Imagine an Azure DevOps feed (MyFeed) of npm packages with two views: Local and Release. This feed has an upstream source, https://registry.npmjs.org/. Two packages (@scope/a and @scope/b) are already published and are in the Local view. Both of them directly depend on the prop-types package from npmjs:
"dependencies": {
"prop-types": "^15.7.2"
},
"peerDependencies": {
"react": "^16.12.0",
...
}
Packages "a" and "b" are installed, built (e.g. with Storybook) and deployed to some test environment for review. During installation of the packages their dependency prop-types is saved from the upstream to the Local view of the feed.
Let's assume that package "a" passes review and is promoted to the @Release view. Then I try to install it into the main project, which is connected to MyFeed@Release. But the installation fails, because prop-types is still in the Local view:
$ npm i @scope/a
npm ERR! code E404
npm ERR! 404 Not Found - GET https://*/*/_packaging/MyFeed%40Release/npm/registry/prop-types - NotFound
npm ERR! 404
npm ERR! 404 'prop-types@^15.7.2' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 It was specified as a dependency of '@scope/a'
The only way to start using package "a" is to promote all of its dependencies to the same view (package "b" still installs correctly after that). But shouldn't this be done automatically? Or is there a workaround to use unpromoted (Local) upstream packages? There could be plenty of dependencies on public packages from npmjs, which can hardly be managed manually.
Maybe I should create another feed, connected to npmjs and use it "in front" of MyFeed, like so:
npmjs <- MyUpstreamFeed (with Local view only) <- MyFeed (not directly connected to npmjs).
I am getting 6 vulnerabilities after running npm audit report:
I tried a solution and overridden the vulnerable versions of a particular package with their latest versions in package.json file like this:
"overrides": {
"nth-check": "2.1.1",
"@svgr/webpack": "6.5.1",
"@svgr/plugin-svgo": "6.5.1",
"svgo": "3.0.1",
"css-select": "5.1.0"
}
Then I updated the npm packages with npm update. But it did not change the result.
Tried another solution by making a resolutions object in package.json, specifying specific versions of a particular package, and ran it using npx i npm-force-resolutions, but it gives this error:
npm ERR! could not determine executable to run.
But I am still unable to fix the npm vulnerabilities. Please help!
You should delete both node_modules and package-lock.json before launching npm install again; this will require more time to install all dependencies, but it will override all the versions that are currently installed (it will also bring minor updates in dependencies).
Also, for this vulnerability, you only need to override nth-check. You can see the changes by executing npm list nth-check with and without the override (remember to delete both node_modules and package-lock.json).
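The two questions above (which packages must be promoted together with @scope/a, and which copies of nth-check are actually installed before and after the override) are both answered by reading package-lock.json. The following is an added example, not code from either post: a small reader for lockfileVersion 2 or 3 files (the ones with a "packages" map keyed by path) that computes the transitive "dependencies" of a package as resolved in the lockfile, and lists every installed copy of a package, nested ones included, the way `npm list nth-check` does. SAMPLE_LOCK is a constructed lockfile; the package names, versions and the nesting under svgo are assumptions for the demo, not data from a real project.

```javascript
// Added example (not from the original posts): a package-lock.json v2/v3 reader.
// SAMPLE_LOCK is constructed for the demo; names, versions and nesting are assumed.
const SAMPLE_LOCK = {
  name: 'main-project',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@scope/a': '^1.0.0', 'react-scripts': '^5.0.0' } },
    'node_modules/@scope/a': {
      version: '1.0.0',
      dependencies: { 'prop-types': '^15.7.2' },
      peerDependencies: { react: '^16.12.0' },
    },
    'node_modules/prop-types': {
      version: '15.8.1',
      dependencies: { 'loose-envify': '^1.4.0', 'object-assign': '^4.1.1', 'react-is': '^16.13.1' },
    },
    'node_modules/loose-envify': { version: '1.4.0', dependencies: { 'js-tokens': '^3.0.0 || ^4.0.0' } },
    'node_modules/js-tokens': { version: '4.0.0' },
    'node_modules/object-assign': { version: '4.1.1' },
    'node_modules/react-is': { version: '16.13.1' },
    'node_modules/react-scripts': { version: '5.0.1', dependencies: { 'css-select': '^4.1.3', svgo: '^1.3.2' } },
    'node_modules/css-select': { version: '4.3.0', dependencies: { 'nth-check': '^2.0.1' } },
    'node_modules/nth-check': { version: '2.1.1' },
    'node_modules/svgo': { version: '1.3.2', dependencies: { 'css-select': '^2.0.0' } },
    // svgo 1.x wants an older css-select, so npm nests a second copy under it,
    // together with the older nth-check that copy requires.
    'node_modules/svgo/node_modules/css-select': { version: '2.1.0', dependencies: { 'nth-check': '^1.0.2' } },
    'node_modules/svgo/node_modules/nth-check': { version: '1.0.2' },
  },
};

// Package name from a lockfile path: the part after the last "node_modules/".
function nameFromPath(lockPath) {
  const i = lockPath.lastIndexOf('node_modules/');
  return i === -1 ? lockPath : lockPath.slice(i + 'node_modules/'.length);
}

// Node-style resolution inside the lockfile: look for <from>/node_modules/<dep>,
// then walk up one node_modules level at a time until the project root ('').
function resolveDep(lock, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (lock.packages[candidate]) return candidate;
    if (base === '') return null;
    const i = base.lastIndexOf('node_modules/');
    base = i <= 0 ? '' : base.slice(0, i - 1); // drop the trailing "/node_modules/<name>"
  }
}

// Everything pkgName needs at install time, as sorted "name@version" strings.
// Peer dependencies are left out on purpose: the consuming project supplies them.
function dependenciesToPromote(lock, pkgName) {
  const start = resolveDep(lock, '', pkgName);
  if (!start) throw new Error(`${pkgName} is not in the lockfile`);
  const seen = new Set();
  const stack = [start];
  while (stack.length) {
    const p = stack.pop();
    if (seen.has(p)) continue;
    seen.add(p);
    const entry = lock.packages[p];
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(lock, p, dep);
      if (resolved) stack.push(resolved);
    }
  }
  seen.delete(start);
  return [...seen].map((p) => `${nameFromPath(p)}@${lock.packages[p].version}`).sort();
}

// Every installed copy of a package, nested ones included (what `npm list` shows),
// with the lockfile path so you can see which parent pulled it in.
function installedVersions(lock, pkgName) {
  return Object.entries(lock.packages)
    .filter(([p]) => p !== '' && nameFromPath(p) === pkgName)
    .map(([p, entry]) => ({ path: p, version: entry.version }));
}

// Numeric major.minor.patch comparison; prerelease tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Copies still below the version the override asks for.
function belowRequired(lock, pkgName, required) {
  return installedVersions(lock, pkgName).filter((v) => compareVersions(v.version, required) < 0);
}

console.log('promote with @scope/a:', dependenciesToPromote(SAMPLE_LOCK, '@scope/a'));
console.log('nth-check copies:', installedVersions(SAMPLE_LOCK, 'nth-check'));
console.log('nth-check below 2.1.1:', belowRequired(SAMPLE_LOCK, 'nth-check', '2.1.1'));
```

Point it at a real lockfile with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. The promotion list is the set you would have to move from Local to Release by hand; the nested-copy listing is why the answer says to regenerate the lockfile, since the old lockfile keeps recording the nested 1.x copy no matter what the override says.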
I'm trying to install some packages from an Azure Artifacts feed which was set up by my organization. I still need other external packages from https://registry.npmjs.org/. Although they have configured npm as an upstream source for the feed, my 'Reader' permission doesn't allow me to add new packages. So I can only use npm scopes to install private packages from a scope registry and public packages from the official registry. But I cannot install private packages simply with the scope name.
I've configured my user's .npmrc and got authentication using "vsts-npm-auth". It looks like this now:
# $HOME\.npmrc
proxy=http://my-enterprise-proxy.com
noproxy[]=blah-blah-blah
strict-ssl=false
registry=https://registry.npmjs.org/
@feed-scope:registry=https://pkgs.dev.azure.com/[ORGANIZATION_NAME]/_packaging/[FEED_NAME]/npm/registry/
always-auth=true
//pkgs.dev.azure.com/<ORGANIZATION_NAME>/_packaging/<FEED_NAME>/npm/registry/:username=[ENTER_ANY_VALUE_BUT_NOT_AN_EMPTY_STRING]
//pkgs.dev.azure.com/<ORGANIZATION_NAME>/_packaging/<FEED_NAME>/npm/registry/:_password=[BASE64_ENCODED_PERSONAL_ACCESS_TOKEN]
//pkgs.dev.azure.com/<ORGANIZATION_NAME>/_packaging/<FEED_NAME>/npm/registry/:email=npm requires email to be set but doesn't use the value
Now I try to execute:
npm install @feed-scope/package-needed
And I get:
npm ERR! code E404
npm ERR! 404 Not Found - GET pkgs.dev.azure.com/<ORGANIZATION_NAME>/_packaging/<FEED_NAME>/npm/registry/@my-scope%2fpackage-needed - The package '@my-scope/package-needed' was not found in feed '[FEED_NAME]'
npm ERR! 404
npm ERR! 404 '@my-scope/package-needed@*' is not in this registry.
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
I've explored my org's feed; there is only a package named "package-needed". I suspect that the scope name I add to the command is the problem. But I don't know how I can remove it.
PS: Please ignore those placeholders.
Unfortunately, that's not going to work. The scope is part of an npm package's name. You should work with the owners of your feed to get you the Collaborator role, which is the same as the Reader role plus the ability to use packages from upstreams which have not yet been saved to your feed. This is distinct from the Contributor role which also adds the ability to publish packages directly to the feed.
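To see why the request above went to the feed with the scoped name, it helps to model the two decisions npm makes from an .npmrc: which registry a package name maps to, and which credential block is sent there. The following is an added example, not from the question or the answer and not npm's own code; the .npmrc text is constructed, and example-org, example-feed and the _password value are placeholders.

```javascript
// Added example (not from the original posts): how npm maps a package name to a
// registry and a credential block from an .npmrc. SAMPLE_NPMRC is constructed.
const SAMPLE_NPMRC = `
# constructed user-level .npmrc; org, feed and password are placeholders
proxy=http://my-enterprise-proxy.com
strict-ssl=false
registry=https://registry.npmjs.org/
@feed-scope:registry=https://pkgs.dev.azure.com/example-org/_packaging/example-feed/npm/registry/
always-auth=true
//pkgs.dev.azure.com/example-org/_packaging/example-feed/npm/registry/:username=example-org
//pkgs.dev.azure.com/example-org/_packaging/example-feed/npm/registry/:_password=QUJDREVG
//pkgs.dev.azure.com/example-org/_packaging/example-feed/npm/registry/:email=npm requires email to be set but doesn't use the value
`;

// key=value lines; '#' and ';' start comments. Keys keep their "//host/path/:field" shape.
function parseNpmrc(text) {
  const cfg = new Map();
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    cfg.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return cfg;
}

// The scope is part of the package name: "@feed-scope/x" consults
// "@feed-scope:registry"; anything else, scoped or not, falls back to "registry".
function registryFor(cfg, pkgName) {
  if (pkgName.startsWith('@')) {
    const scope = pkgName.slice(0, pkgName.indexOf('/'));
    if (cfg.has(`${scope}:registry`)) return cfg.get(`${scope}:registry`);
  }
  return cfg.get('registry') || 'https://registry.npmjs.org/';
}

// npm stores credentials under the "nerf dart" of a URL: scheme dropped,
// host and path kept, with a trailing slash.
function nerfDart(url) {
  const u = new URL(url);
  return `//${u.host}${u.pathname.endsWith('/') ? u.pathname : u.pathname + '/'}`;
}

// Walk up the path one segment at a time, as npm's registry client does, so a
// block for //host/org/_packaging/feed/npm/registry/ also covers the request
// URL //host/org/_packaging/feed/npm/registry/@feed-scope%2fpackage-needed.
function credentialsFor(cfg, requestUrl) {
  let key = nerfDart(requestUrl);
  while (key.length > '//'.length) {
    const found = {};
    for (const field of ['_authToken', '_auth', 'username', '_password']) {
      if (cfg.has(`${key}:${field}`)) found[field] = cfg.get(`${key}:${field}`);
    }
    if (Object.keys(found).length) return { key, ...found };
    key = key.replace(/([^/]+|\/)$/, ''); // drop a trailing segment or a trailing slash
  }
  return null;
}

// Settings worth flagging in a file that also carries a PAT.
function warnings(cfg) {
  const out = [];
  if (cfg.get('strict-ssl') === 'false') {
    out.push('strict-ssl=false: TLS certificate checks are off for every registry request');
  }
  for (const [k, v] of cfg) {
    if (k.endsWith(':registry') && !credentialsFor(cfg, v)) out.push(`${k}: no credentials configured for ${v}`);
  }
  return out;
}

const sampleCfg = parseNpmrc(SAMPLE_NPMRC);
const feedPkg = '@feed-scope/package-needed';
console.log(feedPkg, '->', registryFor(sampleCfg, feedPkg));
console.log('credentials:', credentialsFor(sampleCfg, registryFor(sampleCfg, feedPkg) + '@feed-scope%2fpackage-needed'));
console.log('package-needed ->', registryFor(sampleCfg, 'package-needed'));
console.log(warnings(sampleCfg));
```

Two things fall out of running this against the question's setup: an unscoped `package-needed` resolves to registry.npmjs.org, never to the feed, and a scoped name is sent to the feed as-is, so the feed can only answer for a package that was published under that scope. The strict-ssl warning is the other thing a reviewer would raise about that file: with it off, the base64 PAT is sent to whatever answers at the proxy, with no certificate check.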
It's not clear from the documentation what a Verdaccio proxy is.
If I set up a proxy for @acme/foo and someone targets Verdaccio trying to publish @acme/foo, how do I configure the behavior and what is the default? There are three obvious possibilities, but none of them are covered in the docs:
The publish is rejected.
The publish is proxied.
The publish is done locally, and further requests are not proxied.
I would prefer the third option but when I try to publish to a package that is proxied I get this in npm,
npm ERR! code EPUBLISHCONFLICT
npm ERR! publish fail Cannot publish over existing version.
npm ERR! publish fail Update the 'version' field in package.json and try again.
npm ERR! publish fail
npm ERR! publish fail To automatically increment version numbers, see:
npm ERR! publish fail npm help version
npm ERR! A complete log of this run can be found in:
npm ERR! /home/ecarroll/.npm/_logs/2021-11-11T18_45_39_813Z-debug.log
The publish happens locally but only after the local Verdaccio server reaches out to the remote server and validates that there is no conflicting version.
When you are trying to publish a package@version and you have uplinks defined (by default npmjs), it will:
1. Ask the defined uplink (if you have `proxy: npmjs` in your package access) and download the manifest if it exists; if it does not, nothing is persisted (jump to step 3).
2. Verify whether the version already exists in that manifest (if step 1 was positive).
3. If it exists, return HTTP status 409 (Conflict), which npm displays as EPUBLISHCONFLICT; if not, publish the package.
More info here: https://verdaccio.org/docs/best#override-public-packages
In a nutshell, if the package access section has proxy it will always double check with the uplink and won't allow you to have duplicates.
This is taken from Juan Picado on GitHub from a discussion that I opened up
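The three steps above can be written down as a small decision model, which makes it clear that the `proxy` entry of the matching package rule is what decides whether the uplink is consulted. The following is an added example, not Verdaccio's code: PACKAGES_CONFIG mirrors the shape of the `packages:` section of Verdaccio's config.yaml (access / publish / proxy per pattern), and the uplink contents and all package names are constructed for the demo.

```javascript
// Added example (not Verdaccio's code): a model of the publish decision described
// in the answer. Config shape mirrors config.yaml "packages:"; data is constructed.
const PACKAGES_CONFIG = {
  '@acme/*': { access: ['$all'], publish: ['$authenticated'], proxy: ['npmjs'] },
  '@internal/*': { access: ['$all'], publish: ['$authenticated'] }, // no proxy: uplink is never asked
  '**': { access: ['$all'], publish: ['$authenticated'], proxy: ['npmjs'] },
};

// Manifests the npmjs uplink would return (constructed): @acme/foo already has
// 1.0.0 and 1.1.0 on the public registry.
const UPLINKS = {
  npmjs: { '@acme/foo': { versions: { '1.0.0': {}, '1.1.0': {} } } },
};

// '*' stops at '/', '**' matches anything; rules are tried in config order.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const body = escaped.replace(/\*\*/g, '\u0000').replace(/\*/g, '[^/]*').replace(/\u0000/g, '.*');
  return new RegExp('^' + body + '$');
}

function matchRule(config, name) {
  for (const [pattern, rule] of Object.entries(config)) {
    if (globToRegExp(pattern).test(name)) return { pattern, ...rule };
  }
  return null;
}

// A registry instance with its own local storage and a log of uplink lookups.
function createRegistry(config, uplinks) {
  const storage = {};      // name -> { versions }
  const uplinkCalls = [];  // "uplink:name" for every manifest fetched upstream
  function publish(name, version) {
    const rule = matchRule(config, name);
    if (!rule) return { status: 403, reason: 'no package rule matches' };
    const local = storage[name] || (storage[name] = { versions: {} });
    if (local.versions[version]) {
      return { status: 409, code: 'EPUBLISHCONFLICT', reason: `${name}@${version} already exists locally` };
    }
    for (const up of rule.proxy || []) {
      uplinkCalls.push(`${up}:${name}`);
      const manifest = (uplinks[up] || {})[name];     // step 1: fetch the uplink manifest, if any
      if (manifest && manifest.versions[version]) {   // step 2: is the version already there?
        return { status: 409, code: 'EPUBLISHCONFLICT', reason: `${name}@${version} exists on uplink ${up}` }; // step 3
      }
    }
    local.versions[version] = { published: true };    // step 3, no conflict: persist locally
    return { status: 201, rule: rule.pattern };
  }
  return { publish, storage, uplinkCalls };
}

const demoRegistry = createRegistry(PACKAGES_CONFIG, UPLINKS);
console.log(demoRegistry.publish('@acme/foo', '1.0.0'));     // 409: taken on npmjs
console.log(demoRegistry.publish('@acme/foo', '1.2.0'));     // 201: new version, stored locally
console.log(demoRegistry.publish('@internal/foo', '1.0.0')); // 201, and no uplink lookup
console.log(demoRegistry.uplinkCalls);
```

In the model, the behaviour the asker wanted (publish locally, never consult the uplink) is what a rule without `proxy` gives, and that is the only way the same name can exist both upstream and locally: with `proxy` present, the uplink always has the last word on whether a version is free, which is the dependency-confusion guard the answer describes.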
I've downloaded a nodejs project from Github, edited the source to add missing functionality and now I'm trying to compile it into an executable or run it uncompiled (node main.js). In both cases I get messages that it can't find its dependencies.
This is not my normal programming language, so I'm unfamiliar with how node dependencies work.
The dependencies in question are other node packages. I installed them with npm install -g but that didn't help.
In the package.json file they are described as follows:
"dependencies": {
"@castlelemongrab/ioh": "^0.0.4",
"@castlelemongrab/strr": "^0.0.1",
"bent": "^7.3.6",
"jsDump": "^1.1.0",
"yargs": "^15.3.1"
},
The warning messages specify the dependencies beginning with @ as the ones that are missing. Although it's just a warning, the program fails to function and issues the same message when you attempt to use it, so it's effectively an error. I found this Stack Overflow post mentioning that you could define dependencies like this:
"dependencies": {
"public": "git://github.com/user/repo.git#ref",
"private": "git+ssh://git@github.com:user/repo.git#ref"
}
But that didn't seem to have any effect:
Error: Cannot find module '@castlelemongrab/ioh'
How should I resolve it? I tried going into the node_modules directory and git clone-ing the ioh library into the @castlelemongrab folder, but that also led to some errors:
npm ERR! code EISGIT
npm ERR! path C:\...\node_modules\@castlelemongrab\ioh
npm ERR! git C:\...\node_modules\@castlelemongrab\ioh: Appears to be a git repo or submodule.
npm ERR! git C:\...\node_modules\@castlelemongrab\ioh
npm ERR! git Refusing to remove it. Update manually,
npm ERR! git or move it out of the way first.
Additionally, since I have the production version of this package installed on my system and I don't want to overwrite it, if I change the "name" field in package.json is that an effective and safe way to avoid conflicts?
The solution was to git clone the missing modules into node_modules and then to rm -rf the .git and .gitignore.
Figured this out by trial and error. If anyone has a more complete and informed answer, please feel free to add it.
What is the difference between installing a npm package via https and ssh? My expectation is that the downloaded package would be the same but this is not the case. For example:
// package.json
"dependencies": {
"lodash": "^4.17.19"
// vs
"lodash": "git@github.com:lodash/lodash.git#semver:^4.17.19"
}
When I use the first option, the actual npm package gets installed.
When I install via the second option, I get only the files that are whitelisted from the repo but not the actual package itself.
I don't see a good explanation in the npm documentation. Why aren't these installing the same thing? Is there a way to install the actual package via ssh and not the commit itself?
There are two ways of installing dependencies:
From the npm registry itself (specify the version)
From GitHub (specify a branch, or a commit/tag)
It is advisable to publish the minified/compiled version of the library to the registry rather than the source, unless necessary. So, it is possible that what you get from npm is different from the source repository itself.
It is really a question of the "place" (npm or GitHub) rather than the method (HTTP or SSH).
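The answer's point, that the spec decides the place and the place decides the content, can be made mechanical: given a package.json dependency spec, say where npm will fetch it from and what selects the content. The following is an added example, not from the question or the answer and not npm's parser: a classifier for the spec forms quoted on this page (registry range, scp-style `git@host:owner/repo.git`, `git://` and `git+ssh://` URLs, hosted `owner/repo` shorthand, plus `file:` and tarball URLs for completeness). The specs in SAMPLE_DEPENDENCIES are the ones quoted above plus constructed variants; lodash/lodash.git and user/repo are taken as written on the page, not verified.

```javascript
// Added example (not from the original posts, not npm's own parser): classify
// package.json dependency specs by where npm fetches them from.
function parseFragment(fragment) {
  if (!fragment) return { kind: 'default-branch', value: null };
  if (fragment.startsWith('semver:')) return { kind: 'semver', value: fragment.slice('semver:'.length) };
  return { kind: 'committish', value: fragment }; // branch, tag or commit sha
}

function classifySpec(spec) {
  const s = spec.trim();
  let m;
  if (s.startsWith('file:')) {
    return { source: 'local', transport: 'file', selector: { kind: 'path', value: s.slice('file:'.length) } };
  }
  if (/^https?:\/\/.+\.(tgz|tar\.gz)$/i.test(s)) {
    return { source: 'tarball', transport: s.slice(0, s.indexOf(':')).toLowerCase(), selector: { kind: 'url', value: s } };
  }
  // git URL forms: git+ssh://, git+https://, git://, ssh://, optional user@, ':' or '/' after the host
  if ((m = s.match(/^(git\+ssh|git\+https?|git\+file|git|ssh):\/\/(?:[^@\/]+@)?([^\/:]+)[\/:]([^#]*)(?:#(.*))?$/i))) {
    const scheme = m[1].toLowerCase();
    const transport = scheme === 'git' ? 'git' : scheme.replace('git+', '');
    return { source: 'git', transport, host: m[2], repo: m[3], selector: parseFragment(m[4]) };
  }
  // scp-like ssh form: git@github.com:owner/repo.git#ref
  if ((m = s.match(/^[\w.-]+@([\w.-]+):([^#]*)(?:#(.*))?$/))) {
    return { source: 'git', transport: 'ssh', host: m[1], repo: m[2], selector: parseFragment(m[3]) };
  }
  // hosted shorthand: owner/repo, github:owner/repo, gitlab:owner/repo, ...
  if ((m = s.match(/^(?:(github|gitlab|bitbucket|gist):)?([\w.-]+\/[\w.-]+)(?:#(.*))?$/))) {
    return { source: 'git', transport: 'hosted', host: m[1] || 'github', repo: m[2], selector: parseFragment(m[3]) };
  }
  // Everything else is resolved against the registry: a range or exact version
  // if it starts like one, otherwise a dist-tag such as "latest".
  const kind = /^[\d^~<>=*xv]/i.test(s) ? 'range' : 'tag';
  return { source: 'registry', transport: 'https', selector: { kind, value: s } };
}

// Dependencies whose content does not come from the registry's published tarball.
function nonRegistryDependencies(deps) {
  return Object.entries(deps)
    .map(([name, spec]) => ({ name, spec, ...classifySpec(spec) }))
    .filter((d) => d.source !== 'registry');
}

// Specs from the page plus constructed variants (shorthand and dist-tag).
const SAMPLE_DEPENDENCIES = {
  lodash: 'git@github.com:lodash/lodash.git#semver:^4.17.19',
  bent: '^7.3.6',
  public: 'git://github.com/user/repo.git#ref',
  private: 'git+ssh://git@github.com:user/repo.git#ref',
  shorthand: 'user/repo',
  tagged: 'latest',
};

for (const [name, spec] of Object.entries(SAMPLE_DEPENDENCIES)) {
  console.log(name, '->', classifySpec(spec));
}
console.log('not from the registry:', nonRegistryDependencies(SAMPLE_DEPENDENCIES).map((d) => d.name));
```

For every entry that comes back as `git`, npm clones the repository at the selected ref (for `#semver:` it picks the highest matching tag) and runs that repository's own `prepare` script to build it, so what lands in node_modules is whatever the checkout produces, not the artifact published to the registry. That is the difference the question observed, and the list from `nonRegistryDependencies` is the set a supply-chain review should look at first.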