  1. Dev - Nexus Repo
  2. NEXUS-28840

NX2: rebuild hosted npm metadata task can generate invalid version entries for some valid semantic versions


    Details

    • Story Points:
      3
    • Sprint:
      NXRM Neo Sprint 17, NXRM Neo Sprint 16
    • Notability:
      2

      Description

      Problem

      The rebuild hosted npm metadata task is intended to rebuild package metadata using only the existing tgz package files on disk in storage.

      If the tgz file contains a valid package.json whose version value includes a "+" <build> portion, then the resulting package-level metadata will contain two version entries instead of just one:
      1. one that includes the complete semantic version string (unexpected)
      2. one that includes the semantic version string without the build portion (expected)

      (See https://semver.org/#backusnaur-form-grammar-for-valid-semver-versions for the definition of the build part of a version.)

      Reproduce

      1. Start with a test package.json in a local dir that includes this valid semantic version 1.0.87-test.1250+43260ff:
        {
          "name": "test-package",
          "version": "1.0.87-test.1250+43260ff",
          "description": "test-package description",
          "main": "index.js",
          "scripts": {
            "test": "echo \"Error: no test specified\" && exit 1"
          },
          "author": "Barney Rubble <b@example.com> (http://barnyrubble.example.com/)",
          "keywords": [
            "special",
            "sauce"
          ],
          "license": "ISC",
          "dependencies": {
            "date-fns": "^2.12.0",
            "grunt": "^1.0.0-rc1"
          }
        }
        
      2. Have an NXRM 2 instance running with a hosted npm repo at https://localhost:8081/nexus/content/repositories/npmjs-internal - repo version 2.14.13 was used during this test.
      3. Configure the npm CLI with suitable credentials.
      4. npm publish --registry https://localhost:8081/nexus/content/repositories/npmjs-internal
      5. Verify the package metadata retrieved from https://localhost:8081/nexus/content/repositories/npmjs-internal/test-package only contains one version, listed as 1.0.87-test.1250 (not 1.0.87-test.1250+43260ff). This is expected and normal; it is exactly how the official registry behaves when deploying a package there with the same version.
      6. Verify the tarball URL in the package metadata refers to this URL http://localhost:8081/nexus/content/repositories/npmjs-internal/test-package/-/test-package-1230.0.87-test.1250.tgz and that downloading it works.
      7. Now stop NXRM, and move the sonatype-work/nexus/db/npm directory aside.
      8. Start NXRM and manually run a rebuild hosted npm metadata task against the npmjs-internal repo.
      9. Now download the package metadata. Notice that it now references 2 available versions instead of 1:
        "1.0.87-test.1250+43260ff"
        "1.0.87-test.1250"
        With the following tarball URLs:
        http://localhost:8081/nexus/content/repositories/npmjs-internal/test-package/-/test-package-1.0.87-test.1250.tgz
        http://localhost:8081/nexus/content/repositories/npmjs-internal/test-package/-/test-package-1.0.87-test.1250+43260ff.tgz

      Problem: http://localhost:8081/nexus/content/repositories/npmjs-internal/test-package/-/test-package-1.0.87-test.1250+43260ff.tgz will return 404 and should not be present as an available version.

       

      Migration to NXRM 3

      When this type of package metadata is migrated to NXRM 3.33.1 Postgres, the result is

      • /repository/npmjs-internal/test-package/-/test-package-1.0.87-test.1250.tgz can be downloaded from NXRM 3
      • package metadata at /repository/npmjs-internal/test-package will also list two versions being available ( garbage in and garbage out ) - which is wrong.

       

      Expected

      The rebuild metadata task should produce package metadata whose available versions match what the package metadata listed before it was rebuilt with the task.
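
      As an added example (not part of the original issue and not Nexus code), this JavaScript check flags version keys in package metadata that carry a "+" build portion, the symptom the rebuild task leaves behind in the reproduce steps above, so affected packages can be found before migration. The helper name auditPackument and the sample metadata are constructed for illustration; the versions/dist.tarball layout is the standard npm package document shape.

```javascript
// SemVer 2.0.0 pattern as published on semver.org; group 5 is the "+<build>" part.
const SEMVER = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

// Constructed sample: package metadata as it looks after the rebuild task has run.
const SAMPLE = {
  name: 'test-package',
  versions: {
    '1.0.87-test.1250': { dist: { tarball:
      'http://localhost:8081/nexus/content/repositories/npmjs-internal/test-package/-/test-package-1.0.87-test.1250.tgz' } },
    '1.0.87-test.1250+43260ff': { dist: { tarball:
      'http://localhost:8081/nexus/content/repositories/npmjs-internal/test-package/-/test-package-1.0.87-test.1250+43260ff.tgz' } },
  },
};

// Hypothetical helper: report every version key a registry should not be listing.
function auditPackument(packument) {
  const versions = packument.versions || {};
  const findings = [];
  for (const key of Object.keys(versions)) {
    const m = SEMVER.exec(key);
    if (!m) {
      findings.push({ version: key, reason: 'not-semver' });
      continue;
    }
    if (m[5] === undefined) continue; // no build portion: key is fine
    const stripped = key.slice(0, key.indexOf('+'));
    findings.push({
      version: key,
      reason: 'build-metadata-in-version-key',
      expectedKey: stripped,
      // true when the correct entry also exists, i.e. the duplicate described above
      duplicateOfExisting: Object.prototype.hasOwnProperty.call(versions, stripped),
      tarball: (versions[key].dist || {}).tarball || null, // URL expected to 404
    });
  }
  return findings;
}

console.log(auditPackument(SAMPLE));
```

      Run it over each package document fetched from the hosted repo; any finding with duplicateOfExisting set marks an entry whose tarball URL should be expected to return 404.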

       

              People

              Assignee:
              ataylor Andrew Taylor
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Eugene Bulatnikov
              Team:
              NXRM - Neo
              Votes:
              0
              Watchers:
              5
