Force NPM to skip package already installed from another source - npm

I'm trying to npm install a package from a heavily proxied Enterprise computer. One of the dependencies of this package tries to install via GitHub, which throws a 407 error.
npm ERR! /usr/bin/git ls-remote -h -t https://github.com/ethereumjs/ethereumjs-abi.git
npm ERR!
npm ERR! fatal: unable to access 'https://github.com/ethereumjs/ethereumjs-abi.git/': Received HTTP code 407 from proxy after CONNECT
I've discussed this with the team that manages these servers; even with proper proxy authentication, access to sites outside of internal registries is very uncommon as a security measure.
As an alternative, I found the package on the NPM registry, and successfully installed it using the internal mirror we have. However, it still tries to install the GitHub version as a dependency of the first package, and then the installation fails. Is there any way to prevent this? I think I've seen something about editing the package's package.json to remove the dependency, but I don't have any experience with this, so I'll only do it if it's the only option to prevent this. Thank you
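To see which lockfile entry npm would fetch from GitHub instead of the registry mirror, as with the failing ethereumjs-abi fetch above, and which package requires it, here is an added example that is not part of the original post. The allowed host list, `demo-app`, `some-wallet-lib` and the commit placeholder are assumptions made for illustration.

```javascript
// Added example: flag package-lock.json entries that npm would fetch from
// anywhere other than the approved registry. ALLOWED_HOSTS is an assumption.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);

function classifyResolved(resolved, allowedHosts = ALLOWED_HOSTS) {
  if (!resolved) return 'none'; // bundled or workspace entry, nothing fetched
  if (/^(git[+:]|github:)/.test(resolved)) return 'git';
  if (resolved.startsWith('file:')) return 'local';
  try {
    return allowedHosts.has(new URL(resolved).host) ? 'registry' : 'other-host';
  } catch {
    return 'unknown'; // not a parseable URL; report it for manual review
  }
}

// Walks the lockfile v2/v3 "packages" map and reports each off-registry entry
// together with the packages that declare it as a dependency.
function findOffRegistry(lock, allowedHosts = ALLOWED_HOSTS) {
  const entries = Object.entries(lock.packages || {});
  const findings = [];
  for (const [path, meta] of entries) {
    if (path === '' || meta.link) continue; // root project or workspace symlink
    const kind = classifyResolved(meta.resolved, allowedHosts);
    if (kind === 'registry' || kind === 'none') continue;
    const name = path.split('node_modules/').pop();
    const requiredBy = entries
      .filter(([, m]) => m.dependencies && name in m.dependencies)
      .map(([p]) => p || '(root)');
    findings.push({ name, kind, resolved: meta.resolved, requiredBy });
  }
  return findings;
}

// Constructed sample lockfile; package names and the commit are placeholders.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app', dependencies: { 'some-wallet-lib': '^1.0.0' } },
    'node_modules/some-wallet-lib': {
      resolved: 'https://registry.npmjs.org/some-wallet-lib/-/some-wallet-lib-1.0.0.tgz',
      dependencies: { 'ethereumjs-abi': 'git+https://github.com/ethereumjs/ethereumjs-abi.git' },
    },
    'node_modules/ethereumjs-abi': {
      resolved: 'git+ssh://git@github.com/ethereumjs/ethereumjs-abi.git#0000000',
    },
  },
};

console.log(findOffRegistry(SAMPLE_LOCK));
```

Run against a real `package-lock.json` by replacing `SAMPLE_LOCK` with the parsed file and adding the internal mirror's host to `ALLOWED_HOSTS`.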

Related

DevOps local npm ajv version has been deleted

We have an issue with the DevOps upstream npm feed. We built and deployed our Angular app a few months ago with no issues. We are now trying to build the project but it's complaining with the error below. This seems to be because the locally stored version of the upstream npm package, ajv version 6.12.6, has been deleted due to a retention policy. We are unable to get it back; does anyone know how we get it back?
npm ERR! code E404
npm ERR! 404 Not Found - GET https://tfs.pkgs.visualstudio.com/_packaging/myproject/npm/registry/ajv/-/ajv-6.12.6.tgz - Cannot find the package 'ajv' in feed 'npm_***'
npm ERR! 404
npm ERR! 404 'ajv@https://tfs.pkgs.visualstudio.com/_packaging/myproject/npm/registry/ajv/-/ajv-6.12.6.tgz' is not in this registry.
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
The artifact view shows the below:
Update:
It would seem that there is no way to correct this! as mentioned here https://developercommunity.visualstudio.com/t/deleted-versions-of-upstream-packages-cannot-be-re/1620100
Fairly poor thought on DevOps part! So currently we are now pointing to the standard npm package url (https://registry.npmjs.org/) and not the dev ops artifact one; in order to get it to build again!
As you know, an Azure DevOps feed has an immutability constraint. So there isn't any way to add the same version in the true sense at this moment.
Currently available methods are:
1. Create a new feed and download the package via this feed.
2. Download the package, change the package info and publish it to the Artifacts feed (as another package).
3. Directly use the public source.
There is a suggestion ticket about this feature in official community:
Relax Azure Artifacts restriction on re-publishing versions
You can upvote this suggestion ticket and share your ideas in it.

What is the correct way of installing firebase-tools (a npm package) in NixOS/Nix?

I am watching this Udemy course on Firebase. The course is a bit dated, initially made maybe 6 years ago.
At some point the author indicates how to use firebase CLI, hence he indicates the command:
~/projects/chatlive]$ npm install -g firebase-tools
I added sudo to avoid permission problems:
~/projects/chatlive]$ sudo npm install -g firebase-tools
Unfortunately, this error message is retrieved:
npm WARN checkPermissions Missing write access to /nix/store/nm7vm9d7xbvibazz7kl7xkqgjddqgiby-nodejs-14.18.3/lib/node_modules
npm ERR! code EROFS
npm ERR! syscall access
npm ERR! path /nix/store/nm7vm9d7xbvibazz7kl7xkqgjddqgiby-nodejs-14.18.3/lib/node_modules
npm ERR! errno -30
npm ERR! rofs EROFS: read-only file system, access '/nix/store/nm7vm9d7xbvibazz7kl7xkqgjddqgiby-nodejs-14.18.3/lib/node_modules'
npm ERR! rofs Often virtualized file systems, or other file systems
npm ERR! rofs that don't support symlinks, give this error.
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2022-07-28T15_33_55_544Z-debug.log
I am using NixOS and this is my config file. Since the error message mentions the nix/store I thought it could be related.
Usually, I install things in NixOS changing my configuration.nix and doing sudo nixos-rebuild switch. But I thought it would not be necessary to do it considering npm was managing the installation.
Searching on Nix packages, I can see firebase-tools: link. Now, it seems that tweaking the config file is the way...
In situations like this, what is the best practice?
Should I force trying to install via npm (how?)? Should I go for a new generation of NixOS and a full system rebuild just because of this package?
Is there another possible path? Am I missing something?
Thanks.
If you just want to play around with firebase-tools in a development environment, create a shell.nix file in your working directory and add the following lines:
{ pkgs ? import <nixpkgs> {} }:
pkgs.mkShell {
  nativeBuildInputs = [ pkgs.nodePackages.firebase-tools ];
}
Then run nix-shell to start a shell with firebase-tools included. This is considered best practice for local development environments, see https://nixos.wiki/wiki/Development_environment_with_nix-shell .
If you want to try out packages not in nixpkgs repo you should use npm and install a package locally (without -g ). See https://nixos.wiki/wiki/Node.js#Using_npm_install_-g_fails.

Can't install a scoped package I published to a npm registry in GCP

I published several npm packages to a private npm registry hosted in GCP and I can see all versions in the registry. Yet I can't download the package since the install command throws an E404.
NPM throws a generic 404 Error when trying to download the page:
npm ERR! code E404
npm ERR! 404 Not Found - GET https://europe-north1-npm.pkg.dev/[Project]/@[scope]/[packagename]/-/@[scope]/[packagename]-0.1.0.tgz
npm ERR! 404
npm ERR! 404 '@[scope]/[packagename]@https://europe-north1-npm.pkg.dev/[Project]/@[scope]/[packagename]/-/@[scope]/[packagename]-0.1.0.tgz' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
Opening the URL that it is trying to resolve returns this error:
{"error":"Permission \"artifactregistry.repositories.downloadArtifacts\" denied on resource \"projects/[Project]/locations/europe-north1/repositories/@[scope]\" (or it may not exist)"}
{"error":"Unmatched scope name: \"\" != \"@[scope]\""}
Additionally, I checked and my account does in fact have the downloadArtifacts role.
I can't figure out why it's unable to resolve the URL since with the same config I'm able to both publish and even run npm view the package.
I've tried creating brand new packages, specifying a version, resetting the auth token and yet for some reason I'm still unable to download packages.
If it helps, my current .npmrc file looks like this:
registry:https://registry.npmjs.org/=true
@[scope]:registry=https://europe-north1-npm.pkg.dev/[project]/[repo name]/
//europe-north1-npm.pkg.dev/[project]/[repo name]/:_authToken=[gcp auth token]
//europe-north1-npm.pkg.dev/[project]/[repo name]/:always-auth=true
//registry.npmjs.org/:_authToken=[npm auth token]
Turns out this was not a GCP specific issue, but a Yarn Berry issue when publishing to GCP.
The tarballURL that is being generated uses a truncated registry URL, which is why I was getting a 404 when trying to install the package.
A fix for this was proposed here.
https://github.com/yarnpkg/berry/pull/3513
I had an error similar to this one.
I did the entire repository creation process and created a new project to test the package.
When I tried npm install my-package I got a 404 error.
After some tests I discovered that I need the .npmrc file also in the project that will consume the package. It may seem kind of obvious to some people but I didn't know.
Add the returned configuration settings to the .npmrc configuration file in your Node.js projects. This file is usually in the same directory as package.json.
Make sure that you include these settings in Node.js projects for packages that you publish as well as projects that will install dependencies from your npm repository.
Set up authentication for npm
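The question's .npmrc pairs a scoped registry with a credential line, and the second answer found that the consuming project needs the same settings. The following added example (not from the original posts) reports, for each scoped registry in an .npmrc, whether a credential line covers it and whether the token is written literally in the file; the scope, project and repository names in the sample are constructed placeholders.

```javascript
// Added example: for each scoped registry in an .npmrc, report whether a
// credential line covers it and whether that credential is a literal secret.
function auditNpmrc(text) {
  const scopes = new Map(); // '@scope' -> registry URL
  const tokens = new Map(); // '//host/path/' -> token value
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue; // not a key=value line
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    const scoped = key.match(/^(@[^:]+):registry$/);
    if (scoped) scopes.set(scoped[1], value);
    else if (key.startsWith('//') && key.endsWith(':_authToken')) {
      tokens.set(key.slice(0, -':_authToken'.length), value);
    }
  }
  const report = [];
  for (const [scope, registry] of scopes) {
    // Credentials are keyed by the registry URL without its protocol; a key
    // for a parent path also applies, so match on prefix.
    const target = registry.replace(/^https?:/, '').replace(/\/?$/, '/');
    const hit = [...tokens.keys()].find((prefix) => target.startsWith(prefix));
    report.push({
      scope,
      registry,
      hasToken: hit !== undefined,
      // npm expands ${VAR} in .npmrc, so a token can stay out of the file.
      literalToken: hit !== undefined && !/^\$\{[^}]+\}$/.test(tokens.get(hit)),
    });
  }
  return report;
}

// Constructed .npmrc (project, repository and scope names are placeholders).
const SAMPLE_NPMRC = [
  '@acme:registry=https://europe-north1-npm.pkg.dev/my-project/my-repo/',
  '//europe-north1-npm.pkg.dev/my-project/my-repo/:_authToken=${NPM_TOKEN}',
  '@tools:registry=https://europe-north1-npm.pkg.dev/my-project/tools-repo/',
].join('\n');

console.log(auditNpmrc(SAMPLE_NPMRC));
```

A scope reported with `hasToken: false` is sent to its registry without credentials, and `literalToken: true` marks a secret that will travel with the file if the project .npmrc is committed.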

JFrog npm install fails

In Jfrog Artifactory, I created a read only user and tried to access a remote NPM package which is part of NodeJS repository.
For example
npm install @angular/material and the package fails to download it with the following error:
The user is part of a read only group.
npm ERR! code E403
npm ERR! 403 Forbidden:@angular/material@^5.2.5
Can someone please suggest where I can set the read permissions for the user?
This is an already existing user with which other python artifacts are successfully installed.
Even npm local repositories are installed successfully, but npm remote repositories fetched from the npm registry are giving errors.
I found the answer myself. Enabling the Upload/Cache permission in JFROG Artifactory fixed the issue.
As per the JFROG help
READ: Allows only downloading of artifacts
Upload/Cache: Allows uploading artifacts to local repository and caching artifacts from remote repositories.
Since downloading artifacts from remote needs remote caching, this permission is not available for the READ permission users.

What is url for npm packages repository?

I have installed Node.js and npm on my Windows. But when I try to install npm modules (packages) using
command>>npm install -g xxxx(package name)
It doesn't get installed, and it asked me to check the proxy setting. As I am working on a private network, maybe it doesn't allow me to access the URL from which npm packages get downloaded.
Please tell me what is url for such npm packages from where it gets downloaded so that I can ask my network provider to give access for that site.
NPM packages are downloaded from https://registry.npmjs.org unless otherwise configured.
You can get the download URL for a package with npm view, for example JQuery:
npm view jquery dist.tarball
returns: https://registry.npmjs.org/jquery/-/jquery-3.5.1.tgz
You can change the default registry with npm set registry <new url>; this is typically used in large institutions or corporations with an internal registry mirror.
All npm packages are in fact downloaded from GitHub. However, npm resolves those GitHub dependencies via https://www.npmjs.com.
For example, express https://github.com/expressjs/express is the download link.
npm install -g express (or without -g).
The system does not know the GitHub location of the express package. So it must first lookup https://www.npmjs.com to get GitHub url. Then it will clone the package.