Update to version 3.16.1 triggered a java.lang.StackOverflowError when trying to fetch the metadata of an NPM dependency, with our repository configuration:
- npm-all = group
  - npm-registry: http://registry.npmjs.org/
  - npm-other-org: http://<upstream repository from a different org of the company>/
Repositories in the group are defined in the order above. The first thing I found out is that the list is processed in reverse order: https://github.com/sonatype/nexus-public/blob/master/plugins/nexus-repository-npm/src/main/java/org/sonatype/nexus/repository/npm/internal/NpmGroupFacet.java#L261
This seems to behave against what is documented here: https://help.sonatype.com/learning/repository-manager-3/first-time-installation-and-setup/lesson-3%3A-creating-and-managing-repository-groups
After some debugging, I found that the "author" field was filled with a self-reference to the whole metadata in a NestedAttributesMap object.
From npm-other-org, the "author" field was defined as the following:
From npm-registry, the "author" field is defined as the following:
Both formats are valid according to https://docs.npmjs.com/files/package.json#people-fields-author-contributors
The recursive object structure can be reproduced with NpmMergeObjectMapperTest with the attached patch over 3.16.1 source.
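
A defensive example for the situation described in this report, added here and not taken from Nexus or from the attached patch: it normalizes the two valid `author` forms into a fresh map and checks a merged metadata graph for self-references before it is serialized. The class name, method names and sample values are assumptions made for illustration.

```java
import java.util.*;
import java.util.regex.*;

public class AuthorMergeCheck {
  // npm people-field string form: "Name <email> (url)"; email and url are optional.
  private static final Pattern PERSON =
      Pattern.compile("^\\s*([^<(]*?)\\s*(?:<([^>]*)>)?\\s*(?:\\(([^)]*)\\))?\\s*$");

  // Normalize either valid author form into a new map; the input object is never reused.
  static Map<String, Object> normalizeAuthor(Object author) {
    Map<String, Object> out = new LinkedHashMap<>();
    if (author instanceof Map) {
      for (Map.Entry<?, ?> e : ((Map<?, ?>) author).entrySet()) {
        // Copy string fields only, so no nested container can be carried over.
        if (e.getValue() instanceof String) out.put(String.valueOf(e.getKey()), e.getValue());
      }
    } else if (author instanceof String) {
      Matcher m = PERSON.matcher((String) author);
      if (m.matches()) {
        if (!m.group(1).isEmpty()) out.put("name", m.group(1));
        if (m.group(2) != null) out.put("email", m.group(2));
        if (m.group(3) != null) out.put("url", m.group(3));
      }
    }
    return out;
  }

  // True if a Map/Collection graph reaches a container already on the current path.
  // 'path' must compare by identity: hashing a cyclic map would itself recurse forever.
  static boolean hasCycle(Object node, Set<Object> path) {
    if (!(node instanceof Map) && !(node instanceof Collection)) return false;
    if (!path.add(node)) return true;
    Collection<?> children =
        node instanceof Map ? ((Map<?, ?>) node).values() : (Collection<?>) node;
    for (Object child : children) if (hasCycle(child, path)) return true;
    path.remove(node);
    return false;
  }

  public static void main(String[] args) {
    // Constructed sample values, not the ones from the report.
    Map<String, Object> asObject = new LinkedHashMap<>();
    asObject.put("name", "Jane Example");
    System.out.println(normalizeAuthor("Jane Example <jane@example.com> (https://example.com)"));
    System.out.println(normalizeAuthor(asObject));
    Map<String, Object> merged = new LinkedHashMap<>();
    merged.put("author", merged); // hand-built self-reference like the one described above
    Set<Object> path = Collections.newSetFromMap(new IdentityHashMap<>());
    System.out.println("cycle: " + hasCycle(merged, path));
  }
}
```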