NPM Registry Endpoint Response Lacks Package Dependency Metadata; Breaks NPM (#11867) · Issues · GitLab.org / GitLab

NPM Registry Endpoint Response Lacks Package Dependency Metadata; Breaks NPM

Summary

The response exposed by the GitLab NPM Registry API endpoint (https://gitlab.com/api/v4/packages/npm/@my-group%2fmy-project) lacks metadata JSON keys from package.json. Specifically lack of dependencies, devDependencies, etc. causes npm install @my-gitlab-group/my-package to fail dependency resolution on the FIRST npm install. Subsequent npm install commands appear to parse the package.json extracted from the tarball of the initial npm install.

Steps to reproduce

Create a root GitLab.com group (meaning gitlab.com/your-group-here)
Create a project/repository under that group: gitlab.com/your-group-here/your-project-here
Be sure NPM Registry is accessible (feature is enabled for all on GitLab.com but requires >= Gold plan for access to the feature)
Create your package with at least one dependency: npm init && npm install --keep mkdirp
Following the GitLab NPM Registry documentation directions, npm publish your package to your GitLab project's registry
Include your project's package as a dependency in some test package.json OR run npm install @your-group-here/your-project-here
Examine package-lock.json noting that for your project's package name, only version, resolved and integrity keys exist!
Run npm install a second time while the package-lock.json still exists and note this time the dependencies, devDependencies, etc. are all populated!

Example Project

I couldn't find a public GitLab project with a NPM registry to show as an example. We only have private packages in our organization/group otherwise I would create an example one there for reference from this issue.

What is the current bug behavior?

npm install for a GitLab NPM registry hosted package fails on a fresh install (no package-lock.json)!

What is the expected correct behavior?

npm install should work on a fresh install.

Relevant logs and/or screenshots

My speculation is that npm install needs additional metadata in the HTTP response from the NPM registry for initial installs to traverse dependencies and install those.

If you compare the response of the GitLab NPM registry endpoint: https://gitlab.com/api/v4/packages/npm/@my-group%2fmy-project to the official NPM registry (using package mkdirp as an example): https://registry.npmjs.org/mkdirp

Note the plethora of additional metadata included in the response. Specifically: under a given version number key, GitLab appears to ONLY include name, version, dist (and even then, dist only contains shasum and tarball).

If you want to examine the response JSON version key structure more closely and have curl and jq installed, try: curl -s https://registry.npmjs.org/mkdirp | jq '.versions."0.5.1"'

Specifically, I believe npm install is looking for dependencies, devDependencies, etc. in the response to also install those in the same atomic npm install command. Without that metadata, a second npm install is required on a fresh install until package-lock.json exits.

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

This bug happens on GitLab.com

Results of GitLab application Check

This bug happens on GitLab.com

Possible fixes

A possible workaround right now is simply to execute the install twice: npm install && npm install. Pretty lame and not acceptable or scalable to our entire team, CI pipelines, etc. from my organization's perspective. 📉

<!---
Please read this!

Before opening a new issue, make sure to search for keywords in the issues
filtered by the "regression" or "bug" label.

For the Community Edition issue tracker:

- https://gitlab.com/gitlab-org/gitlab-ce/issues?label_name%5B%5D=regression
- https://gitlab.com/gitlab-org/gitlab-ce/issues?label_name%5B%5D=bug

For the Enterprise Edition issue tracker:

- https://gitlab.com/gitlab-org/gitlab-ee/issues?label_name%5B%5D=regression
- https://gitlab.com/gitlab-org/gitlab-ee/issues?label_name%5B%5D=bug

and verify the issue you're about to submit isn't a duplicate.
--->

### Summary

The response exposed by the GitLab NPM Registry API endpoint (https://gitlab.com/api/v4/packages/npm/@my-group%2fmy-project) lacks metadata JSON keys from package.json. Specifically lack of dependencies, devDependencies, etc. causes `npm install @my-gitlab-group/my-package` to fail dependency resolution on the FIRST `npm install`. Subsequent `npm install` commands appear to parse the `package.json` extracted from the tarball of the initial `npm install`.

### Steps to reproduce

1. Create a _root_ GitLab.com group (meaning `gitlab.com/your-group-here`)
2. Create a project/repository under that group: `gitlab.com/your-group-here/your-project-here`
3. Be sure NPM Registry is accessible (feature is _enabled_ for all on GitLab.com but requires >= Gold plan for _access_ to the feature)
4. Create your package with at least one dependency: `npm init && npm install --keep mkdirp`
5. Following the [GitLab NPM Registry](https://docs.gitlab.com/ee/user/project/packages/npm_registry.html) documentation directions, `npm publish` your package to your GitLab project's registry
6. Include your project's package as a dependency in some test package.json OR run `npm install @your-group-here/your-project-here`
7. Examine `package-lock.json` noting that for your project's package name, only `version`, `resolved` and `integrity` keys exist!
8. Run `npm install` a second time while the package-lock.json still exists and note this time the dependencies, devDependencies, etc. are all populated!

### Example Project

### What is the current *bug* behavior?

`npm install` for a GitLab NPM registry hosted package fails on a fresh install (no package-lock.json)!

### What is the expected *correct* behavior?

`npm install` should work on a fresh install.

### Relevant logs and/or screenshots

My speculation is that `npm install` needs additional metadata in the HTTP response from the NPM registry for initial installs to traverse dependencies and install those.

If you compare the response of the GitLab NPM registry endpoint: https://gitlab.com/api/v4/packages/npm/@my-group%2fmy-project
to the official NPM registry (using package _mkdirp_ as an example): https://registry.npmjs.org/mkdirp

Note the plethora of additional metadata included in the response. Specifically: under a given version number key, GitLab appears to ONLY include `name`, `version`, `dist` (and even then, `dist` only contains `shasum` and `tarball`).

If you want to examine the response JSON version key structure more closely and have curl and jq installed, try:
`curl -s https://registry.npmjs.org/mkdirp | jq '.versions."0.5.1"'`

Specifically, I believe `npm install` is looking for `dependencies`, `devDependencies`, etc. in the response to also install those in the same atomic `npm install` command. Without that metadata, a second `npm install` is required on a fresh install until package-lock.json exits.

### Output of checks

This bug happens on GitLab.com

#### Results of GitLab environment info

This bug happens on GitLab.com

#### Results of GitLab application Check

This bug happens on GitLab.com

### Possible fixes

A possible workaround right now is simply to execute the install twice: `npm install && npm install`. Pretty lame and not acceptable or scalable to our entire team, CI pipelines, etc. from my organization's perspective. :chart_with_downwards_trend:

Edited May 30, 2019 by Cameron Boulton

NPM Registry Endpoint Response Lacks Package Dependency Metadata; Breaks NPM

Summary

Steps to reproduce

Example Project

What is the current bug behavior?

What is the expected correct behavior?

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

Results of GitLab application Check

Possible fixes

Linked issues