Affects Version/s: 3.22.1
Fix Version/s: 3.38.0
Sprint: NXRM MadMax Sprint 23, NXRM MadMax Sprint 25
A remote npm registry supports package tarball unpublishing. In the case where an NXRM admin wants to delete an already cached package in their proxy of that remote, the already cached package metadata does not get updated when the package is deleted.
1. Create an NPM proxy repo
2. Download an npm package metadata
3. Download a version tgz tarball that is referenced in the versions list inside the metadata
4. In the Browse view, navigate to the tgz file. Delete it.
5. The browse view refreshes with the tgz removed.
6. Try to download the npm package metadata again. Notice that it still has a reference to the now-deleted version.
The problem is an npm project may define a semantic version dependency such as this:
If version 5.1.0 gets unpublished at the remote and is then deleted by an NXRM admin, while the npm package metadata in NXRM still lists 5.1.0 as available, an npm build will fail with a 404 for the 5.1.0 tgz file because a) it doesn't exist at the remote, and b) NXRM no longer has it either.
Deleting a tgz that is cached locally should also expire the npm package metadata stored locally (override the Metadata max age for that one detached npm package metadata asset) such that the next request for it will trigger an outbound request from NXRM to the remote. Additionally, the package metadata should be marked for rebuild, during which the deleted versions will be removed from the package metadata.
When NXRM detects that the remote no longer has a reference to a version that NXRM still references, AND the local package is also deleted, the NXRM package metadata should also remove that specific version reference.
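The rebuild rule in the last two paragraphs, as an added JavaScript example (not Nexus Repository code): a version is dropped only when the remote no longer lists it and the local tarball is gone. The function name, package name and sample metadata are constructed for illustration, and the dist-tag handling is an assumption the ticket does not spell out.

```javascript
// Added illustration, not Nexus Repository code; all names here are hypothetical.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);

// Drop a version from the cached metadata only when the remote no longer lists
// it AND the local tarball is gone; a still-cached tarball stays installable.
function pruneUnpublished(cached, remote, localTarballs) {
  const result = JSON.parse(JSON.stringify(cached)); // deep copy, input untouched
  result.versions = result.versions || {};
  const removed = [];
  for (const version of Object.keys(result.versions)) {
    if (!has(remote.versions, version) && !localTarballs.has(version)) {
      delete result.versions[version];
      if (result.time) delete result.time[version];
      removed.push(version);
    }
  }
  // Assumption: a dist-tag must not point at a removed version, so adopt the
  // remote's target when it is still listed here, otherwise drop the tag.
  const tags = result["dist-tags"] || {};
  for (const [tag, version] of Object.entries(tags)) {
    if (!removed.includes(version)) continue;
    const remoteTarget = (remote["dist-tags"] || {})[tag];
    if (remoteTarget && has(result.versions, remoteTarget)) tags[tag] = remoteTarget;
    else delete tags[tag];
  }
  return { packument: result, removed };
}

// Constructed sample: the remote unpublished 5.0.0 and 5.1.0; the proxy still
// holds the 5.0.0 tarball, and the admin deleted the cached 5.1.0 tarball.
const cachedMeta = {
  name: "example-pkg",
  "dist-tags": { latest: "5.1.0" },
  versions: { "5.0.0": {}, "5.0.1": {}, "5.1.0": {} },
  time: { "5.0.0": "2020-01-01T00:00:00Z", "5.1.0": "2020-03-01T00:00:00Z" },
};
const remoteMeta = {
  name: "example-pkg",
  "dist-tags": { latest: "5.0.1" },
  versions: { "5.0.1": {} },
};
const outcome = pruneUnpublished(cachedMeta, remoteMeta, new Set(["5.0.0"]));
console.log(outcome.removed, Object.keys(outcome.packument.versions));
```

A semver range that previously resolved to 5.1.0 now resolves against the pruned version list, so the client no longer requests a tarball that returns 404.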