Yarn: http://registry.npmjs.org not https://registry.npmjs.org

Created on 7 Sep 2018 · 4 Comments · Source: yarnpkg/yarn

Do you want to request a feature or report a bug?

Possible bug, depending on whether yarn is meant to handle this or not.

What is the current behavior?

yarn upgrade has replaced resolved URLs for packages previously at https://registry.yarnpkg.com with http://registry.npmjs.org, e.g.:

 babel-plugin-syntax-async-functions@^6.8.0:
   version "6.13.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-syntax-async-functions/-/babel-plugin-syntax-async-functions-6.13.0.tgz#cad9cad1191b5ad634bf30ae0872391e0647be95"
+  resolved "http://registry.npmjs.org/babel-plugin-syntax-async-functions/-/babel-plugin-syntax-async-functions-6.13.0.tgz#cad9cad1191b5ad634bf30ae0872391e0647be95"
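Review bot: the `+` resolved line changes both the scheme (https to http) and the host (registry.yarnpkg.com to registry.npmjs.org) in one edit, while the `#cad9cad1191b5ad634bf30ae0872391e0647be95` sha1 fragment is unchanged. Over plain http the client no longer authenticates the registry, so that 40-hex sha1 suffix becomes the only check on the downloaded tarball; the line should keep an https URL.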

What is the expected behavior?

If the choice of scheme http vs https is handled by yarn, ideally this would be resolving to https to help avoid MITM attacks, so the above diff would be:

 babel-plugin-syntax-async-functions@^6.8.0:
   version "6.13.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-syntax-async-functions/-/babel-plugin-syntax-async-functions-6.13.0.tgz#cad9cad1191b5ad634bf30ae0872391e0647be95"
+  resolved "https://registry.npmjs.org/babel-plugin-syntax-async-functions/-/babel-plugin-syntax-async-functions-6.13.0.tgz#cad9cad1191b5ad634bf30ae0872391e0647be95"
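Review bot: this expected `+` line fixes only the scheme and still carries the host change to registry.npmjs.org from the earlier diff; if the goal is to avoid churn in yarn.lock, restoring the original https://registry.yarnpkg.com URL would leave the line untouched.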

Please mention your node.js, yarn and operating system version.

Node: v10.9.0
Yarn: 1.9.4
OS: Mac OS X 10.13.6 (17G65)

triaged

All 4 comments

Hi! This is #6259, which was fixed by #6353 on master, but not yet released.

Ah, actually Yarn v1.10.0 has now been released, which includes that fix. Could you give it a try? :-)

@edmorley Yep, 1.10.0 sorts this out! I'd misinterpreted the bug as early action on #5891, but it's definitely #6259 as you'd pointed out!

What's the best way to upgrade the yarn.lock file after upgrading from 1.9.4 to >1.10.0 to fix the http://registry.npmjs.org issue? I've tried yarn upgrade but that includes unwanted upgrades and manual find/replace seems hacky. Is there something like yarn upgrade that preserves all existing versions (preventing a large testing effort on the app) while replacing the wrong registry and also adding integrity field in yarn.lock file?
