  1. Dev - Nexus Repo
  2. NEXUS-33917

npm group repository does not return correct latest version

    Details

    • Notability:
      2
    • InvestmentLayer:
      support-escalated
    • Aha Concept:
      non-concept

      Description

      SYMPTOM:

      After publishing a newer version into an NPM hosted repository, an NPM group repository that has this NPM hosted repository as a member does not show the newly published version in the "latest" tag.

      REPRODUCE STEPS:

      1. Install NXRM 3.40.1 with H2 (starting Nexus with "nexus.datastore.enabled=true")
      2. Create npm-hosted, npm-proxy, npm-group repositories
      3. Publish some dummy package:
        export _NEXUS_URL='http://localhost:8081/'
        cat << EOF > ./package.json
        {
          "name": "lodash-vulnerable",
          "version": "1.0.0",
          "description": "",
          "main": "index.js",
          "scripts": {
            "test": "echo \"Error: no test specified\" && exit 1"
          },
          "keywords": [],
          "author": "",
          "dependencies" : {
            "lodash": "4.17.4"
          },
          "license": "ISC",
          "publishConfig":{"registry":"${_NEXUS_URL%/}/repository/npm-hosted/"}
        }
        EOF
        
        npm publish --registry "${_NEXUS_URL%/}/repository/npm-hosted/" -ddd
        
      4. Confirm npm-hosted and npm-group both show "1.0.0"
        curl -s "${_NEXUS_URL%/}/repository/npm-hosted/lodash-vulnerable" | python -m json.tool | grep '"latest"'
        curl -s "${_NEXUS_URL%/}/repository/npm-group/lodash-vulnerable" | python -m json.tool | grep '"latest"'
        
      5. Publish newer version
        sed -i.bak 's/"version": "1.0.0"/"version": "1.1.0"/' ./package.json
        npm publish --registry "${_NEXUS_URL%/}/repository/npm-hosted/" -ddd
        
      6. Again, check the latest versions for npm-hosted and npm-group with curl

      EXPECTED BEHAVIOUR:

      Following the repro steps above, the "npm-group" should show 1.1.0.

      ACTUAL BEHAVIOUR:

      The npm-group repo shows 1.0.0.
      NOTE: 3.38.0 returns expected 1.1.0.

      WORKAROUND:

      Click [ Invalidate cache ] from the npm-group repository config page.
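
The check in steps 4 and 6, written as a script that compares the hosted and group metadata for the same package and flags a stale group response. This is an added example, not part of the original report or of Nexus itself; the function names and the sample documents are constructed for illustration, and it assumes the package exists only in the hosted member, as in the repro.

```python
import json
import urllib.request

# Constructed sample packuments (not captured from a real Nexus instance),
# trimmed to the two fields the check reads.
HOSTED_SAMPLE = json.dumps({"name": "lodash-vulnerable",
                            "dist-tags": {"latest": "1.1.0"},
                            "versions": {"1.0.0": {}, "1.1.0": {}}})
GROUP_STALE_SAMPLE = json.dumps({"name": "lodash-vulnerable",
                                 "dist-tags": {"latest": "1.0.0"},
                                 "versions": {"1.0.0": {}}})


def fetch_packument(base_url, repo, package):
    """GET the package metadata, same URL shape as the curl calls above."""
    url = f"{base_url.rstrip('/')}/repository/{repo}/{package}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def summarize(packument_text):
    """Return (latest dist-tag or None, set of version strings)."""
    doc = json.loads(packument_text)
    latest = (doc.get("dist-tags") or {}).get("latest")
    return latest, set(doc.get("versions") or {})


def compare_group_to_hosted(hosted_text, group_text):
    """Compare what the group serves against its hosted member.

    Assumption: the package is published only to the hosted member, so the
    group should report the same "latest" and at least the same versions.
    If a proxy member also carries the package, rely on missing_in_group.
    """
    hosted_latest, hosted_versions = summarize(hosted_text)
    group_latest, group_versions = summarize(group_text)
    missing = sorted(hosted_versions - group_versions)
    latest_differs = hosted_latest != group_latest
    return {
        "hosted_latest": hosted_latest,
        "group_latest": group_latest,
        "latest_differs": latest_differs,
        "missing_in_group": missing,
        "stale": latest_differs or bool(missing),
    }


if __name__ == "__main__":
    print(compare_group_to_hosted(HOSTED_SAMPLE, GROUP_STALE_SAMPLE))
```

Against a live instance, pass the output of `fetch_packument(url, "npm-hosted", name)` and `fetch_packument(url, "npm-group", name)` to `compare_group_to_hosted`; a stale result after a publish is the condition the workaround clears.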

              People

              Assignee: Grace Lee (glee)
              Reporter: Hajime Osako (hosako)
              CC: Piotr Jaromin
              Last Updated By: Joe Tom
              Owner: Grace Lee
              Votes: 0
              Watchers: 13
