Random addition of "dl" parameter in "resolved" lockfile/shrinkwrap urls


(Jacob Page) #1

Our company uses an Artifactory repository for storing internally-published packages and as a proxy for the NPM registry. Sometimes the resolved field in lockfiles/shrinkwrap files is as expected, containing URLs for our internal repository, but occasionally they show up as something like this (line break added for clarity):

https://our.repository.com/artifactory/api/npm/some-repo/lodash/-/lodash-3.10.1.tgz
  ?dl=https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Then, from pull request to pull requests, these dl parameters constantly oscillate to being present or removed depending on which developer does an npm install , leading to a lot of pull request & commit noise.

I donโ€™t know whether this is something the NPM CLI is doing directly or if itโ€™s something happening somewhere in the interactions between the CLI, Artifactory, and the NPM registry. Does anyone know why this happens? Can we disable this behavior? And is it safe to strip this parameter as a postshrinkwrap script workaround?

(this is cross-posted on Stack Overflow if you want Fake Internet Points: https://stackoverflow.com/questions/53127140/npm-lockfiles-shrinkwrap-get-random-dl-parameter-tacked-on-to-the-resolved-u)


(system) #2

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.