Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Metadata retrieval errors when using COREPACK_NPM_REGISTRY in combination with Sonatype Nexus #479

Open
PayBas opened this issue May 13, 2024 · 20 comments

Comments

@PayBas
Copy link

PayBas commented May 13, 2024

@aduh95 @arcanis
#436 has broken COREPACK_NPM_REGISTRY in combination with Sonatype Nexus repository manager.

ARG YARN_VERSION
ARG NPM_REGISTRY_URL="https://nexus.megacorp.com/repository/npmjs-proxy/"
ENV COREPACK_NPM_REGISTRY $NPM_REGISTRY_URL

RUN  npm config set registry $NPM_REGISTRY_URL \
  && npm install --global corepack@latest \
  && corepack enable \
  && corepack install --global yarn@${YARN_VERSION} \
  && yarn config set --home npmRegistryServer $NPM_REGISTRY_URL

Results in:

Installing yarn@4.2.1...
Internal Error: Server answered with HTTP 400 when performing the request to https://nexus.megacorp.com/repository/npmjs-proxy//@yarnpkg/cli-dist/4.2.1; for troubleshooting help, see https://github.com/nodejs/corepack#troubleshooting
    at fetch (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:22769:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async fetchAsJson (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:22776:20)
    at async fetchTarballURLAndSignature (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:22724:27)
    at async installVersion (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:22987:52)
    at async Engine.ensurePackageManager (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:23449:32)
    at async InstallGlobalCommand.installFromDescriptor (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:23846:5)
    at async InstallGlobalCommand.execute (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:23828:9)
    at async InstallGlobalCommand.validateAndExecute (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:20954:22)
    at async _Cli.run (/home/jenkins/.npm-global/lib/node_modules/corepack/dist/lib/corepack.cjs:21929:18)

Nexus doesn't provide metadata at the ${npmRegistryUrl}/${packageName}/${version} url.
I believe it only serves metadata at the ${npmRegistryUrl}/${packageName} url.

So this change breaks corepack for Nexus and perhaps Artifactory as well.

Had to revert to corepack 0.26.0

Update

I've found a public Nexus instance to show what I mean:
Web view: https://nexus3.onap.org/#browse/browse:npm:%40yarnpkg%2Fcli-dist
Artifact: https://nexus3.onap.org/repository/npm/%40yarnpkg/cli-dist/-/cli-dist-4.2.1.tgz
Metadata: https://nexus3.onap.org/repository/npm/%40yarnpkg/cli-dist

There is no metadata available at https://nexus3.onap.org/repository/npm/%40yarnpkg/cli-dist/4.2.1 !

@BasixKOR
Copy link

Is this reported to Sonatype as well? It seems like the incompatiblity lies on Nexus itself rather than the Corepack implementation.

@aduh95
Copy link
Contributor

aduh95 commented Jul 16, 2024

Possibly a duplicate of #498. Can you test with Corepack 0.29.x?

@jasonschroeder-sfdc
Copy link

Sonatype changed behavior in NEXUS-42854 , mentioned in the release notes , but it doesn't seem to be a sufficient fix.

@PayBas
Copy link
Author

PayBas commented Jul 30, 2024

Sonatype changed behavior in NEXUS-42854 , mentioned in the release notes , but it doesn't seem to be a sufficient fix.

Indeed NXRM 3.70.0 has changed this behavior, but it is still not compatible with corepack.

https://registry.npmjs.com/@yarnpkg/cli-dist/4.3.1

{
  "name": "@yarnpkg/cli-dist",
  "version": "4.3.1",
  "license": "BSD-2-Clause",
  "_id": "@yarnpkg/cli-dist@4.3.1",
  "bin": {
    "yarn": "bin/yarn.js",
    "yarnpkg": "bin/yarn.js"
  },
  "dist": {
    "shasum": "409cdab09b1f792d4e6bad5aa687320943b0d4cc",
    "tarball": "https://registry.npmjs.org/@yarnpkg/cli-dist/-/cli-dist-4.3.1.tgz",
    "fileCount": 5,
    "integrity": "sha512-Vpi/Nbu2SLXGRdKvuxhT0WNe3jOL/LM0Wl58yxUN9WcaQnCYyuIILNS3R35lujao1ZXoAN35d9vAsevzStDreQ==",
    "signatures": [
      {
        "sig": "MEYCIQDXpotyvZmuMzXobmJiotkmf/yvk+2IcPLdleVWTjZHlAIhAJA1Lh0fuNvB6nRSi5GzocTWyNej/F346E7HhuUGefSD",
        "keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA"
      }
    ],
    "unpackedSize": 2747220
  },
  "engines": {
    "node": ">=18.12.0"
  },
  "_npmUser": {
    "name": "yarnbot",
    "email": "nison.mael+yarnbot.npm@gmail.com"
  },
  "repository": {
    "url": "ssh://git@github.com/yarnpkg/berry.git",
    "type": "git",
    "directory": "packages/yarnpkg-cli"
  },
  "directories": {},
  "_hasShrinkwrap": false,
  "_npmOperationalInternal": {
    "tmp": "tmp/cli-dist_4.3.1_1718952731591_0.6413408756169847",
    "host": "s3://npm-registry-packages"
  }
}

