Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
"publish --force" and "unpublish VERSION" seem to be broken
See original GitHub issueDescribe the bug
I tried to look at #1359 and #1405 but couldn’t find a solution.
I’m using ~~https://github.com/Remitly/verdaccio-s3-storage~~ https://registry.verdaccio.org/-/web/detail/verdaccio-aws-s3-storage as a storage plugin, but you can comment the whole storage key in configuration and it will be the same (except for one thing that is pointed out below).
npm publish --force
If I try to overwrite an existing package version with a new one:
npm publish --force --registry MY_REPO
The result is:
- old package is removed from the remote storage and the web UI doesn’t show it
- the
npmcommand fails with:
npm ERR! code EPUBLISHCONFLICT
npm ERR! publish fail Cannot publish over existing version.
npm ERR! publish fail Update the 'version' field in package.json and try again.
npm ERR! publish fail
npm ERR! publish fail To automatically increment version numbers, see:
npm ERR! publish fail npm help version
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/marco/.npm/_logs/2019-08-10T13_46_04_312Z-debug.log
- running the same exact command again publishes successfully
npm unpublish --force SPECIFIC_VERSION
If I try to unpublish the package first to avoid errors:
npm unpublish "@test/my-pack@1.0.0-beta" --force --registry MY_REPO
The result is:
npmexits with no errors and says that the package has been removed- the package still shows up on the AWS S3 storage and on the web UI
- trying to publish the same package from now on will result in failures (this doesn’t happen when using local storage: publishing again works as with the command above)
The only way I found to recover from this situation was:
- removing the
.tgzarchive manually from the storage - restart the verdaccio server
These commands don’t work as expected.
To Reproduce
I’m using the following Dockerfile to speed up testing:
FROM verdaccio/verdaccio:latest
USER root
ENV NODE_ENV=production
# Install "envsubst" to replace ENV_VARS in config
RUN apk add gettext libintl
# Install AWS S3 Plugin
RUN yarn add verdaccio-aws-s3-storage --production=true --no-lockfile --registry https://registry.verdaccio.org
# Copy configuration and .htpasswd
COPY ./config.yml $VERDACCIO_APPDIR/conf/config.yaml
# Fix permissions
RUN chown -R $VERDACCIO_USER_UID:root $VERDACCIO_APPDIR/conf/config.yaml \
&& chmod -R g=u $VERDACCIO_APPDIR/conf/config.yaml
USER $VERDACCIO_USER_UID
# Set user credentials, replace ENV_VARS in config and finally run Verdaccio
CMD echo "$HTPASSWD" > /verdaccio/storage/htpasswd \
&& envsubst \$AWS_S3_BUCKET,\$AWS_S3_PATH_PREFIX,\$AWS_DEFAULT_REGION,\$AWS_S3_ENDPOINT,\$AWS_S3_PATH_STYLE,\$AWS_ACCESS_KEY_ID,\$AWS_SECRET_ACCESS_KEY < $VERDACCIO_APPDIR/conf/config.yaml > $VERDACCIO_APPDIR/conf/config.yaml \
&& $VERDACCIO_APPDIR/bin/verdaccio --config $VERDACCIO_APPDIR/conf/config.yaml --listen $VERDACCIO_PROTOCOL://0.0.0.0:$VERDACCIO_PORT
This docker-compose.yml should run your registry:
version: '2.1'
services:
verdaccio:
image: testing/private-verdaccio-s3:latest
environment:
AWS_S3_BUCKET:
AWS_S3_PATH_PREFIX:
AWS_ACCESS_KEY_ID:
AWS_SECRET_ACCESS_KEY:
AWS_DEFAULT_REGION:
AWS_S3_ENDPOINT:
AWS_S3_PATH_STYLE: "true"
# User is demo:demo
HTPASSWD: |
demo:$apr1$uq2Uw53i$dS7GoGvNuupumWvXjOJ.R1
ports:
- "4874:4873"
Configuration file config.yml:
