Can't access scoped metadata from registry

[ghost]

While accessing a scoped package at https://registry.npmjs.org/@sindresorhus%2Fdf/, I see that version 1.0.1 is available. Trying to access the metadata for the 1.0.1 package, https://registry.npmjs.org/@sindresorhus%2Fdf/1.0.1, I get nothing.

However, this URL form works for non-scoped packages, https://registry.npmjs.org/pageres/1.0.1

I get '401 Unauthorized' as the HTTP status code from the npm registry.

Also, the following was in the response header: npm-notice:ERROR: you cannot fetch versions for scoped packages

This issue came to light as part of a pull request (sindresorhus/package-json#6 (comment)) against package-json.

IRC discussion: http://logs.nodejs.org/npm/2015-07-29#19:04:58.872

[othiym23]

It turns out that the fact that this route worked for so long for unscoped packages was sort of a quirk of CouchDB -- this way of accessing individual package metadata was never used by the npm CLI (at least as far as I've been able to tell), and as such wasn't ported over to the new registry architecture for use with scoped packages. In fact, it's likely that the unscoped version will stop working at some point in the near future as the npm registry team locks down access to anything not supported as part of the official interface between the CLI and the registry.

The workaround is pretty simple: fetch the entire package document, and then pick off the property versions["1.0.1"]:

% curl https://registry.npmjs.org/@sindresorhus%2Fdf | json 'versions["1.0.1"]'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4288  100  4288    0     0   3653      0  0:00:01  0:00:01 --:--:--  3652
{
  "name": "@sindresorhus/df",
  "version": "1.0.1",
  "description": "Get free disk space info from `df -kP`",
  "//": "..."
}

If you want an interface like this back / to work with scoped packages, you might want to file an issue describing your use case at https://github.com/npm/public-api/issues/new.

[rsp]

What quirk of CouchDB? It seems like a behavior that's been thought out and implemented on purpose:

https://github.com/npm/npm-registry-couchapp/blob/v2.6.10/registry/shows.js#L139-L153

It seems quite wasteful to download data for every version in the module's history if all you need is one version. For modules with two releases it may not matter that much but for other modules the difference is significant - for express it is 2kB vs 500kB, see:

time curl -s https://registry.npmjs.org/express | wc -c
time curl -s https://registry.npmjs.org/express/4.0.0 | wc -c

And it only gets worse with every new version. At some point it will be a problem if it isn't already. It's just a matter of deciding if generating and sending 500kB of unneeded data by the npm registry when the client wants to get 2kB is already unreasonable or we need to wait until it's 5MB.

See comments to PR 16 and PR 17 of package-json:
sindresorhus/package-json#16
sindresorhus/package-json#17

[ghost]

This API end-point is now documented - https://github.com/npm/registry/blob/master/docs/REGISTRY-API.md#getpackageversion

Can this issue please be re-opened to reflect that scoped packages are not supported per the API spec?

[othiym23]

This is the issue tracker for the npm CLI, which hasn't used that access pattern for the registry since before npm@1, many years ago. If you believe that the current behavior of the registry is incorrect relative to its documentation, I encourage you to open a new issue on npm/registry. However, keep in mind that the existence of /package/version routes in the registry is a legacy feature that's only used by third-party applications, and may not be a permanent part of the registry API.

[broofa]

FWIW, discussion of this issue is ongoing at https://github.com/npm/registry/issues/34