https://nexus.megacorp.com/repository/npmjs-proxy/%40yarnpkg/cli-dist/4.3.1

{
  "_id": "@yarnpkg/cli-dist@4.3.1",
  "maintainers": [
    {
      "name": "daniel15",
      "email": "npm@d.sb"
    },
    {
      "name": "bestander",
      "email": "bestander@gmail.com"
    },
    {
      "name": "cpojer",
      "email": "christoph.pojer@gmail.com"
    },
    {
      "name": "arcanis",
      "email": "nison.mael@gmail.com"
    },
    {
      "name": "yarnbot",
      "email": "nison.mael+yarnbot.npm@gmail.com"
    }
  ],
  "license": "BSD-2-Clause",
  "dist-tags": {
    "v3": "3.8.3",
    "latest": "4.3.1"
  },
  "versions": {
    huge list of versions
  },
  "_rev": "66-3a3158dea3a016d10f8c72876b5d7be4",
  "name": "@yarnpkg/cli-dist",
  "time": {
    "created": "2021-04-09T11:18:13.039Z",
    "modified": "2024-07-25T12:13:04.535Z",
    "2.4.1": "2021-04-09T11:18:13.374Z",
    "3.0.0-rc.1": "2021-04-12T08:37:17.751Z",
    "3.0.0-rc.2": "2021-04-12T14:54:14.320Z",
    "3.0.0-rc.3": "2021-06-03T14:55:53.984Z",
    "3.0.0-rc.4": "2021-06-03T15:35:43.365Z",
    "2.4.2": "2021-06-03T16:01:55.314Z",
    "3.0.0": "2021-07-26T16:10:51.916Z",
    "3.0.1": "2021-08-22T21:01:32.655Z",
    "3.0.2": "2021-09-03T12:25:05.172Z",
    "3.1.0": "2021-10-25T14:57:38.351Z",
    "3.1.1": "2021-11-26T13:36:24.297Z",
    "3.2.0": "2022-02-21T13:04:45.372Z",
    "3.2.1": "2022-05-13T10:35:13.285Z",
    "3.2.2": "2022-07-21T12:52:26.715Z",
    "3.2.3": "2022-08-24T18:35:28.355Z",
    "3.2.4": "2022-10-05T16:44:57.592Z",
    "3.3.0": "2022-11-16T09:06:30.157Z",
    "3.3.1": "2022-12-20T16:05:09.449Z",
    "4.0.0-rc.35": "2023-01-09T01:13:52.390Z",
    "4.0.0-rc.36": "2023-01-18T16:59:29.806Z",
    "4.0.0-rc.37": "2023-01-29T12:51:45.270Z",
    "3.4.0": "2023-02-01T09:28:36.780Z",
    "3.4.1": "2023-02-01T16:15:20.181Z",
    "4.0.0-rc.38": "2023-02-04T13:11:54.127Z",
    "4.0.0-rc.39": "2023-02-08T07:53:10.481Z",
    "4.0.0-rc.40": "2023-03-05T16:51:01.498Z",
    "3.5.0": "2023-03-16T21:30:03.314Z",
    "4.0.0-rc.41": "2023-03-27T11:28:58.453Z",
    "4.0.0-rc.42": "2023-03-30T07:49:51.073Z",
    "3.5.1": "2023-05-01T18:58:44.561Z",
    "4.0.0-rc.43": "2023-05-01T20:13:10.935Z",
    "4.0.0-rc.44": "2023-05-17T14:51:46.551Z",
    "3.6.0": "2023-06-01T21:15:42.274Z",
    "4.0.0-rc.45": "2023-06-01T21:56:27.007Z",
    "3.6.0-git.20230603.hash-45f6ecc9": "2023-06-03T17:11:27.541Z",
    "3.6.0-git.20230603.hash-9645df4d": "2023-06-03T17:32:48.119Z",
    "3.6.0-git.20230603.hash-3c8237cb": "2023-06-03T17:38:39.424Z",
    "4.0.0-rc.46": "2023-06-22T08:20:11.007Z",
    "4.0.0-rc.47": "2023-06-29T09:12:39.333Z",
    "3.6.1": "2023-06-30T22:12:43.702Z",
    "4.0.0-rc.48": "2023-07-02T15:01:11.596Z",
    "4.0.0-rc.49": "2023-08-17T09:34:15.045Z",
    "3.6.2": "2023-08-17T19:10:10.089Z",
    "3.6.3": "2023-08-23T22:14:03.188Z",
    "4.0.0-rc.50": "2023-08-23T22:46:04.799Z",
    "4.0.0-rc.51": "2023-09-17T14:22:43.249Z",
    "4.0.0-rc.52": "2023-09-29T22:02:14.739Z",
    "3.6.4": "2023-10-03T22:19:02.653Z",
    "4.0.0-rc.53": "2023-10-03T23:34:15.182Z",
    "4.0.0": "2023-10-22T16:56:59.265Z",
    "4.0.1": "2023-10-28T15:26:56.339Z",
    "4.0.2": "2023-11-14T09:22:36.270Z",
    "3.7.0": "2023-11-14T18:04:35.535Z",
    "4.1.0": "2024-01-30T15:49:15.231Z",
    "3.8.0": "2024-02-01T20:19:11.188Z",
    "3.8.1": "2024-03-04T22:24:18.570Z",
    "4.1.1": "2024-03-04T23:11:57.106Z",
    "4.2.0": "2024-05-02T16:22:33.560Z",
    "3.8.2": "2024-05-02T17:04:36.111Z",
    "4.2.1": "2024-05-02T17:51:55.024Z",
    "4.2.2": "2024-05-08T17:50:42.768Z",
    "4.3.0": "2024-06-10T18:52:21.867Z",
    "4.3.1": "2024-06-21T06:52:11.814Z",
    "3.8.3": "2024-06-21T15:32:33.189Z"
  },
  "readme": "",
  "readmeFilename": "",
  "repository": {
    "url": "ssh://git@github.com/yarnpkg/berry.git",
    "type": "git",
    "directory": "packages/yarnpkg-cli"
  }
}

