Add support for npm deprecate

Moaz Khalifa requested to merge 396763-Add-support-for-npm-deprecate into master

What does this MR do and why?

Adds support for npm deprecate

This command will update the npm registry entry for a package, providing a deprecation warning to all who attempt to npm install it.

It works on version ranges as well as specific versions. CLI examples:

npm deprecate @scope/package_name "All package versions are deprecated"
npm deprecate @scope/package_name@1.0.1 "Only version 1.0.1 is deprecated"
npm deprecate @scope/package_name@"< 1.0.5" "All 1.0.5 prerelease versions are deprecated"
npm deprecate @scope/package_name@1.x "All 1.x versions are deprecated"

We can un-deprecate a package version by sending an empty string as the deprecation warning:

npm deprecate @scope/package_name ""
npm deprecate @scope/package_name@1.0.1 ""
npm deprecate @scope/package_name@"< 1.0.5" ""
npm deprecate @scope/package_name@1.x ""

How does npm deprecate work?

  1. When we run npm deprecate, npm sends a GET request to the package registry metadata endpoint, i.e. get "/api/v4/projects/:id/packages/npm/:package_name"
  2. After receiving the metadata endpoint response, npm attaches this response as the request body of a PUT request to the same endpoint that handles npm publish, i.e. put "/api/v4/projects/:id/packages/npm/:package_name"
  3. In the npm publish endpoint, we need to check for the 'Npm-Command' header, and if its value is deprecate, we can let the deprecation service HandlePackageDeprecationService handle the request.
  4. Each npm package has an npm_metadatum record in the packages_npm_metadata table. In order to deprecate a package, we need to add a deprecated key with the deprecation warning as its value to the npm_metadatum's package_json jsonb field.

Since we use the same endpoint as npm publish, this command is only supported on the project level.

How to set up and validate locally

  1. Publish multiple versions of an npm package to your local GitLab package registry.
  2. Run npm deprecate from the root of the package and try the variations of deprecate/un-deprecate examples mentioned above.
  3. When deprecating a package version, you should see a deprecation warning when you try to run npm install.
  4. You should also see the deprecation warning when you run npm view to get the package metadata.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #396763 (closed)

Database Analysis

!117009 (comment 1349678778)

Edited by Moaz Khalifa
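
The flow described under "How does npm deprecate work?" above, as an added Ruby example that is not code from this merge request or from GitLab. It assumes the PUT body carries a `versions` map whose entries may hold a `deprecated` string; `handle_deprecation`, `SAMPLE_STORE` and `SAMPLE_BODY` are hypothetical names, and the in-memory hash stands in for the package_json field of packages_npm_metadata. Because the body is the client's copy of the metadata, the sketch copies only the `deprecated` value and ignores every other field.

```ruby
require 'json'

# Constructed sample data: version => stored package_json.
SAMPLE_STORE = {
  '1.0.0' => { 'name' => '@scope/package_name', 'version' => '1.0.0' },
  '1.0.1' => { 'name' => '@scope/package_name', 'version' => '1.0.1',
               'deprecated' => 'Only version 1.0.1 is deprecated' }
}

# Constructed PUT body: deprecates 1.0.0, un-deprecates 1.0.1, and also
# carries a tampered name and a version the registry has never stored.
SAMPLE_BODY = JSON.generate('versions' => {
  '1.0.0' => { 'name' => 'something-else', 'deprecated' => 'use 1.0.5' },
  '1.0.1' => { 'deprecated' => '' },
  '9.9.9' => { 'deprecated' => 'not a stored version' }
})

# Returns the versions whose deprecation state changed, or nil when the
# request is not a deprecate call and belongs on the normal publish path.
def handle_deprecation(headers, body, store)
  return nil unless headers['Npm-Command'] == 'deprecate'

  changed = []
  JSON.parse(body).fetch('versions', {}).each do |version, client_json|
    stored = store[version]
    next unless stored                    # never create versions here
    next unless client_json.is_a?(Hash) && client_json.key?('deprecated')

    warning = client_json['deprecated']
    next unless warning.is_a?(String)     # skip non-string warnings
    next if warning == stored['deprecated'].to_s # state is unchanged

    # Copy only the 'deprecated' value; all other client fields are ignored.
    if warning.empty?
      stored.delete('deprecated')         # empty string un-deprecates
    else
      stored['deprecated'] = warning
    end
    changed << version
  end
  changed
end

if __FILE__ == $PROGRAM_NAME
  p handle_deprecation({ 'Npm-Command' => 'deprecate' }, SAMPLE_BODY, SAMPLE_STORE)
  puts JSON.pretty_generate(SAMPLE_STORE)
end
```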
