npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Got the old problem of npm install changing packages from https to http

What I Wanted to Do

Tried to run “npm install” to check that no new packages were needed. I just did this a few minutes ago and expected it to say that everything was up to date.

What Happened Instead

I got a lot of changes in package-lock.json that changed packages from https to http.
One example:
@@ -5027,7 +5027,7 @@
“gulp”: {
“version”: “3.9.1”,
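Review bot: the hunk is cut off after its two leading context lines: the `@@ -5027,7 +5027,7 @@` header promises seven lines on each side, but only `“gulp”: {` and `“version”: “3.9.1”,` are shown and no `-`/`+` lines appear, so the https-to-http change the post describes cannot be seen in this excerpt. Please paste the full hunk, including the changed `resolved` line, so the old and new tarball URLs can be compared side by side.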

It looks like the same problem as this

Reproduction Steps

Not sure how to go back in time, but this is a copy of our package.json.

Just run “npm install” with that and see if it chooses http instead of https for some packages. We know they are old; it is an internal tool.


Platform Info

$ npm --versions
{ 'some-portal': '1.0.0',
  npm: '6.10.3',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.3',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '',
  zlib: '1.2.11' }

$ node -p process.platform

I tried reproducing, but my install using your package.json has 1260 uses of https:// in the new package-lock.json, and zero uses of http://.

(npm 6.10.3, on macOS.)

We know they are old; it is an internal tool.

There is an entertaining variety of deprecation messages. :)

We managed to reproduce it on other computers, both Windows and Mac. One difference may be that we had an earlier version before, but that shouldn’t really matter.

I have of course wiped my whole node cache and removed the folder node_modules before trying again, but the same thing still happened on my machine.

I was looking a bit more into the history of the package.json and package-lock.json and noticed that some rows/packages had “http://” before my current update. Those rows seem to have been changed in January 2019, when the old issue might still have been a problem. The strange thing is that npm-cli now seems to change some more packages to “http://”.

I created a gist with the old package-lock.json including the old http links. Maybe it is reproducible if one starts with this and does “npm ci” first and then runs “npm install”?