npm Community Forum (Archive)

The npm community forum has been discontinued.

npm install downgrading resolved packages from https to http registry in package-lock.json

What I Wanted to Do

npm install to generate a fresh package-lock.json with https urls only.

What Happened Instead

Some packages have their resolved field pointing to the http registry.

Reproduction Steps

mkdir httptest
cd httptest
npm init -y
# Some packages that were resolved to http registry on a project
npm install babel-plugin-syntax-object-rest-spread buffer@4.9.1 chalk@1.1.3 external-editor@2.2.0 minimist mkdirp
# Just a control package to show it is not for all packages
npm install lodash
# Display http urls
cat package-lock.json | grep 'http://'
# Display https ones just for control
cat package-lock.json | grep 'https://'

I get the following output:

Wrote to /home/sam/Code/httptest/package.json:

{
  "name": "httptest",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}

npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN httptest@1.0.0 No description
npm WARN httptest@1.0.0 No repository field.

+ babel-plugin-syntax-object-rest-spread@6.13.0
+ mkdirp@0.5.1
+ minimist@1.2.0
+ external-editor@2.2.0
+ buffer@4.9.1
+ chalk@1.1.3
added 21 packages in 0.953s
npm WARN httptest@1.0.0 No description
npm WARN httptest@1.0.0 No repository field.

+ lodash@4.17.10
added 1 package in 0.517s
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
          "resolved": "",

      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",
      "resolved": "",


It seems to happen with specific packages, specific versions (thus I specified some versions above), and after a specific point in time. I recently created a fresh package-lock.json in a project, and the exact same versions of those packages were resolved to the https registry at that time (using the same node and npm version, and the same package.json).

Platform Info

$ npm --versions
{ httptest: '1.0.0',
  npm: '5.6.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.11.4',
  openssl: '1.0.2p',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.54',
  zlib: '1.2.11' }

$ node -p process.platform

But I was also able to replicate it with the latest node 10.9.0 and npm 6.2.0 and npm 6.4.1.

We’re seeing the same on various combinations of node and npm; any pointers here would be appreciated.

There’s a similar issue that has been open on GitHub for a while (since 20 Mar):

Some people had the problem solved by performing the steps described in (not me, anyway).

It would be definitely nice to have an update on this.

For those looking to work around it, I’ve simply been replacing the URLs after an npm install that creates/updates the package-lock (and running npm i again), and haven’t experienced issues so far:

sed -i -e 's/http:\/\//https:\/\//g' package-lock.json

But indeed this behavior is odd, creates security concerns, and seems somehow related to the registry and not to the npm CLI itself.

The same issue has been plaguing my projects as well. This is a security issue and should be considered critical in terms of bug priority.

I have been seeing the same behavior.

I faced the same issue today. I can confirm that after performing the steps listed in that comment, package-lock.json didn’t have any changes.

Just for future reference, I am pasting the steps as listed in the comment:

$ rm -rf node_modules/
$ npm cache clean --force
(Revert the changes in your package-lock.json file)
$ npm i

I tweeted about this issue after noticing it the other day:

npm cache clean --force and a fresh install does not fix the issue.

Searching around, I noticed this is a duplicate: Some packages have dist.tarball as http and not https

Indeed this is an issue with the registry itself and applies to any npm CLI version.

Maybe unrelated, but I also noticed the registry responds with different content-types for different packages:

$ curl --silent --head | grep -i content-type
content-type: application/octet-stream

$ curl --silent --head | grep -i content-type
content-type: application/json

So maybe a faulty instance behind a load balancer is the source of the trouble.

PS: Just saw that @nexdrew linked this thread there.

I tried this with npm v6.4.1 and it’s still an issue. I work around it by just doing a grep replace of http: to https:. Strangely, when I re-run an npm install, it still tries to change a random(?) package’s URL from https back to http. In my case, it was Bluebird.

I’m having same problem.

$ npm --version

It is weird that different versions of a package appear to switch between http and https:

> npm view react-scripts@* dist.tarball
react-scripts@0.0.0 ''
react-scripts@0.1.0 ''
react-scripts@0.2.0 ''
react-scripts@0.2.1 ''
react-scripts@0.2.2 ''
react-scripts@0.2.3 ''
react-scripts@0.3.0 ''
react-scripts@0.3.1 ''
react-scripts@0.4.0 ''
react-scripts@0.4.1 ''
react-scripts@0.4.2 ''
react-scripts@0.4.3 ''
react-scripts@0.5.0 ''
react-scripts@0.5.1 ''
react-scripts@0.6.0 ''
react-scripts@0.6.1 ''
react-scripts@0.7.0 ''
react-scripts@0.8.0 ''
react-scripts@0.8.1 ''
react-scripts@0.8.2 ''
react-scripts@0.8.3 ''
react-scripts@0.8.4 ''
react-scripts@0.8.5 ''
react-scripts@0.9.0 ''
react-scripts@0.9.1 ''
react-scripts@0.9.2 ''
react-scripts@0.9.3 ''
react-scripts@0.9.4 ''
react-scripts@0.9.5 ''
react-scripts@1.0.0 ''
react-scripts@1.0.1 ''
react-scripts@1.0.2 ''
react-scripts@1.0.3 ''
react-scripts@1.0.4 ''
react-scripts@1.0.5 ''
react-scripts@1.0.6 ''
react-scripts@1.0.7 ''
react-scripts@1.0.8 ''
react-scripts@1.0.9 ''
react-scripts@1.0.10 ''
react-scripts@1.0.11 ''
react-scripts@1.0.12 ''
react-scripts@1.0.13 ''
react-scripts@1.0.14 ''
react-scripts@1.0.15 ''
react-scripts@1.0.16 ''
react-scripts@1.0.17 ''
react-scripts@1.1.0 ''
react-scripts@1.1.1 ''
react-scripts@1.1.2 ''
react-scripts@1.1.3 ''
react-scripts@1.1.4 ''
react-scripts@1.1.5 ''
react-scripts@2.0.0 ''
react-scripts@2.0.1 ''
react-scripts@2.0.2 ''

Seeing the same thing, and finding it very concerning.

Same thing happened to me.

I just deleted my node_modules folder, then did a fresh install, and thankfully that fixed it.

npm -v

Same here, but the fix didn’t work for me :(
npm 6.4.1

This is a duplicate of Some packages have dist.tarball as http and not https. For future reference, please note that you can safely sed -i this back to https until it’s resolved, since it’s a registry-side issue.