NPM: fix GitHub registry not working when path is specified #7468
Conversation
npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb
Outdated
Show resolved
Hide resolved
|
Does this fallback actually work for any private registry? It feels that this should be returning just a host, not a URI dependent on each particular dependency, which is what's locked in the lockfile 🤔 |
|
@deivid-rodriguez great question, it seems like it wouldn't work! Should it just return |
|
That was my idea, yes. Looking into this more, I think this PR may shed some light, and might have actually introduced this bug 😬. Apparently when there's no Until #7030, this inferred file included just the host, but that PR changed that because apparently some registries need the user/org after the host (like gemfury). Turns out GitHub registry works the opposite way? 😞 So, I guess we need to special case the fallback regarding GitHub vs other private registries (for GitHub use just the host, for others use also the path up until the dependency name like in #7030). Also, since there's a fallback in place here to use the lockfile URL, I'm not sure we even need to infer a |
|
I actually rolled the code back to early march trying to bisect it and it still has this issue, so I don't think it was a recent change. |
|
I'll save this for tomorrow to deploy to give folks more time to think about it... also it's the end of my day 🙂 |
|
Did you try a case without a Keeping digging, even if this variable is called |
| @@ -121,8 +121,9 @@ def locked_registry | |||
| known_registries. | |||
| find { |h| h["registry"].include?(lockfile_registry) }&. | |||
There was a problem hiding this comment.
Should we try to find known registries using only the host first?
There was a problem hiding this comment.
My intuition is that this lockfile_registry variable should be holding the proper registry url already (just host, or host plus some path depending on the type of private registry). The fact that's holding a full path to a dependency in this case I believe it may be a bug in the file parser, specific to GitHub private registries. But that's just me guessing...
|
Looks like @deivid-rodriguez is right, there's even a test for this case: dependabot-core/npm_and_yarn/spec/dependabot/npm_and_yarn/file_parser_spec.rb Lines 241 to 254 in de36c26 Unclear why it doesn't work sometimes, still investigating, but I think the fix will be here in the FileParser. |
|
Looks like this is the source of the regression: #6306 |
|
I added back the dependabot-core/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb Lines 283 to 286 in b0b0dc7 |
jakecoffman
deleted the
jakecoffman/fix-npm-not-working-when-path-specified
branch
We noticed quite a few users put the path in their private registry configuration for GitHub Packages (
url: npm.pkg.github.com/my-org) which causes Dependabot to fallback to using theresolvedline as the registry URL. This doesn't work however, because the GItHub registry has a special/downloadURL it uses.To correct that, I've added a special case for the GitHub registry where it will return just the host instead of the extra path. I tested this with the Dependabot CLI and it seems to fix the issue 🎉