npm error loading from invalid packument

Your Environment

  • verdaccio version: 6.0.0-6-next.30
  • node version 17.6.0
  • package manager: npm 8.5.4
  • os: mac 12.3
  • platform: npm

Describe the bug

On upgrading node (and npm) versions, I noticed that npm install reports the error "loading from invalid packument". At first I thought this was an npm error, so I opened https://github.com/npm/cli/issues/4534. Unfortunately, I could not find out what a packument is exactly.

I’m using verdaccio for my private scoped packages.

  • I updated verdaccio to the latest version -> error still persists
  • I renamed verdaccio db directory and restarted, having an empty verdaccio and uploaded only the newest versions of the packages (npm publish --registry http://localhost:4873 tarball) -> error was gone, npm succeeded, build succeeded, app is working
  • Then I decided to put in chronological order all packages (from the old directory) into an empty verdaccio instance, thinking that this will lead to a “clean” verdaccio instance -> BUT the npm error invalid packument reappeared.

To Reproduce

I can reproduce at will, but it looks like it depends on my private packages…

Expected behavior

It looks like a packument is something npm is fetching from verdaccio, and it is a description of ALL versions of a package. Can you please explain to me what a packument is AND how it can be fetched manually, so that I can check it manually and somehow find the problem?

Screenshots, server logs, package manager log

Configuration File (cat ~/.config/verdaccio/config.yaml)

#
# This is the default config file. It allows all users to do anything,
# so don't use it on production systems.
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#

# path to a directory with all packages
storage: /Users/ogi/.local/share/verdaccio/storage

auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    #max_users: 1000

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@ogi-it/@ogi-it/pino-colada-xl':
    # this one should be publishable upstream
    access: $all
    publish: $authenticated
    proxy: npmjs

  '@ogi-it/*':
    # my scoped packages - private
    access: $all
    publish: $all # no more login to publish locally
    # do not proxy!! we keep them only locally proxy: npmjs

  '@*/*':
    # scoped packages
    access: $all
    publish: $authenticated
    proxy: npmjs

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: $all

    # allow all known users to publish packages
    # (anyone can register by default, remember?)
    publish: $authenticated

    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

# log settings
log: {type: stdout, format: pretty, level: http}
# log: {type: stdout, format: pretty, level: trace}
# log: {type: file, path: verdaccio.log, level: info}
# listen: 0.0.0.0:4873 # listen on all addresses (INADDR_ANY)
listen:  localhost:4873            # default value
# listen:  http://localhost:4873     # same thing
# listen:  https://example.org:4873  # if you want to use https
# listen:  "[::1]:4873"                # ipv6
# listen:  unix:/tmp/verdaccio.sock    # unix socket

Environment information

Environment Info:
  System:
    OS: macOS 12.3
    CPU: (8) x64 Intel(R) Core(TM) i7-7920HQ CPU @ 3.10GHz
  Binaries:
    npm: 8.5.4 - /usr/local/bin/npm
  Virtualization:
    Docker: 20.10.12 - /usr/local/bin/docker
  Browsers:
    Chrome: 99.0.4844.51
    Firefox: 90.0.2
    Safari: 15.4
  npmGlobalPackages:
    verdaccio: 6.0.0-6-next.37

Debugging output

  • $ NODE_DEBUG=request verdaccio display request calls (verdaccio <–> uplinks)
  • $ DEBUG=verdaccio* verdaccio enable extreme verdaccio debug mode (verdaccio api)
  • $ npm -ddd prints:
  • $ npm config get registry prints:

Contribute to Verdaccio

  • I’m willing to fix this bug 🥇

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

2 reactions
Ognian commented, Mar 17, 2022

OK I think I solved it in my case:

To get the packument I used npx pacote packument @ogi-it/ims --registry=http://localhost:4873 --long

I was able to find where in npm the error is thrown: https://github.com/npm/metavuln-calculator/blob/e6f738c73391945c5d979dc1b7c59b1af671a7fe/lib/advisory.js#L89

Since I remembered that long ago there were issues with capital letters and package names, I did npx pacote packument @ogi-it/ims --registry=http://localhost:4873 --long |egrep 'name|version' and was able to see that before version 1.22.2 IMS was written in capital letters, and after this version in lower case.

Via find . -name '*.tgz' -type f -print0 | xargs -0 ls -tr >ogialltars in the storage directory, I was also able to see the problem:

image

In my case I decided to “remove” the old packages with capital letters, by renaming the storage directory, restarting verdaccio, and importing via npm publish only the tarballs after the affected version.

After this npm install succeeded.

I’m not sure if there is anything to do on the verdaccio side. The case thing actually happened years ago, and it was no problem up until now when I changed to node@17.
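
The name check that the comment above does by eye with egrep can be scripted. This is an added example, not code from the thread, Verdaccio or npm; it assumes the usual packument layout (a top-level `name` plus a `versions` map of per-version manifests), and the function names and sample data are hypothetical and constructed for illustration.

```javascript
// Constructed sample packument (not real registry output): the package name
// changed case between published versions, as described in the comment above.
const samplePackument = {
  name: '@ogi-it/ims',
  'dist-tags': { latest: '1.22.2' },
  versions: {
    '1.22.0': { name: '@ogi-it/IMS', version: '1.22.0' },
    '1.22.1': { name: '@ogi-it/IMS', version: '1.22.1' },
    '1.22.2': { name: '@ogi-it/ims', version: '1.22.2' },
  },
};

// Registry URL of a packument; the "/" of a scoped name is sent as %2F.
function packumentUrl(registry, name) {
  return registry.replace(/\/+$/, '') + '/' + name.replace('/', '%2F');
}

// Fetch the full packument (hypothetical helper; uses the fetch built into Node 18+).
async function fetchPackument(registry, name) {
  const res = await fetch(packumentUrl(registry, name), {
    headers: { accept: 'application/json' },
  });
  if (!res.ok) throw new Error(`registry answered ${res.status} for ${name}`);
  return res.json();
}

// Compare the packument and every version manifest with the requested name.
function findInconsistencies(requestedName, packument) {
  const problems = [];
  if (packument.name !== requestedName) {
    problems.push({ version: null, issue: `top-level name is ${packument.name}` });
  }
  for (const [key, manifest] of Object.entries(packument.versions || {})) {
    const name = manifest && manifest.name;
    if (name !== requestedName) {
      const caseOnly = typeof name === 'string' &&
        name.toLowerCase() === requestedName.toLowerCase();
      problems.push({ version: key, issue: caseOnly
        ? `name differs only by case: ${name}`
        : `name is ${name}` });
    }
    if (!manifest || manifest.version !== key) {
      problems.push({ version: key, issue: 'manifest version does not match its key' });
    }
  }
  return problems;
}

console.log(findInconsistencies('@ogi-it/ims', samplePackument));
```

Against a live registry, pass the result of `fetchPackument('http://localhost:4873', '@ogi-it/ims')` to `findInconsistencies` instead of the sample object.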

1 reaction
Ognian commented, Mar 19, 2022

Yes
