Dev - Nexus Repo / NEXUS-21173

Corrupted dependencies for packages downloaded from rubygems.org

    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.15.2, 3.18.1, 3.21.1, 3.35.0
    • Fix Version/s: None
    • Component/s: RubyGems
    • Labels:

      Description

      Eventually, we started facing a strange issue: some packages downloaded from rubygems.org and hosted in a local repo return wrong dependencies:

      $ bundle install --path vendor/bundle
      ...
      Gem::Requirement::BadRequirementError: Illformed requirement ["PA== 2.0"]
      
      

      To reproduce, I just set up a fresh Nexus 3.18.1 instance, created a hosted gem repo, downloaded https://rubygems.org/downloads/ruby-maven-3.0.4.1.4.gem and uploaded it to the newly hosted repo. Result:

      $ ruby -r open-uri -r pp -e 'pp Marshal.load(open("http://localhost:8081/repository/test-gems/api/v1/dependencies?gems=ruby-maven").read).select { |g| g[:number] == "3.0.4.1.4" }'
      [{:name=>"ruby-maven",
        :number=>"3.0.4.1.4",
        :platform=>"ruby",
        :dependencies=>
         [["thor", ">= 0.14.6", "PA== 2.0"], ["maven-tools", "~> 0.32.3"]]}]
      

      Note, same gem looks good on rubygems:

      [volodymyr.soloviov]~/workspace/test/ruby-deps [] $ ruby -r open-uri -r pp -e 'pp Marshal.load(open("https://rubygems.org/api/v1/dependencies?gems=ruby-maven").read).select { |g| g[:number] == "3.0.4.1.4" }'
      [{:name=>"ruby-maven",
        :number=>"3.0.4.1.4",
        :platform=>"ruby",
        :dependencies=>[["thor", "< 2.0, >= 0.14.6"], ["maven-tools", "~> 0.32.3"]]}]
      

      Is it a known issue? I didn't find anything related.
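
A check for this failure mode, as an added example (not from the report and not Nexus code): it validates every requirement string in a dependencies record with `Gem::Requirement.parse` and diffs a mirror's record against upstream. The two records are constructed from the output shown above, and the helper names are hypothetical.

```ruby
require "rubygems"

# Constructed sample: the two dependency records shown in the report, in the
# shape they have after Marshal.load of an /api/v1/dependencies response.
NEXUS_RECORD = {
  name: "ruby-maven", number: "3.0.4.1.4", platform: "ruby",
  dependencies: [["thor", ">= 0.14.6", "PA== 2.0"], ["maven-tools", "~> 0.32.3"]]
}.freeze
UPSTREAM_RECORD = {
  name: "ruby-maven", number: "3.0.4.1.4", platform: "ruby",
  dependencies: [["thor", "< 2.0, >= 0.14.6"], ["maven-tools", "~> 0.32.3"]]
}.freeze

# Split one dependency entry into requirement strings. rubygems.org returns
# [name, "req, req"]; the Nexus response in the report had extra array elements.
def requirement_strings(dep)
  dep.drop(1).flat_map { |s| s.to_s.split(",") }.map(&:strip)
end

# Return [gem, version, dependency, bad_requirement] for every requirement
# that Gem::Requirement refuses to parse.
def malformed_requirements(record)
  record[:dependencies].flat_map do |dep|
    requirement_strings(dep).filter_map do |req|
      begin
        Gem::Requirement.parse(req)
        nil
      rescue Gem::Requirement::BadRequirementError
        [record[:name], record[:number], dep.first, req]
      end
    end
  end
end

# Normalise dependencies to {name => sorted requirement list} so a mirror's
# metadata can be compared with upstream regardless of ordering or shape.
def normalized(record)
  record[:dependencies].to_h { |dep| [dep.first, requirement_strings(dep).sort] }
end

# Names of dependencies whose requirements differ between mirror and upstream.
def drift(mirror, upstream)
  m, u = normalized(mirror), normalized(upstream)
  (m.keys | u.keys).reject { |k| m[k] == u[k] }
end
```

The operator token `PA==` in the malformed requirement is the Base64 encoding of `<`, the operator rubygems.org reports for the same requirement.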

            People

            Assignee: Unassigned
            Reporter: Volodymyr Soloviov
            Last Updated By: Joe Tom
            Votes: 0
            Watchers: 7
