  1. Dev - Nexus Repo
  2. NEXUS-24188

npm proxy to a remote with package metadata containing tarball URLs with query fragment causes 404 not found

    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.9.0, 3.24.0
    • Fix Version/s: None
    • Component/s: NPM
    • Notability: 3

      Description

      It has been reported that Artifactory instances may serve npm package metadata that contains tarball URLs of this form:

      https://example.com/jquery/-/jquery-3.5.1.tgz?dl=https%3A%2F%2Fregistry.npmjs.org%2Fjquery%2F-%2Fjquery-3.5.1.tgz
      

      When one creates an NPM proxy repository to such a remote registry serving this type of package metadata, NXRM will not properly resolve the available package versions. Valid package versions listed in the package metadata file will return 404 from NXRM.

      When the most recent available NPM CLI at the time of this report (6.14.5) receives such package metadata, the CLI is able to work with URLs of this form.

      Expected

      Properly locate and serve available versions of packages despite their tarball URLs containing query data.

      Workaround

      NXRM 2 is able to proxy npm packages with tarball URLs with query params. One could use this type of proxying setup: NXRM 3 -> NXRM 2 -> Remote serving query data URLs
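
The behavior described under Expected, as an added example that is not part of the original report and is not NXRM code: a version lookup that derives the tarball file name from the URL path only and keeps the full upstream URL, query included, for the remote fetch. The report does not say where NXRM's lookup fails, so `naiveTarballName` is a hypothetical stand-in for contrast; all function names and the sample metadata are constructed.

```javascript
// Constructed sample of the metadata shape in the report (abridged packument).
const samplePackument = {
  name: 'jquery',
  versions: {
    '3.5.1': {
      dist: {
        tarball: 'https://example.com/jquery/-/jquery-3.5.1.tgz' +
          '?dl=https%3A%2F%2Fregistry.npmjs.org%2Fjquery%2F-%2Fjquery-3.5.1.tgz',
      },
    },
  },
};

// Hypothetical naive derivation: everything after the last "/" in the raw
// string. With a query string present, the result is not a tarball file name.
function naiveTarballName(tarballUrl) {
  return tarballUrl.slice(tarballUrl.lastIndexOf('/') + 1);
}

// Query-tolerant derivation: parse the URL and use only the path component.
function tarballNameFromPath(tarballUrl) {
  const { pathname } = new URL(tarballUrl);
  return pathname.slice(pathname.lastIndexOf('/') + 1);
}

// Build a file name -> { version, upstream } index. The file name is matched
// against the client request; upstream keeps the advertised URL unchanged so
// the remote still receives its query data.
function indexTarballs(packument, deriveName) {
  const index = new Map();
  for (const [version, meta] of Object.entries(packument.versions || {})) {
    const upstream = meta && meta.dist && meta.dist.tarball;
    if (typeof upstream !== 'string') continue; // skip malformed entries
    index.set(deriveName(upstream), { version, upstream });
  }
  return index;
}

// Resolve a client request such as "/jquery/-/jquery-3.5.1.tgz".
// A null result corresponds to the proxy answering 404.
function resolveRequest(packument, requestPath, deriveName) {
  const wanted = requestPath.slice(requestPath.lastIndexOf('/') + 1);
  return indexTarballs(packument, deriveName).get(wanted) || null;
}
```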

            People

            Assignee: Unassigned
            Reporter: Peter Lynch (plynch)
            Last Updated By: Armin Kunkel
            Votes: 4
            Watchers: 7