NEXUS-8625

Allow fetching of tarballs from incomplete NPM packages


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.11.2
    • Fix Version/s: 2.11.3
    • Component/s: NPM
    • Sprint: Sprint 43


      Currently we disallow fetching of tarballs from incomplete NPM packages, where a package is considered incomplete if at least one of its versions does not define a tarball distribution.

      We should instead disallow fetching only those tarballs whose specific version is incomplete, rather than banning a whole package whose versions might all be complete except for one.

      Recreate instructions:

      • Install Nexus and add an NPM proxy repository for https://registry.npmjs.org/ and then add it to an NPM group (called npm)
      • Accessing chokidar package root should pass: curl ''
      • Now download the registry root: curl '' (will take a while)
      • Accessing chokidar package root should now fail: curl ''
      • Accessing chokidar tarball should also fail:

      Original cause: the npmjs registry root declares basic version metadata for all packages, and Nexus distributes this partial metadata across the package roots when the registry root is fetched. If you then request a particular package root (say chokidar), Nexus will overlay the full package metadata on the partial metadata from the registry root. For almost all packages this means that the partial version metadata from the registry root is replaced with full version metadata from the package root. However, the chokidar and phantomjs packages each have a version listed in the registry root that doesn't appear in their package root. This leaves an incomplete version in the merged package root, which then causes Nexus to fail to serve any tarballs from that package.

      Acceptance test: with this fix these last two failures are fixed.
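The overlay and the two availability policies described above, as an added sketch that is not Nexus source code. The version numbers, the `registry.example` URLs and all function names are constructed for illustration; only the package name and the merge behaviour come from this issue.

```javascript
// Added illustration, not Nexus code. Versions and URLs below are constructed.

// Partial entry as distributed from the registry root: no dist.tarball on any version.
const fromRegistryRoot = {
  name: 'chokidar',
  versions: { '1.0.0': {}, '1.0.1': {}, '9.9.9': {} }, // '9.9.9' is missing from the package root
};

// Full metadata as served by the package root.
const fromPackageRoot = {
  name: 'chokidar',
  versions: {
    '1.0.0': { dist: { tarball: 'https://registry.example/chokidar/-/chokidar-1.0.0.tgz' } },
    '1.0.1': { dist: { tarball: 'https://registry.example/chokidar/-/chokidar-1.0.1.tgz' } },
  },
};

// Overlay: full version metadata replaces partial; versions known only to the
// registry root survive the merge and stay incomplete.
function overlay(partial, full) {
  return { ...partial, ...full, versions: { ...partial.versions, ...full.versions } };
}

// A version is complete when it defines a tarball distribution.
function isVersionComplete(meta) {
  return Boolean(meta && meta.dist && typeof meta.dist.tarball === 'string' && meta.dist.tarball);
}

// Reported behaviour: one incomplete version blocks every tarball of the package.
function tarballPackageLevel(pkg, version) {
  const allComplete = Object.values(pkg.versions).every(isVersionComplete);
  return allComplete && isVersionComplete(pkg.versions[version])
    ? pkg.versions[version].dist.tarball : null;
}

// Requested behaviour: only the requested version has to be complete.
function tarballVersionLevel(pkg, version) {
  const known = Object.prototype.hasOwnProperty.call(pkg.versions, version);
  const meta = known ? pkg.versions[version] : undefined;
  return isVersionComplete(meta) ? meta.dist.tarball : null;
}

const merged = overlay(fromRegistryRoot, fromPackageRoot);
console.log(tarballPackageLevel(merged, '1.0.0'), tarballVersionLevel(merged, '1.0.0'));
```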
              jtom Joe Tom
              mcculls Stuart McCulloch
              Last Updated By:
              Peter Lynch