Cli: [QUESTION] npm update or install switching from registry.npmjs.org to registry.npm.taobao.org

Created on 14 Jun 2020 · 9 Comments · Source: npm/cli

What / Why

Over the last few days after running npm update my package-lock.json has been switching resolved values from registry.npmjs.org to registry.npm.taobao.org.

npm config list results in the following:

; cli configs
metrics-registry = "https://registry.npmjs.org/"
scope = ""
user-agent = "npm/6.14.5 node/v12.13.1 darwin x64"

I'm based in the US, and am able to access https://registry.npmjs.org/ without issue.

Where

  • CLI

Who

  • self

References

  • Example package.json that is triggering this. No new packages in weeks, just keeping up to date with npm update as needed.
{
  "name": "vuejs-tutorial",
  "version": "0.1.0",
  "private": true,
  "scripts": {
    "serve": "vue-cli-service serve",
    "build": "vue-cli-service build",
    "lint": "vue-cli-service lint"
  },
  "dependencies": {
    "bootstrap": "^4.5.0",
    "bootstrap-vue": "^2.15.0",
    "rpg-dice-roller": "^4.1.1",
    "vue": "^2.6.11",
    "vue-class-component": "^7.2.2",
    "vue-property-decorator": "^8.5.0"
  },
  "devDependencies": {
    "@typescript-eslint/eslint-plugin": "^3.2.0",
    "@typescript-eslint/parser": "^3.2.0",
    "@vue/cli-plugin-eslint": "^4.4.4",
    "@vue/cli-plugin-typescript": "^4.4.4",
    "@vue/cli-service": "^4.4.4",
    "@vue/eslint-config-typescript": "^5.0.1",
    "eslint": "^7.2.0",
    "eslint-plugin-jsdoc": "^27.0.7",
    "eslint-plugin-vue": "^6.1.2",
    "typescript": "^3.9.5",
    "vue-template-compiler": "^2.6.11"
  }
}

If I delete package-lock.json and npm install it switches over to the taobao mirror. I have tried another computer on the same network (using same repo and steps, npm 6.13.something (that I can't upgrade)) and it's not switching where it's pulling from.

I haven't found anyone else reporting this, so I'm curious how I could go about troubleshooting why npm isn't using my registry of choice.

Thanks! :)

Question Release 6.x

All 9 comments

Some additional items of note from package-lock.json, in case it helps.

Some changed lines include:

Resolved changes, as noted above:

       "dependencies": {
         "ansi-regex": {
           "version": "2.1.1",
-          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz",
+          "resolved": "https://registry.npm.taobao.org/ansi-regex/download/ansi-regex-2.1.1.tgz",
           "integrity": "sha1-w7M6te42DYbg5ijwRorn7yfWVN8=",
           "dev": true
         },
         "ansi-styles": {
           "version": "2.2.1",
-          "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-2.2.1.tgz",
+          "resolved": "https://registry.npm.taobao.org/ansi-styles/download/ansi-styles-2.2.1.tgz",
           "integrity": "sha1-tDLdM1i2NM914eRmQ2gkBTPB3b4=",
           "dev": true
         },
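
Review bot: both `resolved` lines here move from registry.npmjs.org to registry.npm.taobao.org while `version` and `integrity` are unchanged, so this is a change of download origin with no dependency update behind it. I would keep it out of the commit and regenerate the lock against the configured registry, so the lockfile records a single origin. The URL path also changes from `/-/` to `/download/`, so a plain host search-and-replace will not restore the original entries.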

Resolved changes and there's some additional parameters passed along:

         "supports-color": {
           "version": "2.0.0",
-          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-2.0.0.tgz",
+          "resolved": "https://registry.npm.taobao.org/supports-color/download/supports-color-2.0.0.tgz?cache=0&sync_timestamp=1573220230429&other_urls=https%3A%2F%2Fregistry.npm.taobao.org%2Fsupports-color%2Fdownload%2Fsupports-color-2.0.0.tgz",
           "integrity": "sha1-U10EXOa2Nj+kARcIRimZXp3zJMc=",
           "dev": true
         }
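
Review bot: the new `resolved` value for supports-color carries a query string (`cache=0`, `sync_timestamp=1573220230429`, `other_urls=...`), which looks like mirror-side state rather than a stable tarball address. A value like `sync_timestamp` is likely to vary between runs and produce lockfile diffs with no dependency change; regenerate this entry so `resolved` is a bare tarball URL.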

An actually updated package is fine:

     "vue-property-decorator": {
-      "version": "8.4.2",
-      "resolved": "https://registry.npmjs.org/vue-property-decorator/-/vue-property-decorator-8.4.2.tgz",
-      "integrity": "sha512-IqbARlvgPE2pzKfbecKxsu2yEH0Wv7hfHR6m4eZA3LTnNw9hveAX77vDfLFyTeMISS5N7Kucp/xRSHjcQ6bAfQ==",
-      "requires": {
-        "vue-class-component": "^7.1.0"
-      }
+      "version": "8.5.0",
+      "resolved": "https://registry.npmjs.org/vue-property-decorator/-/vue-property-decorator-8.5.0.tgz",
+      "integrity": "sha512-0RueJN/shPWf5gM8GLUD6bYiXr+q7bu+S1tgr7XwgBSng10H5DLQjVYfJ5XHAOPFo7fBfY1nxljBQ95qryAiWg=="
     },
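
Review bot: the 8.5.0 entry drops the `requires` block that tied 8.4.2 to `vue-class-component` `^7.1.0`, so the lock no longer records that relationship for this package. The package.json above lists `vue-class-component` `^7.2.2` as a direct dependency, which covers it here; worth confirming that stays the case.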

Are you still seeing this occur?

Yes, but I _might_ have some additional information as well?

I ran an npm update to update a single outdated package. This resulted in taobao registry references switching to npmjs. See https://github.com/JamesSkemp/vuejs-tutorial/pull/1/commits/55b797b963ff55eda234fefc75db3f2622810237

I then did a npm install of a different package (but same @vue namespace) and they're getting switched from npmjs to taobao. See https://github.com/JamesSkemp/vuejs-tutorial/pull/1/commits/6ea90a22ff6cd15d9a8889b8408ce18223347413

At this point in time, https://github.com/JamesSkemp/vuejs-tutorial/pull/1 has one remaining outdated npm package. Doing npm install @vue/cli-plugin-typescript and a git diff shows taobao -> npmjs.

After a git checkout package-lock.json package.json, npm install, npm outdated, I npm update @vue/cli-plugin-typescript and also get taobao > npmjs.

So it doesn't appear to be a difference between npm install and npm update, as at least that package was consistent ...

It looks like the initial commit of your package-lock (at least according to the linked repo) was using taobao mirror.

Not sure what could cause this exactly. (Maybe a brief registry service interruption?) When I check out the project and run npm update @vue/cli-plugin-eslint it resolves back to the regular registry in package-lock for those packages. As well as when I do a fresh install after removing package-lock and node_modules.

For a sanity check, can you run npm config get registry and see what the output is?

Just a guess, but maybe there's something going on with your npm cache which is resolving the deps to the taobao mirror.

Perhaps try deleting package-lock and node_modules, then installing with an empty cache:

npm i --cache=/tmp/empty-cache

Lastly, are you behind a company firewall or is there anything unique about your network setup by any chance?

npm config get registry returns https://registry.npmjs.org/

No company firewall for these runs, just a normal connection (provided by Charter/Spectrum, United States).

Following your suggestions everything switched over from taobao, and I was able to update without issue. I know I did delete the package-lock.json before, but can't recall if I deleted node_modules. I know I have in the past, but can't recall if I did it 9 days ago ...

I'm going to see if I have any other repos that are pointing to taobao.

Nope, no other Git project locally includes a package-lock.json reference to taobao.

So when I initially set this up, for some reason my registry was (possibly?) pointing to taobao, and then despite the npmjs registry configuration locally, it would occasionally pull from taobao instead of npmjs to update the references?

Ah ha.

As you pointed out, the first commit of package-lock.json was referencing taobao, for every package. Based upon the message and how I usually start off projects, that initial commit was created via the vue ui command.

I've been able to run that tool twice (once on 4.4.1 and once with the newest 4.4.6) and been able to confirm that once it finishes the new project creation it's referencing taobao.org in package-lock.json. I don't see any other taobao references in the project, or other registries in package-lock.json.

Searching for that behavior points me to https://github.com/vuejs/vue-cli/issues/1433, which sounds like it _might_ be a timeout issue.

Either way, taobao is being forced when I use the vue ui, which is why it started with that registry being referenced.

Interestingly, if I npm outdated and npm install eslint@latest (one of the outdated packages), it does add packages pointing to npmjs, and change some existing ones from taobao to npmjs.

So the thought is that it's bouncing back and forth between npmjs (what I have configured) and taobao, despite the version not changing, because it might have a reference cached?

But then why would it change packages that didn't have a new version referenced, and why would they flip back and forth, as is seen in https://github.com/JamesSkemp/vuejs-tutorial/pull/1/commits/24ac06efa41961d3e7054cc89d8a6d8dcdea01c4 and https://github.com/JamesSkemp/vuejs-tutorial/pull/1/commits/4fe91dea2adad1bc645481ebb72c22a8f1c7f62f , where the deep-is package (line 2888) swaps back and forth, on the same version (and presumably with the parent referencing the same registry between versions, since we're not seeing it in the file change log)?

:)

Possibly related:

I installed a single package (typescript, via npm -i typescript --save-dev), but innumerable* resolved records in package-lock.json were updated from npmjs.org registry to taobao.org.

*actually 141 packages had resolved changed without changing any other data in package-lock.json (version number stayed same).

         "ansi-regex": {
           "version": "2.1.1",
-          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz",
+          "resolved": "https://registry.npm.taobao.org/ansi-regex/download/ansi-regex-2.1.1.tgz",
           "integrity": "sha1-w7M6te42DYbg5ijwRorn7yfWVN8=",
           "dev": true
         },
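
Review bot: `integrity` on this entry is a `sha1-` digest, and it is the only field that binds the tarball while the download host changes, so content from the new origin is checked against SHA-1 alone. When regenerating the lock, check whether this entry comes back with a `sha512-` value like the vue-property-decorator entries quoted earlier in the thread.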

Deleting node_modules and package-lock.json and re-running npm install fixed it for me.

Clearing the npm cache had no effect.
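
The drift described in this thread can be caught mechanically before a lockfile is committed. The following is an added example, not code from npm or from any commenter: a Node.js script that walks a lockfile and reports entries whose `resolved` host is not the expected registry, that carry a query string, or that have only a SHA-1 (or no) integrity value. `EXPECTED_HOST`, `auditLock`, the `example-parent` entry and the file name `audit-lock.js` are assumptions made for the example.

```javascript
// Added example (not npm's code): flag package-lock.json entries whose "resolved" URL drifted.
const EXPECTED_HOST = 'registry.npmjs.org'; // assumption: the registry you configured

// npm 6 nests "dependencies" recursively; npm 7+ keeps a flat "packages" map.
function* nested(deps, prefix) {
  for (const [name, dep] of Object.entries(deps || {})) {
    if (dep === null || typeof dep !== 'object') continue;
    yield [prefix + name, dep];
    yield* nested(dep.dependencies, `${prefix}${name} > `);
  }
}
const lockEntries = (lock) =>
  lock.packages ? Object.entries(lock.packages) : [...nested(lock.dependencies, '')];

function auditLock(lock, expectedHost = EXPECTED_HOST) {
  const findings = [];
  for (const [name, dep] of lockEntries(lock)) {
    if (typeof dep.resolved !== 'string') continue; // root, bundled or linked entry
    let url; try { url = new URL(dep.resolved); } catch { continue; }
    if (!/^https?:$/.test(url.protocol)) continue; // git/file sources are out of scope
    const reasons = [];
    if (url.host !== expectedHost) reasons.push(`host=${url.host}`);
    if (url.search) reasons.push('query-string'); // e.g. sync_timestamp, other_urls
    if (!/(^|\s)sha(256|384|512)-/.test(dep.integrity || '')) reasons.push('sha1-or-no-integrity');
    if (reasons.length) findings.push({ name, version: dep.version, reasons });
  }
  return findings;
}

// Constructed sample: entries quoted in the thread (query string shortened), hypothetical parent.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  'vue-property-decorator': { version: '8.5.0',
    resolved: 'https://registry.npmjs.org/vue-property-decorator/-/vue-property-decorator-8.5.0.tgz',
    integrity: 'sha512-0RueJN/shPWf5gM8GLUD6bYiXr+q7bu+S1tgr7XwgBSng10H5DLQjVYfJ5XHAOPFo7fBfY1nxljBQ95qryAiWg==' },
  'example-parent': { version: '1.0.0', dependencies: {
    'ansi-regex': { version: '2.1.1', dev: true,
      resolved: 'https://registry.npm.taobao.org/ansi-regex/download/ansi-regex-2.1.1.tgz',
      integrity: 'sha1-w7M6te42DYbg5ijwRorn7yfWVN8=' },
    'supports-color': { version: '2.0.0', dev: true,
      resolved: 'https://registry.npm.taobao.org/supports-color/download/supports-color-2.0.0.tgz?cache=0&sync_timestamp=1573220230429',
      integrity: 'sha1-U10EXOa2Nj+kARcIRimZXp3zJMc=' } } } } };

// Usage: node audit-lock.js package-lock.json   (exit code 1 when anything is flagged)
if (process.argv[2]) {
  import('node:fs').then((fs) => {
    const found = auditLock(JSON.parse(fs.readFileSync(process.argv[2], 'utf8')));
    for (const f of found) console.log(`${f.name}@${f.version}: ${f.reasons.join(', ')}`);
    process.exitCode = found.length ? 1 : 0;
  });
}
```

Run as a pre-commit or CI step, the non-zero exit code stops a lockfile with mixed registry origins from being merged unnoticed.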
