  1. Dev - Nexus
  2. NEXUS-10493

NPM tarballs proxied from registry.npmjs.org may be fetched by Nexus at registry.npmjs.com

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 2.13, 3.0.1
    • Fix Version/s: None
    • Component/s: NPM
    • Labels:
      None

      Description

      According to https://docs.npmjs.com/misc/registry ,

      > "The official public npm registry is at https://registry.npmjs.org/."

      However, npmjs.org currently allows packages hosted at npmjs.org to be published with tarball URLs in their metadata that point to alternate mirrors of the official registry, most commonly https://registry.npmjs.com/ .

      If you create a proxy repository in Nexus to registry.npmjs.org, keep in mind that Nexus follows the tarball URL in the metadata for the package you want to download, and may contact .com hosts instead to fetch it.

      If your organization's proxy allows traffic only to .org and blocks .com requests, then Nexus may return 404 for some tarballs and not others.

      Symptoms

      Check the metadata for the specific package version you are trying to proxy. Verify whether the host name in the actual tarball URL differs from the host in the remote URL configured for your proxy repository.
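
The check described under Symptoms, as an added example (not code from Nexus or from this issue): it compares each version's `dist.tarball` host with the host of the proxy repository's remote URL. The function names and the sample metadata are constructed for illustration; real metadata would come from the registry's response for the package.

```javascript
// Constructed sample of npm package metadata; the package name, versions and
// URLs are made up to show each case the check has to handle.
const samplePackument = {
  name: "example-pkg",
  versions: {
    "1.0.0": { dist: { tarball: "https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz" } },
    "1.1.0": { dist: { tarball: "https://registry.npmjs.com/example-pkg/-/example-pkg-1.1.0.tgz" } },
    "1.2.0": { dist: {} },                        // no tarball URL at all
    "1.3.0": { dist: { tarball: "not a url" } },  // malformed value
  },
};

// Return one finding per version whose tarball would not be fetched from the
// host of remoteUrl (the remote URL configured on the proxy repository).
function findOffHostTarballs(packument, remoteUrl) {
  const expectedHost = new URL(remoteUrl).host;
  const findings = [];
  for (const [version, meta] of Object.entries(packument.versions || {})) {
    const tarball = meta && meta.dist && meta.dist.tarball;
    if (typeof tarball !== "string") {
      findings.push({ version, host: null, reason: "missing tarball URL" });
      continue;
    }
    let host;
    try {
      host = new URL(tarball).host; // URL normalizes the host to lower case
    } catch {
      findings.push({ version, host: null, reason: "unparseable tarball URL" });
      continue;
    }
    if (host !== expectedHost) {
      findings.push({ version, host, reason: "host differs from remote URL" });
    }
  }
  return findings;
}

// Distinct hosts an egress allowlist would need in addition to the remote URL host.
function extraHosts(findings) {
  return [...new Set(findings.map((f) => f.host).filter(Boolean))].sort();
}

const findings = findOffHostTarballs(samplePackument, "https://registry.npmjs.org/");
for (const f of findings) {
  console.log(`${samplePackument.name}@${f.version}: ${f.reason}` + (f.host ? ` (${f.host})` : ""));
}
console.log("additional hosts contacted:", extraHosts(findings).join(", "));
```

Versions reported with a differing host are the ones for which Nexus may return 404 when outbound traffic is limited to the remote URL's host.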

              People

              • Assignee:
                krobinson Kelly Robinson
                Reporter:
                plynch Peter Lynch
                Last Updated By:
                Kelly Robinson