Some packages have dist.tarball as http and not https


(Lars Willighagen) #42

Does --no-package-lock work (I believe that’s how Boolean flags work)?

(Guido Bouman) #43

Nope, that would completely ignore the package-lock file during install and you would end up with the most recent packages. More or less the same thing that happens when one removes the package-lock file.

(Kevin Killingsworth) #44

If anyone’s interested, I made a workaround by adding the following to my package.json scripts (same idea as above, but works on all platforms)

	     "postshrinkwrap": "replace --silent 'http://' 'https://' ./package-lock.json",

Make sure to npm install --save-dev replace

(Pablo Garcia) #45

Wow, @coderkevin! I’m so glad I had this issue 2 hours after you commented. That saved me a lot of time, thanks!

(Joseph Won) #46

Great suggestion Kevin, thank you!

(Cyril Auburtin) #47

Using native find command:
"postshrinkwrap": "find . -name node_modules -prune -o -name package-lock.json -exec sed -i 's/http:\/\//https:\/\//g' {} +"

(Tolga Kavukcu) #48

I want to update with a case, and ask for a workaround since it is aesthetic. If there is a functionality loss you can only consider it as minor if there is a strict workaround.

Here are the details:

We are using Nexus as a corporate repository and http protocol is disabled. So considering https support of npm we enable proxy without direct access. But due to invalid entries in npm metadata Nexus cannot download tarballs, we cannot even have an initial build to have package-lock.json


(Lars Willighagen) #49

(Kat Marchán) #50

Hey all, the rewrite job that was fixing this issue finished running. I recommend you fix any remaining issues you have by hand, and it should not repeat itself going forward (barring cached versions – use --prefer-online to make sure you’re not getting anything stale).

So I consider this issue resolved now. We likely won’t be making CLI-side changes related to this, so we should be all set.

(Riki Fridrich) #51

I have updated to the latest version of NPM (6.5.0), force cleaned caches and run the install command with --prefer-online. Still, some of the URLs in package lock got converted to “http” protocol.

Am I doing something wrong?

(Nicolas Henry) #52

Remove the node_modules/ folder, package-lock.json and run ‘npm install --prefer-online’ again, it worked for me.

(Kat Marchán) #53

Please remove node_modules as well (along with doing everything else).

If this continues, please tell me what specific packages you experienced this with and I’ll take a look.

(Joe Curtis) #54

Should I be using this on every install now?

(Kat Marchán) #55

No, just if you’re still seeing the issue

(Riki Fridrich) #56

Doing this seems to finally work:

npm install --global npm@6.6.0-next.0
rm -rf ./node_modules
npm cache clean --force
npm install --prefer-online

Thank you.

(Preethi) #57

Is this backfilling complete? In case I’m behind a corporate firewall, will this backfill help me in downloading any component that returns an http URL?

(Preethi) #58

Did you get any workaround for this issue? We are in a similar situation & any input is greatly appreciated.

(Kat Marchán) #59

Everything is complete. Please note that npm will still download over https if your configured registry is https.

(Kat Marchán) closed #60
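
Added example, not part of the original thread and not npm's own code: the postshrinkwrap workarounds in #44 and #47 replace every http:// string in the lock file, whereas this sketch walks a parsed lock file, reports only `resolved` URLs that use plain http, and rewrites them only for one trusted registry host. `REGISTRY_HOST`, `auditLock`, `entries` and the sample data are assumptions made for the example, and it goes beyond the thread by also walking the flat `packages` map of newer lock file versions.

```javascript
// Added example: audit the "resolved" URLs of a parsed package-lock.json.
const REGISTRY_HOST = 'registry.npmjs.org'; // assumption: the one host we trust over https

// Lock file v1 nests entries under "dependencies"; v2/v3 also list them flat under "packages".
function* entries(node, path = '') {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = path ? `${path} > ${name}` : name;
    yield [here, dep];
    yield* entries(dep, here);
  }
  for (const [key, pkg] of Object.entries(node.packages || {})) {
    if (key !== '') yield [key, pkg]; // '' is the root project itself
  }
}

// Returns one finding per plain-http "resolved" URL. With fix=true, rewrites
// only URLs on REGISTRY_HOST; other hosts are reported and left untouched.
function auditLock(lock, { fix = false } = {}) {
  const findings = [];
  for (const [where, dep] of entries(lock)) {
    if (typeof dep.resolved !== 'string') continue;
    let url;
    try { url = new URL(dep.resolved); } catch { continue; } // not a URL
    if (url.protocol !== 'http:') continue;
    const fixable = url.hostname === REGISTRY_HOST;
    findings.push({ where, resolved: dep.resolved, fixable });
    if (fix && fixable) {
      url.protocol = 'https:';
      dep.resolved = url.href; // "integrity" is deliberately left as recorded
    }
  }
  return findings;
}

// Constructed sample (lock file v1 shape); names and integrity are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'pkg-x': { version: '1.3.0', integrity: 'sha512-PLACEHOLDER',
      resolved: 'http://registry.npmjs.org/pkg-x/-/pkg-x-1.3.0.tgz' },
    'pkg-a': { version: '1.0.0',
      resolved: 'https://registry.npmjs.org/pkg-a/-/pkg-a-1.0.0.tgz',
      dependencies: {
        'pkg-b': { version: '2.0.0', resolved: 'http://mirror.example/pkg-b-2.0.0.tgz' },
      } },
  },
};

console.log(auditLock(JSON.parse(JSON.stringify(SAMPLE_LOCK))));
```

In a CI check, a non-empty result from `auditLock` on the committed lock file can fail the build, which catches http entries that reappear after a later install.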