Dev - Nexus Repo: NEXUS-8625

Allow fetching of tarballs from incomplete NPM packages

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.11.2
    • Fix Version/s: 2.11.3
    • Component/s: NPM
    • Labels:
      None
    • Story Points:
      1
    • Sprint:
      Sprint 43

      Description

      Currently we disallow fetching of tarballs from incomplete NPM packages, where a package is considered incomplete if at least one of its versions doesn't define a tarball distribution.

      We should instead disallow fetching only of tarballs whose specific version is incomplete, rather than banning the whole package when all of its other versions are complete.

      Recreate instructions:

      • Install Nexus and add an NPM proxy repository for https://registry.npmjs.org/ and then add it to an NPM group (called npm)
      • Accessing chokidar package root should pass: curl 'http://127.0.0.1:8081/nexus/content/groups/npm/chokidar'
      • Now download the registry root: curl 'http://127.0.0.1:8081/nexus/content/groups/npm/-/all' (will take a while)
      • Accessing chokidar package root should now fail: curl 'http://127.0.0.1:8081/nexus/content/groups/npm/chokidar'
      • Accessing chokidar tarball should also fail: http://127.0.0.1:8081/nexus/content/groups/npm/chokidar/-/chokidar-0.6.3.tgz

      Original cause: the npmjs registry root declares basic version metadata for all packages, and Nexus distributes this partial metadata across the package roots when the registry root is fetched. If you then request a particular package root (say chokidar), Nexus overlays the full package metadata on top of the partial metadata from the registry root. For almost all packages this means the partial version metadata from the registry root is replaced with full version metadata from the package root. However, the chokidar and phantomjs packages each have a version listed in the registry root that doesn't appear in their package root. This leaves an incomplete version in the merged package root, which then causes Nexus to refuse to serve any tarballs from that package.

      Acceptance test: with this fix, the last two requests above succeed.
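      The overlay described above, and the difference between the old per-package check and the fixed per-version check, as an added example in JavaScript (not Nexus code, and not the project's actual merge logic). The package name, tarball URLs and function names are constructed for illustration; the metadata shapes follow the npm registry document format, where each version entry carries a `dist.tarball` field.

```javascript
// Added example (not Nexus code): a registry-root version entry with no match
// in the package root survives the overlay as an incomplete version; a
// per-package serve check then blocks every tarball, a per-version check
// blocks only the incomplete one.

// Constructed sample: what the registry root (/-/all) says about a package.
// It lists version names but carries no "dist" section for any of them.
const registryRootEntry = {
  name: "example-pkg",
  versions: { "0.6.3": {}, "1.0.0": {}, "1.0.1": {} },
};

// Constructed sample: the package root, which defines a tarball per version.
// "0.6.3" is deliberately absent here, mirroring the chokidar case above.
const packageRootEntry = {
  name: "example-pkg",
  versions: {
    "1.0.0": { dist: { tarball: "https://registry.example/example-pkg/-/example-pkg-1.0.0.tgz" } },
    "1.0.1": { dist: { tarball: "https://registry.example/example-pkg/-/example-pkg-1.0.1.tgz" } },
  },
};

// Overlay: full package-root entries replace partial entries version by
// version; a version known only from the registry root keeps its partial entry.
function overlayMetadata(partial, full) {
  const versions = { ...partial.versions };
  for (const [ver, meta] of Object.entries(full.versions)) {
    versions[ver] = meta;
  }
  return { name: full.name, versions };
}

// A version is complete when it names a tarball distribution.
function versionHasTarball(meta) {
  return Boolean(meta && meta.dist && typeof meta.dist.tarball === "string");
}

// Versions of a merged document that lack a tarball (diagnostic helper).
function incompleteVersions(pkg) {
  return Object.entries(pkg.versions)
    .filter(([, meta]) => !versionHasTarball(meta))
    .map(([ver]) => ver);
}

// Old behaviour (2.11.2): one incomplete version bans every tarball.
function canServeTarballPerPackage(pkg, version) {
  const allComplete = Object.values(pkg.versions).every(versionHasTarball);
  return allComplete && versionHasTarball(pkg.versions[version]);
}

// Fixed behaviour (2.11.3): only the requested version must be complete.
function canServeTarballPerVersion(pkg, version) {
  return versionHasTarball(pkg.versions[version]);
}

const merged = overlayMetadata(registryRootEntry, packageRootEntry);

// Stand-alone run: show which versions are incomplete and how each policy
// answers a request for a complete version.
console.log("incomplete versions:", incompleteVersions(merged));
console.log("per-package serve 1.0.0:", canServeTarballPerPackage(merged, "1.0.0"));
console.log("per-version serve 1.0.0:", canServeTarballPerVersion(merged, "1.0.0"));
console.log("per-version serve 0.6.3:", canServeTarballPerVersion(merged, "0.6.3"));
```

      Run with `node` to see that the per-package policy refuses `1.0.0` solely because `0.6.3` is incomplete, while the per-version policy serves `1.0.0` and `1.0.1` and refuses only `0.6.3` (and unknown versions).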


              People

              Assignee:
              jtom Joe Tom
              Reporter:
              mcculls Stuart McCulloch
              Last Updated By:
              Peter Lynch Peter Lynch
              Votes:
              0
              Watchers:
              4

