npm packages via npm T: bug 🐞 Something isn't working
Projects
Dependabot
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(npm): registry inferring should include the full registry path yeikel/dependabot-core
2 participants
@jeffwidman @yeikel