npm error loading from invalid packument
Your Environment
- verdaccio version: 6.0.0-6-next.30
- node version 17.6.0
- package manager: npm 8.5.4
- os: mac 12.3
- platform: npm
Describe the bug
On upgrading node (and npm) versions, I noticed that npm install reports error loading from invalid packument.
First I thought this was an npm error, so I opened https://github.com/npm/cli/issues/4534.
Unfortunately I could not find what a packument is exactly.
I’m using verdaccio for my private scoped packages.
- I updated verdaccio to the latest version -> error still persists
- I renamed the verdaccio db directory and restarted, having an empty verdaccio, and uploaded only the newest versions of the packages (npm publish --registry http://localhost:4873 tarball) -> error was gone, npm succeeded, build succeeded, app is working
- Then I decided to put in chronological order all packages (from the old directory) into an empty verdaccio instance, thinking that this will lead to a “clean” verdaccio instance -> BUT the npm error invalid packument reappeared.
To Reproduce
I can reproduce at will, but it looks like it depends on my private packages…
Expected behavior
It looks like a packument is something npm is fetching from verdaccio, and it is a description of ALL versions of a package.
Can you please explain to me what a packument is AND how it can be fetched manually so that I can check manually and somehow find the problem.
Screenshots, server logs, package manager log
Configuration File (cat ~/.config/verdaccio/config.yaml)
#
# This is the default config file. It allows all users to do anything,
# so don't use it on production systems.
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#

# path to a directory with all packages
storage: /Users/ogi/.local/share/verdaccio/storage

auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    #max_users: 1000

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@ogi-it/@ogi-it/pino-colada-xl':
    # this one should be publishable upstream
    access: $all
    publish: $authenticated
    proxy: npmjs

  '@ogi-it/*':
    # my scoped packages - private
    access: $all
    publish: $all # no more login to publish locally
    # do not proxy!! we keep them only locally proxy: npmjs

  '@*/*':
    # scoped packages
    access: $all
    publish: $authenticated
    proxy: npmjs

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: $all

    # allow all known users to publish packages
    # (anyone can register by default, remember?)
    publish: $authenticated

    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

# log settings
log: {type: stdout, format: pretty, level: http}
# log: {type: stdout, format: pretty, level: trace}
# log: {type: file, path: verdaccio.log, level: info}

# listen: 0.0.0.0:4873 # listen on all addresses (INADDR_ANY)
listen: localhost:4873 # default value
# listen: http://localhost:4873 # same thing
# listen: https://example.org:4873 # if you want to use https
# listen: "[::1]:4873" # ipv6
# listen: unix:/tmp/verdaccio.sock # unix socket
Environment information
Environment Info:
  System:
    OS: macOS 12.3
    CPU: (8) x64 Intel(R) Core(TM) i7-7920HQ CPU @ 3.10GHz
  Binaries:
    npm: 8.5.4 - /usr/local/bin/npm
  Virtualization:
    Docker: 20.10.12 - /usr/local/bin/docker
  Browsers:
    Chrome: 99.0.4844.51
    Firefox: 90.0.2
    Safari: 15.4
  npmGlobalPackages:
    verdaccio: 6.0.0-6-next.37
Debugging output
$ NODE_DEBUG=request verdaccio
display request calls (verdaccio <–> uplinks)
$ DEBUG=verdaccio* verdaccio
enable extreme verdaccio debug mode (verdaccio api)
$ npm -ddd
prints:
$ npm config get registry
prints:
Contribute to Verdaccio
- I’m willing to fix this bug 🥇
Issue Analytics
- State:
- Created 2 years ago
- Comments:6 (3 by maintainers)
Top GitHub Comments
OK I think I solved it in my case:
To get the packument I used
npx pacote packument @ogi-it/ims --registry=http://localhost:4873 --long
I was able to find where in npm the error is thrown: https://github.com/npm/metavuln-calculator/blob/e6f738c73391945c5d979dc1b7c59b1af671a7fe/lib/advisory.js#L89
Since I remembered that long ago there were issues with capital letters and package names, I did
npx pacote packument @ogi-it/ims --registry=http://localhost:4873 --long |egrep 'name|version'
and was able to see that before version 1.22.2 IMS was written in capital letters, after this version in lower case.
Via
find . -name '*.tgz' -type f -print0 | xargs -0 ls -tr >ogialltars
in the storage directory, I was also able to see the problem:
In my case I decided to “remove” the old packages with capital letters, by renaming the storage directory, restarting verdaccio, and importing via
npm publish
only the tarballs after the affected version.
After this npm install succeeded.
I’m not sure if there is anything to do on the verdaccio side. The case thing actually happened years ago, and it was no problem up until now when I changed to node@17.
Yes
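The name check done by eye with egrep in the comment above can be automated for any package in a private registry. The following is an added example, not code from the issue, from npm or from verdaccio; the package name, versions and the auditPackument helper are constructed for illustration, and the packument is assumed to have the usual registry shape (top-level name, dist-tags, and a versions map of manifests).

```javascript
// Constructed sample packument: one top-level name plus one manifest per
// published version. It mirrors the case change described in the comment
// (older versions published with capital letters, newer ones in lower case).
const samplePackument = {
  name: '@example/IMS',
  'dist-tags': { latest: '1.22.2' },
  versions: {
    '1.21.0': { name: '@example/IMS', version: '1.21.0' },
    '1.22.1': { name: '@example/IMS', version: '1.22.1' },
    '1.22.2': { name: '@example/ims', version: '1.22.2' },
  },
};

// Hypothetical helper: list every inconsistency between the name that was
// requested, the packument's top-level name and the per-version manifests.
function auditPackument(requestedName, packument) {
  if (!packument || typeof packument !== 'object') {
    return [{ kind: 'not-an-object' }];
  }
  const findings = [];
  const versions = packument.versions || {};
  if (packument.name !== requestedName) {
    findings.push({ kind: 'top-level-name', expected: requestedName, actual: packument.name });
  }
  for (const [key, manifest] of Object.entries(versions)) {
    if (manifest.name !== requestedName) {
      findings.push({
        kind: 'version-name', version: key, actual: manifest.name,
        // true when the names differ only by letter case
        caseOnly: String(manifest.name).toLowerCase() === requestedName.toLowerCase(),
      });
    }
    if (manifest.version !== key) {
      findings.push({ kind: 'version-key', version: key, actual: manifest.version });
    }
  }
  const latest = (packument['dist-tags'] || {}).latest;
  if (latest && !versions[latest]) {
    findings.push({ kind: 'dangling-latest', version: latest });
  }
  return findings;
}

// Report what would need to be republished or removed from storage.
for (const f of auditPackument('@example/ims', samplePackument)) {
  console.log(JSON.stringify(f));
}
```
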