Referencing a git dependency twice with different URLs can cause a race condition in npm cache

[phated]

I was referencing a dependency as ssh://git@github.com:MyOrg/MyRepo and in another place as ssh://git@github.com/MyOrg/MyRepo and it caused corruption of the package in the cache leading to install errors.

[othiym23]

There are actually three problems in caching git dependencies that this issue highlights:

1. These different Git URLs should normalize to the same representation inside the relevant cache code.
2. Placing the package tarball in $HOME/.npm/package/0.0.0/package.tgz should be done atomically.
3. There should be an inflight cache for writes to the package.tgz that disallows more than one cache write to be inflight, even without the atomic writes.

Who knows how many other weird subtleties fixing this will address.

[othiym23]

The changes necessary to fix this issue are being landed in #7008.

[othiym23]

Fixed by 1c48d08, 5423cf0, and 7f6557f, which do the three things, respectively, listed here. It's starting to look terrifyingly like Christmas!

⛄