400s coming back from registry on npm audit


(Josh Clow) #1

I’ve been digging into why some, but not all, of our projects at work bomb out on npm audit with a 400 coming back from registry.npmjs.org and want to see if anyone thinks this makes sense:

  1. We have a private fork of draft-js saved out on S3, so that’s a tarball dependency in the associated projects
  2. Elsewhere, we have a package (call it @company/our-package) that has a registry dependency on draft-js, but it’s just for `*`
  3. In the projects that fail, both these things are involved

What I think is happening is that the private fork of draft-js is satisfying the * for the package in 2). Which is all well and good for npm install, but it gets problematic when audit tries to obfuscate private data. In that case, what ends up going into the JSON that’s gzipped and then POSTed to the registry has a bit like this, which explicitly references “draft-js”:

    "dependencies": {
        "@textio/our-package": {
            "version": "3.0.2",
            "integrity": "sha1-blahblahblah",
            "requires": {
                "draft-js": "*",
                ...
            }
        },

But further down in the JSON, the actual “draft-js” dependency listing has a name/version that’s gone through scrub (in lib/install/audit.js) and so is now an obfuscated name that doesn’t say “draft-js” in it anywhere. I think this mismatch is what’s causing it to blow up and come back as a 400. This hypothesis is backed up somewhat by the fact that if I hand-edit the JSON to either include a reference to “draft-js” (as if I were using a registry dependency) or remove the requires line that’s got “draft-js: *”, then I get a 200 and an audit report.

Does this seem plausible?


(Kat Marchán) #2

This does seem plausible, and @nlf agrees that this is likely being caused by the obfuscation.

If you could, do you think you could put together a minimal repro for this and file a formal bug in #bugs? Having that would be super helpful.


(Josh Clow) #3

Yep yep! I’ll try to get a reduced repro up today. Thanks!


(Kat Marchán) #4

Thanks a bunch! I’ll keep an eye out for it. That will be so helpful. :smiley:


(system) #6

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.