Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Package Latest Version not showing in All Versions
-
Hi Support,
We often have an issue showing up for a npm feed. The feed is a public cache feed of https://registry.npmjs.org with metadata caching enabled. What is happening is that on the feed when searching the package, it is showing the latest version.
When selecting that version, we get the following error.
Also, we cannot see the latest package when looking at All Versions.
This issue fixes itself over time. However, for example, this package is updated hourly, consumed as a dependency, and causes intermittent build issues in our CD/CI.
Regards Scott
-
Hi @scott-wright_8356 ,
This is unfortunately the consequence/downside with frequently-updated packages (like 2-3x daily updates of electron-to-chromium) and metadata caching.
The underlying issue is that different metadata queries have different cache expirations, so the search queries (e.g. "electron-" or "electron-to" or "chromium", etc) will not line up with index queries (e.g. "list electron-to-chromium versions"). There is no solution to this, aside from changing durations or disabling caching.
In general, we very strongly advise against developers "always using the latest version of packages they see", since that's a major attack vector for software supply chains. It also makes build reproducibility basically impossible and gives testing a headache. Instead, we encourage a package approval process where only approved packages are consumable by build servers, as opposed to whatever's the latest version on the net
Best,
Alana