I've opened a support ticket at Sonatype in the hopes that they change the version-specific metadata to include a singlar version instead of a versions object containing all versions.

@yasinkocak
Copy link

We got the same issue with our organization, we can not update corepack

@PayBas
Copy link
Author

PayBas commented Jul 30, 2024

Yes, this is known issue, it is fixed in the upcoming 3.71.0 release, which is currently targeted to come out on August 6th.

Direct quote from Sonatype.

@aduh95
Copy link
Contributor

aduh95 commented Aug 9, 2024

Is this still an issue?

@smsalisbury
Copy link

Yes, this is known issue, it is fixed in the upcoming 3.71.0 release, which is currently targeted to come out on August 6th.

Direct quote from Sonatype.

3.71.0 was released last week. Can anyone who has already upgraded confirm that the release fixed this issue for them?

@PayBas
Copy link
Author

PayBas commented Aug 19, 2024

A quick test shows that unfortunately, the issue persists. I cannot see any difference between Nexus 3.70.1 and 3.71.0. There is also no mention of the issue in the 3.71.0 release notes

I'll reopen the Sonatype support ticket.

I guess we're stuck on corepack@0.26.0 for at least another couple weeks.

Update: reply from Sonatype:

I do apologize, but there appears to have been some slippage in the release schedule for this fix.
It is actually marked as being released with the 3.72.0 version.

@av-mc
Copy link

av-mc commented Aug 21, 2024

Thanks @PayBas for the update.
I'm having the mismatch hash issue (which is solved in issue 296) with corepack@0.26.0, so I have to update to corepack@0.28.0, and now I'm stuck with this issue.
Any suggestion to work around?

@PayBas
Copy link
Author

PayBas commented Aug 22, 2024

Thanks @PayBas for the update. I'm having the mismatch hash issue (which is solved in issue 296) with corepack@0.26.0, so I have to update to corepack@0.28.0, and now I'm stuck with this issue. Any suggestion to work around?

As long as your CI server and all your developers use the exact same COREPACK_NPM_REGISTRY value, then the "packageManager": "yarn@..." hash should be stable.

