Insecure tarball URI when publishing package to registry

[Vrtak-CZ]

Hello is there any reason for this?

npm-registry-client/lib/publish.js

Line 98 in 690d62c

.replace(/^https:\/\//, 'http://')

our infrastructure with private npm registry running only on secure TLS (HTTPS) connection. So when we try download package it returns error because NPM/Yarn tries download it from insecure URL (because metadata is "deformed" by this code).

[iarna]

I don't honestly know why this is in there, I presume it's for backwards compatibility with some third party registry. The npm registry products appear to ignore that entirely. You may want to speak with your registry vendor about getting closer compatibility with production npm behavior.