
Fix wildcard search for package.json in npm upload

Context

In Fix publishing npm package with custom root fol... (!155842 - merged), we wanted to fix a situation where users deviate from the npm standard way of uploading packages and use custom root directory names. So instead of looking for the package.json file using the search path package/package.json, we updated it to */package.json.

That worked, but caused another issue: */package.json is a wildcard search term. So if a package contains multiple nested package.json files, the */package.json search term picks the first one it finds, regardless of whether it is the root package.json or not. We might therefore end up with the wrong package.json, one that belongs to a nested directory, while what we want is the main package.json, which should be in the root of the uploaded package.

This caused an incident on gitlab.com. To fix it, we revert to the strict matching using package/package.json. This will make the uploading of packages with a custom root directory not work, but we will address this in another fix. The priority now is to fix the production issue, and that is why we go back to the strict matching.

What does this MR do and why?

This is a backport MR that targets the stable branch of milestone 17.1. We need this backport because the security fix https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4212 was also backported to 17.1. This means we need this backport to prevent the same incident from hitting the self-managed instances on version 17.1.

Screenshots or screen recordings

N/A

How to set up and validate locally

  1. Create a testing NPM package with another nested NPM package.
  2. Make sure the nested package has a package.json file too.
  3. Publish it to the npm Registry.
  4. The package should be published successfully.
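The search-path behaviour described in the Context section, and the nested-package scenario from the validation steps above, reproduced as an added Ruby example. This is not GitLab's own code: the tarball contents (SAMPLE_ENTRIES), the build_tgz and find_package_json helpers and the three matcher lambdas are constructed for illustration. The ROOT_ONLY_MATCH variant is an assumption showing one way a single-level match could accept a custom root directory; it is not the follow-up fix the MR defers.

```ruby
require 'rubygems/package'
require 'stringio'
require 'zlib'
require 'json'

# Constructed sample upload (not a real package): entry order puts a nested
# package.json BEFORE the root one, which is what makes a wildcard lookup
# that stops at the first match return the wrong manifest.
SAMPLE_ENTRIES = {
  'package/node_modules/helper/package.json' => { name: 'helper', version: '0.0.1' },
  'package/index.js'                         => "module.exports = {};\n",
  'package/package.json'                     => { name: '@scope/real-package', version: '1.2.3' }
}.freeze

# Build an npm-style .tgz in memory: a gzipped tar whose entries live under a
# single top-level directory ("package" is what `npm pack` produces).
def build_tgz(entries)
  tar_io = StringIO.new(''.b)
  Gem::Package::TarWriter.new(tar_io) do |tar|
    entries.each do |path, content|
      data = content.is_a?(String) ? content : JSON.generate(content)
      tar.add_file_simple(path, 0o644, data.bytesize) { |io| io.write(data) }
    end
  end
  Zlib.gzip(tar_io.string)
end

# Return [entry_path, parsed_manifest] for the first regular file whose path
# satisfies `matcher`, or nil when nothing matches. Stopping at the first hit
# is the behaviour the MR description attributes to the wildcard search.
def find_package_json(tgz_bytes, matcher)
  tar_io = StringIO.new(Zlib.gunzip(tgz_bytes))
  Gem::Package::TarReader.new(tar_io) do |tar|
    tar.each do |entry|
      next unless entry.file? && matcher.call(entry.full_name)
      return [entry.full_name, JSON.parse(entry.read)]
    end
  end
  nil
end

# The reverted search term: without File::FNM_PATHNAME, '*' also matches '/',
# so '*/package.json' is satisfied by a package.json at any depth.
WILDCARD_MATCH = ->(path) { File.fnmatch('*/package.json', path) }

# The strict term this MR goes back to: only the npm-standard root directory.
STRICT_MATCH = ->(path) { path == 'package/package.json' }

# Assumption for illustration only (not the deferred follow-up fix):
# FNM_PATHNAME keeps '*' from crossing '/', so a custom root directory is
# accepted while nested manifests are still excluded.
ROOT_ONLY_MATCH = ->(path) { File.fnmatch('*/package.json', path, File::FNM_PATHNAME) }

if __FILE__ == $PROGRAM_NAME
  tgz = build_tgz(SAMPLE_ENTRIES)
  { wildcard: WILDCARD_MATCH, strict: STRICT_MATCH, root_only: ROOT_ONLY_MATCH }.each do |label, m|
    path, manifest = find_package_json(tgz, m)
    puts format('%-9s -> %s (name=%s)', label, path, manifest && manifest['name'])
  end
end
```

Run the file directly to see the three lookups side by side: the wildcard term returns the nested helper manifest, the strict term returns package/package.json, and the same strict term returns nothing for a tarball whose root directory is not named package, which is the trade-off the Context section accepts for now.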

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

  • This MR is backporting a bug fix, documentation update, or spec fix, previously merged in the default branch.
  • The MR that fixed the bug on the default branch has been deployed to GitLab.com (not applicable for documentation or spec changes).
  • This MR has a severity label assigned (if applicable).
  • Set the milestone of the merge request to match the target backport branch version.
  • This MR has been approved by a maintainer (only one approval is required).
  • Ensure the e2e:package-and-test-ee job has either succeeded or been approved by a Software Engineer in Test.

Note to the merge request author and maintainer

If you have questions about the patch release process, please:

Related to #471629

Edited by Moaz Khalifa
