Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-21611

npm proxy repository can rewrite metadata with incorrect "latest" value.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.19.1
    • Fix Version/s: None
    • Component/s: NPM
    • Labels:
    • Notability:
      2

      Description

      When an npm proxy repository rewrites metadata it seems to set the "latest" dist-tag to the highest semantic version, rather than the "latest" seen on the proxy's remote.

      Reproduce steps:

      1. Create a hosted npm repository with 'allow redeploy', and a proxy of that repository
      2. Publish 3 versions of a package to the hosted npm repository. I used versions 0.0.1, 0.0.2, and 0.0.3, published in that order
      3. Fetch the package metadata and all three package tarballs through the proxy.
      4. Verify that the proxy's metadata has 0.0.3 set as the latest
      5. Republish version 0.0.2 and delete version 0.0.3 in the hosted repository.

      This left me with versions 0.0.2 and 0.0.3 in the hosted repository, with 0.0.2 as the latest.

      I expired cache on the proxy, and refetched the metadata.

      Version 0.0.3 is seen as the latest in the proxy.

      I have attached a complete sonatype-work directory from a 3.19.1 instance that has the hosted and proxy repositories in this state.

      Workaround

      Delete the cached package from the proxy repository to force the proxy package metadata to be rebuilt from scratch. Using the UI is one way to do that.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              moncef Moncef Ben-Soula
              Reporter:
              rseddon Rich Seddon
              Last Updated By:
              Hajime Osako Hajime Osako
              Team:
              NXRM - Neo
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title