http://registry.npmjs.org not https://registry.npmjs.org #6365

Closed
msbit opened this issue Sep 7, 2018 · 4 comments

msbit commented Sep 7, 2018

Do you want to request a feature or report a bug?

Possible bug, depending on whether yarn is meant to handle this or not.

What is the current behavior?

yarn upgrade has replaced resolved URLs for packages previously at https://registry.yarnpkg.com with http://registry.npmjs.org, e.g.:

 babel-plugin-syntax-async-functions@^6.8.0:
   version "6.13.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-syntax-async-functions/-/babel-plugin-syntax-async-functions-6.13.0.tgz#cad9cad1191b5ad634bf30ae0872391e0647be95"
+  resolved "http://registry.npmjs.org/babel-plugin-syntax-async-functions/-/babel-plugin-syntax-async-functions-6.13.0.tgz#cad9cad1191b5ad634bf30ae0872391e0647be95"

What is the expected behavior?

If the choice of scheme http vs https is handled by yarn, ideally this would be resolving to https to help avoid MITM attacks, so the above diff would be:

 babel-plugin-syntax-async-functions@^6.8.0:
   version "6.13.0"
-  resolved "https://registry.yarnpkg.com/babel-plugin-syntax-async-functions/-/babel-plugin-syntax-async-functions-6.13.0.tgz#cad9cad1191b5ad634bf30ae0872391e0647be95"
+  resolved "https://registry.npmjs.org/babel-plugin-syntax-async-functions/-/babel-plugin-syntax-async-functions-6.13.0.tgz#cad9cad1191b5ad634bf30ae0872391e0647be95"

Please mention your node.js, yarn and operating system version.

Node: v10.9.0
Yarn: 1.9.4
OS: Mac OS X 10.13.6 (17G65)

@ghost ghost assigned torifat Sep 7, 2018
@ghost ghost added the triaged label Sep 7, 2018
@edmorley (Contributor) commented

Hi! This is #6259, which was fixed by #6353 on master, but not yet released.

@edmorley (Contributor) commented

Ah actually Yarn v1.10.0 has now been released which includes that fix. Could you give it a try? :-)

msbit (Author) commented Sep 10, 2018

@edmorley Yep, 1.10.0 sorts this out! I'd misinterpreted the bug as early action on #5891, but it's definitely #6259 as you'd pointed out!

@msbit msbit closed this as completed Sep 10, 2018
gasi commented Nov 27, 2018

What’s the best way to upgrade the yarn.lock file after upgrading from 1.9.4 to >1.10.0 to fix the http://registry.npmjs.org issue? I’ve tried yarn upgrade but that includes unwanted upgrades and manual find/replace seems hacky. Is there something like yarn upgrade that preserves all existing versions (preventing a large testing effort on the app) while replacing the wrong registry and also adding the integrity field to the yarn.lock file?
