Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-24232

npm package metadata does not get updated when a package tarball is deleted

    XMLWordPrintable

    Details

    • Story Points:
      3
    • Notability:
      3

      Description

      Reproduce

      A remote npm registry supports package tarball unpublishing. In the case where an NXRM admin wants to delete an already cached package in their proxy of that remote, the already cached package metadata does not get updated when the package is deleted.

      Simulation:

      1. Create an NPM proxy repo
      2. Download an npm package metadata
      3. Download a version tgz tarball that is referenced in the versions list inside the metadata
      4. In the Browse view, navigate to the tgz file. Delete it.
      5. The browse view refreshes with the tgz removed.
      6. Try to download the npm package metadata again. Notice that it still has reference to the now deleted version.

      The problem is an npm project may define a semantic version dependency such as this:

      ^5.0.0

      If version 5.1.0 gets unpublished at remote, and then deleted by NXRM admin, and the npm package metadata in NXRM still lists 5.1.0 as available, an npm build will fail because it will get 404 for the 5.1.0 tgz file because a) it doesn't exist are remote, and b) NXRM no longer has it either.

      Expected

      Deleting a tgz that is cached locally should also expire the npm package metadata stored locally ( override the Metadata max age for that one detached npm package metadata asset ) such that the next request for it will trigger an outbound request from NXRM to the remote. Additionally the package metadata should be marked for rebuild on which the deleted versions will be removed from the package metadata.

      When NXRM detects that the remote no longer has a reference to a version it does, AND the local package is also deleted, the NXRM package metadata should also remove that specific version reference.( NEXUS-24234 )

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Dawid Sawa Dawid Sawa
              Team:
              NXRM - Mad Max
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated:
                Date of First Response:

                  tigCommentSecurity.panel-title