Would be great to have this option to use npm audit. ProGet is used in a corporate environment, where security is a pretty high priority, so not having npm audit
working is kind of a deal-breaker, IMO.
Maxim Mazurok
@maxim_mazurok
Best posts made by maxim_mazurok
Latest posts made by maxim_mazurok
-
RE: NPM Audit
-
RE: NPM package version not available: unsupported archive type
This is what fixed the issue:
After pulling the package last week, I deleted it and re-pulled just now
-
RE: NPM package version not available: unsupported archive type
Is this a cached package from a connector or did you upload this package directly?
It is a cached package from a connector, we didn't upload this package directly.
Has this version always been a problem or is this new?
This has worked before, as it was added to the lock file with the correct resolved URL and correct SHA, so I believe it's a new issue.
Our guys have fixed the issue somehow, I'll let you know the details of the fix once I have them. Thanks!
-
NPM package version not available: unsupported archive type
ProGet Version 5.2.18 (Build 2)
User getting error:
npm WARN tarball tarball data for node-ipc@http://proget.wtg.zone/npm/Registry/node-ipc/-/node-ipc-9.1.3.tgz (sha512-8RS4RZyS/KMKKYG8mrje+cLxwATe9dBCuOiqKFSWND4oOuKytfuKCiR9yinvhoXF/nGdX/WnbywaUee+9U87zA==) seems to be corrupted. Trying again.
npm WARN tarball tarball data for node-ipc@http://proget.wtg.zone/npm/Registry/node-ipc/-/node-ipc-9.1.3.tgz (sha512-8RS4RZyS/KMKKYG8mrje+cLxwATe9dBCuOiqKFSWND4oOuKytfuKCiR9yinvhoXF/nGdX/WnbywaUee+9U87zA==) seems to be corrupted. Trying again.
npm ERR! code EINTEGRITY
npm ERR! sha512-8RS4RZyS/KMKKYG8mrje+cLxwATe9dBCuOiqKFSWND4oOuKytfuKCiR9yinvhoXF/nGdX/WnbywaUee+9U87zA== integrity checksum failed when using sha512: wanted sha512-8RS4RZyS/KMKKYG8mrje+cLxwATe9dBCuOiqKFSWND4oOuKytfuKCiR9yinvhoXF/nGdX/WnbywaUee+9U87zA== but got sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==. (0 bytes)
http://proget.wtg.zone/feeds/Registry/node-ipc/9.1.2 - exists
http://proget.wtg.zone/feeds/Registry/node-ipc/9.1.3 - doesn't exist, returns 404
http://proget.wtg.zone/feeds/Registry/node-ipc/9.1.4 - exists
The SHA that we're getting is for an empty file. I tried to download http://proget.wtg.zone/npm/Registry/node-ipc/-/node-ipc-9.1.3.tgz manually and it's empty: 0 bytes. So the local cache is not the issue.
Workarounds:
- update the package to any other version
- use npmjs.com registry (https://registry.npmjs.org/node-ipc/-/node-ipc-9.1.3.tgz works and matches sha)
Also, guys in charge of our ProGet install confirmed that this is an internal ProGet error:
System.InvalidOperationException: unsupported archive type at Inedo.ProGet.WebApplication.SimpleHandlers.PackageFiles.InedoArchiveFactory.Open(Stream stream)
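An added example, not part of the original post and not ProGet or npm code: it recomputes the npm-style integrity string for a downloaded tarball and tells a zero-byte response, like the one in the error above, apart from a real content mismatch. The function names and the sample buffers are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// npm-style integrity string: "<algo>-<base64 digest>".
function sri(buf, algo = "sha512") {
  return `${algo}-${crypto.createHash(algo).update(buf).digest("base64")}`;
}

// Integrity of a zero-length body. This is the "but got" value in the
// EINTEGRITY error quoted in the post.
const EMPTY_SHA512 = sri(Buffer.alloc(0));

// Classify a downloaded tarball against the lock file's integrity value.
// Assumes a single "<algo>-<digest>" entry, as in the error above.
function checkTarball(body, wanted) {
  const algo = wanted.split("-")[0];
  const got = sri(body, algo);
  if (got === wanted) return { ok: true, reason: "match", got };
  if (body.length === 0) return { ok: false, reason: "empty-body", got };
  // A .tgz is gzip data and starts with the magic bytes 1f 8b.
  const isGzip = body.length >= 2 && body[0] === 0x1f && body[1] === 0x8b;
  return { ok: false, reason: isGzip ? "content-mismatch" : "not-a-gzip-tarball", got };
}

// Constructed sample data (not real package contents).
const WANTED = "sha512-8RS4RZyS/KMKKYG8mrje+cLxwATe9dBCuOiqKFSWND4oOuKytfuKCiR9yinvhoXF/nGdX/WnbywaUee+9U87zA==";
const fakeTgz = Buffer.from([0x1f, 0x8b, 0x08, 0x00, 0x01, 0x02, 0x03]);
const errorPage = Buffer.from("<html>500 Internal Server Error</html>");

console.log(checkTarball(Buffer.alloc(0), WANTED).reason); // zero-byte response
console.log(checkTarball(errorPage, WANTED).reason);       // non-tarball body
console.log(checkTarball(fakeTgz, sri(fakeTgz)).reason);   // digest agrees
```

A result of "empty-body" points at the registry or proxy rather than at tampering or a stale local cache, which is the conclusion the post reaches by downloading the file manually.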
-
RE: NPM Connector returns plus "+" in versions
- It's not really an easy workaround since I'm not the admin of ProGet in my organization. Also, what will happen to the updates of that package? Will I have to reupload every new version?
- It breaks compatibility with original npm, meaning that I can't use the same package.json file with both ProGet registry and npmjs.
- If there's a concern about unknown regressions, it can be solved by issuing a major release with release notes. Alternatively, you can support both variants by leaving both "x.x.x+x.x.x" and "x.x.x" in the resulting JSON output.
That being said, I've analyzed all 1 240 000+ packages in our ProGet and @hot-loader/react-dom indeed seems to be the only one with "+" in the version field.
Also, I've performed the same check for all packages in npmjs repo, and none of them reported "+" in the version (as expected).
Now, because it's confirmed to be the only package with a "+" sign in the version - I think it's reasonable to open an issue in their repo.
-
RE: NPM Connector returns plus "+" in versions
@atripp I'm not the owner of this package so I personally can't republish, I can only open an issue/PR and ask them not to use this build metadata approach. Which will make no sense, because it's completely legal and handled appropriately by npmjs server and npm client.
What do you mean when you say that it works with older/newer npm client? It doesn't work for me, using the latest npm client. I'm getting an error that the package with that version could not be found (when using ProGet repository) and it obviously works fine when I use the default npmjs repository.
So, don't you think that ProGet should act like npmjs? If npm doesn't work with ProGet in this case, what kind of regression could be possible after the fix? I can only see a positive outcome, unless some folks already use build metadata in their package.json
-
RE: NPM Connector returns plus "+" in versions
@atripp It is the only package that causes us problems.
This "+" is used to specify related package version, as seen here: https://github.com/hot-loader/react-dom/blob/d33208f02ebef963cdd3e91980b6d2a588588409/auto-publish/utils.js#L234
4.12.12 is coming from the package.json: https://unpkg.com/@hot-loader/react-dom@16.13.0/package.json
I wish we had access to npmjs to see if they are parsing semver and then returning only <version core> from:
<valid semver> ::= <version core>
                 | <version core> "-" <pre-release>
                 | <version core> "+" <build>
                 | <version core> "-" <pre-release> "+" <build>
Could we do something similar in ProGet?
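An added example, not part of the original post and not ProGet or npm code: it parses version strings against the grammar quoted above, strips the "+" build part, and scans the "versions" keys of a registry metadata document for entries that still carry build metadata. It keeps the pre-release part, since only build metadata is ignored when semver compares versions; the regular expression is a simplified reading of the grammar, and the function names and sample documents are constructed.

```javascript
// <major>.<minor>.<patch>, optional "-<pre-release>", optional "+<build>".
const SEMVER = new RegExp(
  "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)" +
  "(?:-([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?" +
  "(?:\\+([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?$"
);

function parse(v) {
  const m = SEMVER.exec(v);
  if (!m) return null;
  return { core: `${m[1]}.${m[2]}.${m[3]}`, pre: m[4] || null, build: m[5] || null };
}

// Drop the build part only: "16.13.0+4.12.20" becomes "16.13.0".
function stripBuild(v) {
  const p = parse(v);
  if (!p) return null;
  return p.pre ? `${p.core}-${p.pre}` : p.core;
}

// Flag version keys that a client asking for the plain version would not find,
// and keys that would collide once the build part is removed.
function auditVersions(doc) {
  const findings = [];
  const seen = new Map();
  for (const key of Object.keys(doc.versions || {})) {
    const p = parse(key);
    if (!p) { findings.push({ key, issue: "not-semver" }); continue; }
    const normalized = stripBuild(key);
    if (p.build) findings.push({ key, issue: "build-metadata", normalized });
    if (seen.has(normalized)) {
      findings.push({ key, issue: "collides-with", other: seen.get(normalized) });
    } else {
      seen.set(normalized, key);
    }
  }
  return findings;
}

// Constructed documents shaped like the two responses compared in the thread.
const PROGET_STYLE = { name: "@hot-loader/react-dom", versions: { "16.13.0+4.12.20": {} } };
const NPMJS_STYLE = { name: "@hot-loader/react-dom", versions: { "16.13.0": {} } };

console.log(auditVersions(PROGET_STYLE));
console.log(auditVersions(NPMJS_STYLE));
```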
-
NPM Connector returns plus "+" in versions
When trying to install @hot-loader/react-dom@16.13.0 from our proget npm registry, I'm getting error:
@hot-loader/react-dom: No matching version found for @hot-loader/react-dom@16.13.0
Installing it from npmjs registry works.
When comparing two responses, I can see that our registry reports version with a plus sign in the middle, and I think that's why npm/cli doesn't understand that it should use this version:
- http://proget.wtg.zone/npm/Registry/@hot-loader/react-dom/
"versions": {"16.13.0+4.12.20": ...
- https://registry.npmjs.org/@hot-loader/react-dom/
"versions": ... {"16.13.0": ...
I'm using Proget Version 5.2.18 (Build 2)
Does it look like a Proget / NPM Connector bug?
Where should I report it?
Is there anything I can do to fix it?
Thanks!