[BUG] npm v7 handles resolved urls in shrinkwrap files differently than v6. #3783

Open
@everett1992

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Some packages in the npm registry use an npm-shrinkwrap with resolved urls to other registries. For example, [email protected]

$ curl -sS "$(npm info [email protected] dist.tarball)" | tar xzO package/npm-shrinkwrap.json | rg resolved | head -n 1
      "resolved": "https://registry.yarnpkg.com/@jsii/check-node/-/check-node-1.33.0.tgz#55d75cbef1c84e2012c67ab8d6de63f773be4a9b",

With npm v6 the resolved url appears to be ignored and npm uses the configured registry instead. With v7 npm makes requests to registry.yarnpkg.com. We run a private registry and network-isolate our builds, so requests to yarnpkg are failing.

Expected Behavior

I can understand how this is a feature, but I'm not sure it was intended. In general I think the behavior of resolved urls in lock and shrinkwraps needs to be better documented and configurable.

I'll take a pass at documentation based on this discussion.

Steps To Reproduce

With npm v6 I notice that their resolved url is ignored and packages are fetched from the configured registry.

$ npm -v
6.14.13
# Without package-lock
$ rm node_modules ~/.npm/_cacache -rf
$ npm install [email protected] --verbose |& rg 'yarnpkg'
# No match

But with v7 the shrinkwrap resolved url is respected.

$ npm -v
7.21.0
$ rm node_modules ~/.npm/_cacache -rf
$ npm install [email protected] --verbose |& rg 'yarnpkg'
npm http fetch GET 200 https://registry.yarnpkg.com/y18n/-/y18n-5.0.8.tgz#7f4934d0f7ca8c56f95314939ddcd2dd91ce1d55 762ms (cache miss)
...

Environment

  • OS: Ubuntu
  • Node: 16.8.0
  • npm: 7.21.0
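
For builds that may only reach one registry, a pre-install audit can list every lockfile or shrinkwrap entry whose `resolved` host differs from the allowed one. This is an added example, not code from the issue or from npm; the function names, `registry.example.internal` and `example-parent` are constructed placeholders, while the two yarnpkg URLs are the ones quoted in the report.

```javascript
// Collect every (location, resolved) pair from a parsed lockfile or shrinkwrap.
// lockfileVersion 1 nests entries under "dependencies"; 2 and 3 carry a flat "packages" map.
function collectResolved(lock) {
  const found = [];
  const walkDeps = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = trail.concat(name);
      if (typeof entry.resolved === 'string') found.push({ where: path.join(' > '), resolved: entry.resolved });
      walkDeps(entry.dependencies, path);
    }
  };
  if (lock.packages) {
    for (const [where, entry] of Object.entries(lock.packages)) {
      if (typeof entry.resolved === 'string') found.push({ where, resolved: entry.resolved });
    }
  } else {
    walkDeps(lock.dependencies, []);
  }
  return found;
}

// Return the entries whose http(s) "resolved" URL points at a host other than
// the allowed registry's host. file:, git+ssh: and similar specs are skipped.
function findForeignResolved(lock, allowedRegistry) {
  const allowedHost = new URL(allowedRegistry).host;
  const foreign = [];
  for (const { where, resolved } of collectResolved(lock)) {
    let url;
    try { url = new URL(resolved); } catch { continue; } // not an absolute URL
    if (!/^https?:$/.test(url.protocol)) continue;
    if (url.host !== allowedHost) foreign.push({ where, host: url.host, resolved });
  }
  return foreign;
}

// Constructed sample in lockfileVersion 1 layout (as found in an npm-shrinkwrap.json).
const ALLOWED_REGISTRY = 'https://registry.example.internal/'; // placeholder private registry
const SAMPLE_SHRINKWRAP = {
  lockfileVersion: 1,
  dependencies: {
    '@jsii/check-node': { version: '1.33.0', resolved: 'https://registry.yarnpkg.com/@jsii/check-node/-/check-node-1.33.0.tgz#55d75cbef1c84e2012c67ab8d6de63f773be4a9b' },
    'example-parent': { version: '1.0.0', resolved: 'https://registry.example.internal/example-parent/-/example-parent-1.0.0.tgz',
      dependencies: { y18n: { version: '5.0.8', resolved: 'https://registry.yarnpkg.com/y18n/-/y18n-5.0.8.tgz#7f4934d0f7ca8c56f95314939ddcd2dd91ce1d55' } } },
  },
};

console.log(findForeignResolved(SAMPLE_SHRINKWRAP, ALLOWED_REGISTRY));
```

To audit a real package, pass the parsed `npm-shrinkwrap.json` extracted from its tarball (as in the `curl | tar` command in the report) instead of the sample object.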

Labels

  • Bug: thing that needs fixing
  • Release 8.x: work is associated with a specific npm 8 release
