
Update the NPM instance endpoint to find the correct package

What does this MR do and why?

This MR fixes the bug reported in #273427.

Overview of the Problem

When installing an NPM package using the instance endpoint, if the package exists in multiple projects, the metadata endpoint returns the packages from only one project. If the version passed to the npm CLI is not in the returned versions, then the npm CLI returns "No matching version found".

Overview of the Solution

The MR changes how we're finding the list of packages:

  • this was lifted from !108899 (closed), with some corrections and additional spec coverage
  • in the current code, the result is always scoped to a single project, even if the request was at the instance scope
  • in this MR we call PackageFinder with the namespace, if the endpoint was called with a namespace

The changes are hidden behind a feature flag because NPM is the most widely used package format for the Package Registry. This way, if we encounter issues in production, we can easily revert by turning off the feature flag.

  1. Adds a spec context that sets up the conditions reported in the issue:
  • there exists another project that hosts another package with the same name, but a different version

Screenshots or screen recordings

Error response when installing @mygroup/foo@1.0.0 with the feature flag disabled:

rad@mjolnirv3 ~/p/t/foo [1]> npm i @mygroup/foo@1.0.0 
npm ERR! code ETARGET
npm ERR! notarget No matching version found for @mygroup/foo@1.0.0.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/rad/.npm/_logs/2023-02-16T08_58_55_863Z-debug-0.log

How to set up and validate locally

  1. Setup
  • create a group named mygroup
  • create a project named project1 under mygroup with public visibility
  • create a project named project2 under mygroup with public visibility
  • publish an npm package named @mygroup/foo version 1.0.0 under project1
  • publish an npm package named @mygroup/foo version 2.0.0 under project2
  • create a personal access token
  • add the instance endpoint with the personal access token to .npmrc
  2. With the :npm_allow_packages_in_multiple_projects feature flag disabled:

npm i @mygroup/foo@2.0.0 installs successfully

npm i @mygroup/foo@1.0.0 fails with a "No matching version found" response

  3. With the :npm_allow_packages_in_multiple_projects feature flag enabled:

npm i @mygroup/foo@2.0.0 installs successfully

npm i @mygroup/foo@1.0.0 installs successfully

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #273427

Edited by Radamanthus Batnag
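
The scoping bug and the fix described in this MR, modelled as an added example (not GitLab's code and not part of the merge request). `find_packages`, `PUBLIC_ONLY`, the rule that the most recently published package's project wins when the flag is off, and the private `mygroup/secret` package are assumptions made for illustration; the sample data is constructed from the setup steps.

```ruby
# Added illustration; names and data are constructed, not taken from GitLab's code base.
Package = Struct.new(:name, :version, :project, :visibility)

# Publish order follows the setup steps; the private and @other entries are extra cases.
PACKAGES = [
  Package.new('@mygroup/foo', '1.0.0', 'mygroup/project1', :public),
  Package.new('@mygroup/foo', '2.0.0', 'mygroup/project2', :public),
  Package.new('@mygroup/foo', '3.0.0', 'mygroup/secret',   :private),
  Package.new('@other/foo',   '9.9.9', 'other/project',    :public)
].freeze

# Assumption: the caller may only read public projects.
PUBLIC_ONLY = ->(pkg) { pkg.visibility == :public }

# Hypothetical finder. With the flag off the result collapses to one project
# (assumed here: the project of the most recently published readable package).
# With the flag on, every readable project in the package's namespace contributes.
def find_packages(name, multiple_projects:, readable: PUBLIC_ONLY)
  namespace  = name[%r{\A@([^/]+)/}, 1]
  candidates = PACKAGES.select { |pkg| pkg.name == name && readable.call(pkg) }
  return [] if candidates.empty?

  if multiple_projects && namespace
    candidates.select { |pkg| pkg.project.start_with?("#{namespace}/") }
  else
    candidates.select { |pkg| pkg.project == candidates.last.project }
  end
end

# Versions the metadata endpoint would advertise to the npm CLI.
def versions(name, **opts)
  find_packages(name, **opts).map(&:version).uniq.sort_by { |v| Gem::Version.new(v) }
end

# The CLI can only install a version that appears in the metadata document.
def resolve(name, wanted, **opts)
  versions(name, **opts).include?(wanted) ? :installed : :etarget
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |flag|
    %w[1.0.0 2.0.0 3.0.0].each do |v|
      puts "flag=#{flag} @mygroup/foo@#{v} -> #{resolve('@mygroup/foo', v, multiple_projects: flag)}"
    end
  end
end
```

The private 3.0.0 entry stays unresolvable in both modes, which is the property to check when a lookup is widened from one project to a whole namespace.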
