  1. Dev - Nexus Repo
  2. NEXUS-18774

allow scoped NPM package name parts that start with '.' or '_'

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.14.0
    • Fix Version/s: 3.16.0
    • Component/s: NPM
    • Story Points:
      2

      Description

      Currently, Nexus will not proxy NPM packages which begin with a leading '.' or '_'; attempting to pull these results in:

      2019-01-03 11:22:25,450-0800 WARN  [qtp799270832-391]  admin org.sonatype.nexus.repository.npm.internal.NpmHandlers - Error: GET /@angular-toolkit/utils: Status{successful=false, code=400, message='null'} - Name starts with '.' or '_': _utils
      java.lang.IllegalArgumentException: Name starts with '.' or '_': _utils
              at com.google.common.base.Preconditions.checkArgument(Preconditions.java:210)
              at org.sonatype.nexus.repository.npm.internal.NpmPackageId.<init>(NpmPackageId.java:63)
              at org.sonatype.nexus.repository.npm.internal.NpmHandlers.packageId(NpmHandlers.java:83)
              at org.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.getCachedContent(NpmProxyFacetImpl.java:100)
              at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.maybeGetCachedContent(ProxyFacetSupport.java:342)
              at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.get(ProxyFacetSupport.java:218)
              at org.sonatype.nexus.repository.proxy.ProxyHandler.handle(ProxyHandler.java:50)
              ...

      This aligns with the advice provided by NPM:  https://docs.npmjs.com/files/package.json#name

      "Some rules:

      • The name must be less than or equal to 214 characters. This includes the scope for scoped packages.
      • The name can’t start with a dot or an underscore."

      Unfortunately, packages with such names exist in the NPM registry (http://registry.npmjs.org/@angular-toolkit/_utils ).  Affected customers are therefore prevented from bringing them down through Nexus.  Since the de facto naming restrictions at the NPM registry apparently allow these characters, Nexus should follow suit.

      Expected

      • unscoped package names are not allowed to start with underscore or period
      • a scope is part of the complete package name, so the non-scoped name part of a scoped package name is allowed to start with a period or a dot
      • current package name validation logic should reference the official npm validation logic

            People

            Assignee:
            pkundra Parul Kundra
            Reporter:
            jkruger John Kruger
            CC:
            Marco Morado
            Last Updated By:
            Peter Lynch
            Team:
            NXRM - Cypher
            Votes:
            1
            Watchers:
            6
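
The naming rules from the Expected list, as an added JavaScript example (not Nexus or npm code): the hypothetical parsePackageId splits the scope from the name, applies the 214-character limit to the whole id, and rejects a leading '.' or '_' only for unscoped names. The '/' handling and the rejection of '.' and '..' as a whole name part are assumptions of this example, not rules stated in the issue.

```javascript
// Added example: hypothetical helpers, not Nexus or npm code.
const MAX_NAME_LENGTH = 214; // limit quoted in the issue; includes the scope

// Splits "@scope/name" or "name" and applies the rules from the Expected list.
// Returns { scope, name } or throws an Error describing the rejected input.
function parsePackageId(id) {
  if (typeof id !== 'string' || id.length === 0) {
    throw new Error('Package id must be a non-empty string');
  }
  if (id.length > MAX_NAME_LENGTH) {
    throw new Error(`Package id longer than ${MAX_NAME_LENGTH} characters`);
  }

  let scope = null;
  let name = id;
  if (id.startsWith('@')) {
    const slash = id.indexOf('/');
    // A scoped id needs a non-empty scope and exactly one '/' separator.
    if (slash < 2 || slash !== id.lastIndexOf('/')) {
      throw new Error(`Malformed scoped package id: ${id}`);
    }
    scope = id.slice(1, slash);
    name = id.slice(slash + 1);
  } else if (id.includes('/')) {
    throw new Error(`Unscoped name must not contain '/': ${id}`);
  }

  // Assumption of this example: a relaxed leading-dot rule must still not
  // admit an empty name or the path segments '.' and '..'.
  if (name === '' || name === '.' || name === '..') {
    throw new Error(`Invalid name part: ${id}`);
  }
  // Only an unscoped name is rejected for a leading '.' or '_'.
  if (scope === null && (name.startsWith('.') || name.startsWith('_'))) {
    throw new Error(`Name starts with '.' or '_': ${name}`);
  }
  return { scope, name };
}

// Boolean wrapper for callers that do not want an exception.
function isValidPackageId(id) {
  try {
    parsePackageId(id);
    return true;
  } catch (err) {
    return false;
  }
}
```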
