  1. Dev - Nexus Repo
  2. NEXUS-11290

provide option to suppress merging metadata for the same npm package in different group members

    Details

    • Type: Story
    • Status: Done
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.2.0
    • Component/s: NPM
    • Story Points: 2
    • Sprint: Sprint 81

      Description

      Background

      Consider a hypothetical npm package 'bezor' version 1.0.0 (with no namespace), which lives in an npm hosted repo in Nexus. Various client npm projects use this package, and the dependency version is "~1.0.0", which signifies that the latest minor point release is acceptable.

      The hosted repo is the first member of a group, which also contains a proxy for npmjs.org. One day, 'bezor' 1.0.5 shows up on npmjs.org, no relation to the hosted package. Suddenly, builds start failing as the unrelated package is pulled down.

      This is an inevitable consequence of a lack of namespacing with tilde-style dependency versioning, and it's also a blocker for a client adopting NX3 from a home-rolled npm repo.

      Acceptance

      • Administrators can set a system property that prevents npm groups from merging package metadata on a request-by-request basis.
      • This only applies to the default namespace. Namespaced components continue to have their metadata merged, regardless of the system property's value.

      If this property is set for the example above, when a client requests metadata for package 'bezor', the client will only be shown metadata from the hosted repo. This contains 'bezor' 1.0.0 and nothing else.

      Notes
      This change won't affect the 'all' endpoint. Clients who request 'all' will still be able to see the multi-member merged metadata for a given package. We believe the exposure to this is minimal since the client doesn't use this to resolve dependencies.
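The following is an added example, not code from Nexus or from this ticket. It models the 'bezor' scenario described above: a client resolving "~1.0.0" against a group with merging on and with merging suppressed. The repository names, the `@acme/util` package, the `suppressMerge` flag (standing in for the system property, whose name is not given here) and the "first member that has the package wins" rule are assumptions.

```javascript
// Added example: models npm group metadata resolution. All names are hypothetical.
// Constructed sample metadata for two group members, listed in group order.
const members = [
  { name: 'npm-hosted', packages: { bezor: ['1.0.0'], '@acme/util': ['2.0.0'] } },
  { name: 'npmjs-proxy', packages: { bezor: ['1.0.5'], '@acme/util': ['2.0.1'] } },
];

const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Minimal "~major.minor.patch" matcher: same major.minor, patch >= base patch.
function satisfiesTilde(version, range) {
  const base = parse(range.slice(1));
  const v = parse(version);
  return v[0] === base[0] && v[1] === base[1] && v[2] >= base[2];
}

// Versions the group shows a client for one package.
// suppressMerge stands in for the system property (assumption: name not on the page).
function groupVersions(pkg, suppressMerge) {
  const scoped = pkg.startsWith('@');
  const hits = members.filter((m) => m.packages[pkg]);
  if (suppressMerge && !scoped) {
    // Default namespace: only the first member that has the package is shown.
    return hits.length ? hits[0].packages[pkg].map((v) => ({ v, from: hits[0].name })) : [];
  }
  // Merged view: every member's versions are visible to the client.
  return hits.flatMap((m) => m.packages[pkg].map((v) => ({ v, from: m.name })));
}

// Highest visible version satisfying the tilde range, as an npm client would pick it.
function resolve(pkg, range, suppressMerge) {
  const ok = groupVersions(pkg, suppressMerge).filter((e) => satisfiesTilde(e.v, range));
  ok.sort((a, b) => cmp(b.v, a.v));
  return ok[0] || null;
}

console.log('merged:    ', resolve('bezor', '~1.0.0', false));
console.log('suppressed:', resolve('bezor', '~1.0.0', true));
console.log('scoped:    ', resolve('@acme/util', '~2.0.0', true)); // still merged
```

With merging on, the unrelated 1.0.5 from the proxy outranks the hosted 1.0.0. With merging suppressed, only the hosted version is visible, while the namespaced package is still resolved from the merged view.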

              People

              Assignee:
              jtom Joe Tom
              Reporter:
              mprescott Michael Prescott
              Last Updated By:
              Michael Prescott Michael Prescott