Fetch npm packages from the GitLab cache

Problem to solve

In #241243 (closed), we started caching packages fetched from npm's public registry. However, when fetching packages, we are not currently resolving them from the cache.

In order to increase the reliability of pipelines, we should deliver packages from the cache when not found in the npm public registry.

Intended users

User experience goal

The user should have confidence that their dependencies are available even if the npm public registry isn't.

Proposal

A request for an npm package will go to GitLab -> npmjs.com -> Dependency Proxy cache. Only if a package is not found in the first two options should we pull it from the cache.

Further details

Benefits

By only looking for the package in the cache after it has not been found in either GitLab or npmjs.com, we can deliver an MVC that will increase the reliability of builds without worrying about auto-updating the cache or delivering the wrong versions of a given package.

Permissions and Security

  • There are no permissions changes required for this issue.

Documentation

Availability & Testing

What does success look like, and how can we measure that?

Success looks like we can begin to dogfood this feature and avoid any issues due to outages of npmjs.com.

Metrics

  • how often is the cache hit
  • how often was a package searched for and found on npmjs.com
  • how often could it have been pulled from the cache
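The lookup order from the Proposal together with the three counters listed above, as an added Ruby example that is not GitLab's own code. The `NpmResolver` class, the hash-backed sources, the package names and the metric keys are all hypothetical, and it assumes an unreachable source is treated the same as "not found".

```ruby
# Added illustration; class, source and metric names are hypothetical.
class NpmResolver
  attr_reader :metrics

  # Each source is a Hash of "name@version" => tarball bytes, or nil to
  # simulate an unreachable source (constructed stand-ins for real backends).
  # Keys carry an exact version, so the cache can only return what was asked for.
  def initialize(gitlab:, npmjs:, cache:)
    @gitlab, @npmjs, @cache = gitlab, npmjs, cache
    @metrics = Hash.new(0)
  end

  # Returns [source, tarball] or nil. Order: GitLab -> npmjs.com -> cache.
  def fetch(spec)
    if (pkg = lookup(@gitlab, spec))
      return [:gitlab, pkg]
    end
    if (pkg = lookup(@npmjs, spec))
      @metrics[:found_on_npmjs] += 1
      # The cache is not used here; only record that it could have served this.
      @metrics[:could_have_used_cache] += 1 if lookup(@cache, spec)
      return [:npmjs, pkg]
    end
    if (pkg = lookup(@cache, spec))
      @metrics[:cache_hit] += 1
      return [:cache, pkg]
    end
    @metrics[:not_found] += 1
    nil
  end

  private

  # Assumption: an unreachable source (nil) counts as "not found".
  def lookup(source, spec)
    source && source[spec]
  end
end

# Constructed sample data.
CACHE = { "left-pad@1.3.0" => "cached-bytes", "lodash@4.17.21" => "cached-bytes" }

def demo
  up   = NpmResolver.new(gitlab: { "@acme/ui@2.0.0" => "gl" },
                         npmjs: { "lodash@4.17.21" => "npm-bytes" }, cache: CACHE)
  down = NpmResolver.new(gitlab: {}, npmjs: nil, cache: CACHE) # npmjs.com outage
  [up.fetch("@acme/ui@2.0.0"), up.fetch("lodash@4.17.21"), up.fetch("left-pad@1.3.0"),
   down.fetch("lodash@4.17.21"), down.fetch("nope@0.0.1"), up.metrics, down.metrics]
end
```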

What is the type of buyer?

  • This feature will be focused on mid to large size enterprises.

Is this a cross-stage feature?

Links / references