Just replace the hash in your package.json with the one in your error message. That's how we fixed it.

@av-mc
Copy link

av-mc commented Aug 22, 2024

Just replace the hash in your package.json with the one in your error message. That's how we fixed it.

Awesome. This works for me with corepack@0.26.0. Thank you so much!

@Robbson
Copy link

Robbson commented Aug 28, 2024

This error regrading Sonatype Nexus reminds me of a similar issue when trying to download a package manager using Corepack, starting with Yarn:

Internal Error: Server answered with HTTP 404 when performing the request to 
https://****/repository/proxy_npm_official/@yarnpkg/cli-dist/4.3.1; for troubleshooting help, see https://github.com/nodejs/corepack#troubleshooting
at fetch (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:21616:11)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async fetchAsJson (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:21623:20)
at async fetchTarballURLAndSignature (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:21571:27)
at async installVersion (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:21833:52)
at async Engine.ensurePackageManager (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:22310:32)
at async InstallGlobalCommand.installFromDescriptor (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:22707:5)
at async Promise.all (index 0)
at async InstallGlobalCommand.execute (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:22685:5)
at async InstallGlobalCommand.validateAndExecute (/home/containeruser/lib/node_modules/corepack/dist/lib/corepack.cjs:19835:22)

The issue appears as soon as we switch to Corepack 0.24.0 or later. I guess it's all related to this decision.

That's pretty strange because we don't have any install/download issues at all for packages coming from Nexus V3.66 using npm, pnpm or yarn. So Corepack does something special which leads to a 404 error instead.

Of course, you could remove the COREPACK_NPM_REGISTRY env variable so it fetches the tool from the original yarn source like before 0.24.0. But that way other package managers like pnpm can't be installed because without COREPACK_NPM_REGISTRY the original npm registry is requested, which is not available for us.

So COREPACK_NPM_REGISTRY has to be enabled or disabled depending on which package manager you are going to install? That's kind of ridiculous, isn't it? I guess that's why Corepack is still described as experimental in the NodeJS docs.

So switching back to 0.23.0 is the best and easiest solution for us so far.

@PayBas
Copy link
Author

PayBas commented Sep 9, 2024

3.72.0 release notes mention:

NEXUS-43608 : Requests for version-specific scoped npm metadata return the expected metadata.

This should be the fix. Haven't had the opportunity to test it yet though.

@jackmtpt
Copy link

jackmtpt commented Sep 9, 2024

3.72.0 includes a partial fix it seems - the version-specific metadata is there...but the .dist.tarball property still points at the upstream feed URL instead of pointing back into the Nexus Repository server 🤦

@PayBas
Copy link
Author

PayBas commented Sep 9, 2024

3.72.0 includes a partial fix it seems - the version-specific metadata is there...but the .dist.tarball property still points at the upstream feed URL instead of pointing back into the Nexus Repository server 🤦

Sigh. I'll open another ticket...

Update: Sonatype has acknowledged the issue and are tracking it under internal ticket NEXUS-44175. Whether this will result in a 3.72.1 or if we have to wait for 3.73.0 remains to be seen. It probably depends on whether the issue breaks current deployments.

@PayBas
Copy link
Author

PayBas commented Sep 26, 2024

Work on NEXUS-44175 has been completed. It didn't make the cut for 3.73.0, so it will be in the 3.74.0 release. That release is currently targeted to come out in the first week of November.

Guess we'll have to wait quite a while longer. 😞

@PayBas
Copy link
Author

PayBas commented Nov 19, 2024

https://help.sonatype.com/en/sonatype-nexus-repository-3-74-0-release-notes.html contains:

NEXUS-44175 - Requests for version-specific npm package metadata returns the correct download URL.

Haven't had time to test it yet, but with any luck this might finally solve this issues.

Update: tested 3.74.0, but there's still an issue with the tarball metadata value, so that will probably still prevent it from working (although I haven't actually tested it with corepack yet).

Created yet another support ticket.

the URL is still not correct (the @4.1.0 does not belong in the URL). I have entered defect NEXUS-45088 to have this addressed.

@jackmtpt
Copy link

jackmtpt commented Dec 5, 2024

Update: tested 3.74.0, but there's still an issue with the tarball metadata value, so that will probably still prevent it from working (although I haven't actually tested it with corepack yet).

I have tested it with corepack; it doesn't work. My support ticket has also been linked to NEXUS-45088.

@jackmtpt
Copy link

Apparently this issue isn't expected to be fixed until the February release at the earliest.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

9 participants