fix(arborist): allow-remote exemption for proxy/mirror-fronted registry tarballs#9550
Open
manzoorwanijk wants to merge 1 commit into
Open
Conversation
Contributor
Author
|
@owlstronaut @JamieMagee this change might require some careful review. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
With
allow-remote=none(the default on npm 12) orallow-remote=root, anpm installfails withEALLOWREMOTEon ordinary registry dependencies when the configured registry origin differs from the lockfileresolvedorigin.This is the common proxy/mirror case: a committed
package-lock.jsonwhoseresolvedURLs point tohttps://registry.npmjs.org/..., while the machine (or CI) is configured to use a private registry proxy/mirror with a different origin.It affects both the hoisted and the linked install strategy.
Why
When extracting a registry-resolved package, reify hands pacote a
name@URLspec, which pacote re-parses astype=remoteand gates with allow-remote.To avoid mis-firing on registry tarballs,
#isRegistryResolvedTarballexempts them — but it compared the raw lockfileresolvedURL against the configured registry origin.With a proxy/mirror configured,
resolvedis the canonicalregistry.npmjs.orgURL while the configured registry is the proxy, so the origins never matched, the exemption returnedfalse, and the registry tarball was rejected as remote.Crucially, reify already fetches a different URL than the raw
resolved:#registryResolvedappliesreplace-registry-host(defaultnpmjs), rewriting theregistry.npmjs.orghost to the configured registry while preserving the path.So npm fetches the tarball from the proxy correctly; only the allow-remote check was evaluating the wrong (pre-rewrite) URL.
How
Evaluate the effective URL npm actually fetches, not the raw lockfile value.
#isRegistryResolvedTarballnow parsesthis.#registryResolved(node.resolved)— the host-rewritten URL — before the same origin + registry-path-prefix comparison.After rewriting, a public-registry-pinned tarball resolves to the configured registry and is correctly recognized as registry-mediated.
The existing security boundary is preserved: under the default
replace-registry-host, a same-origin tarball pointing outside the registry path is not rewritten and is still rejected, and a genuinely URL-declared dependency still fails thenode.isRegistryDependencyguard.Under
replace-registry-host=always, every tarball is routed through the configured registry, so registry dependencies are no longer treated as remote — consistent with whatalwaysmeans.References
Fixes #9548