artifact urls for scoped package format doesn't play nicely with yarn --offline

[moon-stripe]

Describe the bug
A clear and concise description of what the bug is.

verdaccio returns artifact urls for scoped packages that look like this:
https://{verdaccio-url}/@babel%2fcode-frame/-/code-frame-7.0.0.tgz#06e2ab19bdb535385559aabb5ba59729482800f8

as opposed to in public registry:

https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.0.0.tgz#06e2ab19bdb535385559aabb5ba59729482800f8

i.e. basically identical except verdaccio url encodes the scope/package as @babel%2fcode-frame instead of @babel/code-frame

But yarn's regex for finding packages in its offline cache don't work with this: https://github.com/yarnpkg/yarn/blob/master/src/fetchers/tarball-fetcher.js#L21

To Reproduce
Steps to reproduce the behavior:

1. yarn add a scoped package
2. follow steps here to populate offline mirror

Expected behavior
Offline mirror should have all the scoped packages.

Is there a reason why verdaccio url encodes the / there?

[moon-stripe]

I found https://github.com/verdaccio/verdaccio/blob/master/src/api/middleware.js#L73

I assume this is to avoid writing extra routes for scoped packages, but if that's the only concern, would you accept a PR to remove that middleware and add the extra routes necessary to preserve the /?

[juanpicado]

@moon-stripe, to be honest, this was done even before me as a contributor, so I'd need to find out the reason of the encoded URL first. Other question might be how pnpm or npm are handling this?

[moon-stripe]

@juanpicado afaict, npm doesn't have an equivalent offline mode. I'm not sure how pnpm's offline mode interacts. But in general, it seems best to mimc upstream npm behavior as closely as possible so as to not behaviors such as yarn's offline caching.

[juanpicado]

Is there a reason why verdaccio url encodes the / there?

Perhaps, that's legacy code. So, first, we need to know why is encoded and whether either yarn or use owns the bug.

[juanpicado]

FYI:
rlidwka/sinopia#104 (comment)
rlidwka/sinopia#275

[moon-stripe]

@juanpicado Interesting, thanks for those links! Reading through the thread and looking at the commits, it looks like it was simply the most expedient way to support scoped packages? And it seems to have caused issues with using an nginx proxy, which required some special-casing.

[juanpicado]

Exactly, so, what I'm not sure is whether that still required or not, we have some examples with NGINX https://github.com/verdaccio/docker-examples/tree/master/reverse_proxy/nginx and should be easy to try.

[DanielRuf]

cc @zkochan what would you recommend?

[zkochan]

I think it would be better if Verdaccio would use the same URL format as the npmjs.org. But pnpm works fine with the encoded URL format. pnpm normalizes the URL before saving it to the cache.

EDIT:

pnpm uses this package to parse a npm tarball URL. And here's the test for this specific case.

[DanielRuf]

Only yarn seems to have an issue with this.
So should we better open an issue for yarn?

[juanpicado]

@DanielRuf @zkochan I think he is aware https://twitter.com/arcanis/status/1131121028573388801

[juanpicado]

I think this can be closed yarnpkg/yarn@b8af7e0
yarnpkg/yarn#7499
@moon-stripe please try again or :-) just tell me so I can close this ticket.