
Request: remove a call to package registry #119

Closed
alexturek opened this issue Feb 7, 2020 · 2 comments · Fixed by #120
Labels: bug (Something isn't working)

Comments

@alexturek
Summary of error

2.4.2 features an (undocumented, as far as I can tell) call to the npm registry to check the version of the audit-ci package. This causes opaque errors when using a private npm registry.

Details

I recently ran into a surprising error in two different repos, both of which used audit-ci on version 2.4. These repositories are configured to use my company's private package registry, which requires authentication.

Running audit-ci in one case failed with this error:

circleci@85c52d082288:~/project$ yarn test-audit
yarn run v1.21.1
$ node ./node_modules/.bin/audit-ci --config .audit-ci.json --pass-enoaudit
running general audit
{"type":"error","data":"Received invalid response from npm."}
Unexpected end of JSON input
Exiting...
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

And another proceeded just fine.

Adding --verbose to the yarn info command in this library's 2.4.2 version showed me that the last line was a 401 from our private package registry. 2.4.0 and 2.4.1 don't have that call to check the self-version of the library - it was added in this commit

Suggested fix

There are a couple of options:

  1. (my preference) Remove the yarn info call and establish this package's version via lookup of its package.json's version. This would mean users don't need to have authentication configured and would avoid a network call that (I think) can be avoided with a local filesystem lookup.
  2. Mark 2.4.2 as deprecated and version bump this library to 2.5, with a note in the changelog that 2.5 requires user authentication. And maybe handle authentication errors?
quinnturner self-assigned this Feb 7, 2020
quinnturner added the bug label Feb 7, 2020

@quinnturner (Member)

Thank you for the detailed report! This is a priority fix.

My current thought would be to use:

const { version } = require('../package.json');

@alexturek (Author)

Makes sense to me 👍
