The npm community forum has been discontinued.
To discuss usage of npm, visit the GitHub Support Community.
[Bug][API] GET scoped package w/ version fails with 401 status
What I Wanted to Do
curl https://registry.npmjs.org/@babel/core/latest should return JSON info about latest version of
curl https://registry.npmjs.org/@webassemblyjs/wasm-parser/1.7.11 should return info for
What Happened Instead
Server responds with 401 status
curl commands above
This appears to be an issue with any module that has a scoped name.
This issue previously reported (and closed without response) here.
Note, too, that the information in question is available if you omit the version. E.g.
curl https://registry.npmjs.org/@babel/core works… you just have to sift through the
versions field to fin the information you need.
If you look at the headers, you’ll notice this one:
npm-notice: ERROR: you cannot fetch versions for scoped packages
So basically, what you’re trying to do is not supported, intentionally. You need to fetch the packument or the tarball. Individual version fetches aren’t supported. If you want to make this easier, you can use
pacote to make the API call (or
const pkg = await libnpm.manifest('@babel/core@latest')
what you’re trying to do is not supported, intentionally
But why? This seems like an arbitrary and unnecessary distinction because…
- Public, scoped modules are semantically no different than unscoped modules.
- The version-specific information is available as long as you omit the version in the URL (i.e. this isn’t a security issue)
- It penalizes organizations for scoping their public modules
On that last point, it’s worth pointing that this affects several well-known module collections:
@types, to name a few.
Is this just a byproduct of how scoped packages are handled behind the scenes or something?
That’s pretty much it, yeah.
Are there any plans to fix this in the future? We’ve just moved our packages to scoped packages and we used to API to get package.json info from the latest version of packages. Because we now have scoped packages, that doesn’t work anymore.