#
# This is the config file used for the docker images.
# It allows all users to do anything, so don't use it on production systems.
#
# Do not configure host and port under `listen` in this file
# as it will be ignored when using docker.
# see https://verdaccio.org/docs/en/docker#docker-and-custom-port-configuration
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#
# path to a directory with all packages
storage: /verdaccio/storage/data
# comment this section entirely to disable AWS S3
store:
aws-s3-storage:
bucket: $AWS_S3_BUCKET
keyPrefix: $AWS_S3_PATH_PREFIX
region: $AWS_DEFAULT_REGION
endpoint: $AWS_S3_ENDPOINT
s3ForcePathStyle: $AWS_S3_PATH_STYLE
accessKeyId: $AWS_ACCESS_KEY_ID
secretAccessKey: $AWS_SECRET_ACCESS_KEY
web:
title: Verdaccio
auth:
htpasswd:
file: /verdaccio/storage/htpasswd
max_users: -1
security:
api:
jwt:
sign:
expiresIn: 60d
notBefore: 1
web:
sign:
expiresIn: 7d
notBefore: 1
# a list of other known repositories we can talk to
uplinks:
npmjs:
url: https://registry.npmjs.org/
packages:
'**':
access: $all
publish: $all
unpublish: $all
# if package is not available locally, proxy requests to 'npmjs' registry
proxy: npmjs
middlewares:
audit:
enabled: true
# log settings
logs:
- { type: stdout, format: pretty, level: http }
listen:
- 0.0.0.0:4873
Put these 3 files in a folder called verdaccio-test, then build and run everything:
cd /path/to/verdaccio-test
docker build -t testing/private-verdaccio-s3:latest .
docker-compose up -d
# Attach to logs
docker logs -f verdaccio-test_verdaccio_1
# use http://127.0.0.1:4874
Expected behavior
Packages should be deleted correctly.
Conclusion
I hope that everything is clear enough, please feel free to ask for further information.
Thank you for your time.
Issue Analytics
- State:
- Created 4 years ago
- Reactions:1
- Comments:31 (15 by maintainers)
Top Results From Across the Web
npm Unpublish Policy
If all the versions of a package can be unpublished, you can unpublish all versions at once by running npm unpublish <package_name> --force...
Read more >Is there a workaround for `npm publish -f` - Stack Overflow
Once a package is unpublished, it cannot be republished. If you've unpublished a package by mistake, we'd recommend publishing again under a different...
Read more >Publishing packages | Dart
Learn how to publish a Dart package to pub.dev. ... To avoid that, the pub.dev policy disallows unpublishing packages except for very few...
Read more >cases in edit/releases tab on project nodes: default release broken ...
I created a new 5.x-2.0 release for user points. I unpublished the old 5.x-1.x release, since I want the 2.x API to be...
Read more >Work with Image Content in Salesforce CMS
Publish a new version of an image, and all content that references it is ... for image references when you publish, unpublish, draft,...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Here’s the breakdown for all bugs mentioned in the issue.
TLDR: jump to the last paragraph.
Bug 1 -
npm unpublish -ffailed with error, but package is actually removed by verdaccio.Fact 2 -
npm unpublish [-f] pkg@versionwork as expect after patching PR https://github.com/verdaccio/monorepo/pull/289Bug 3 -
npm publish -f(republish) failed with error, but the package@version file is removed by verdaccio (npm publish -f==npm unpublish -f). Thus run the publish command again will succeed, because verdaccio thinks you’re publishing a new version.publish -f, the server returns a 403 (permission error)publish -f, the server returns 409 (conflict error)-f, fetches package info, the server returns 200-f.publish -f pkg@version==unpubish pkg@version)Based on the analysis
npm unpublish -fbug for s3 storage.publish -fbug is not fixable by verdaccio. I suggest you runnpm unpublish pkg@version, thennpm publishto simulate thenpm publish -f.@liarco I have verified the issue only appears in S3, and fixed in https://github.com/verdaccio/monorepo/pull/289, see the PR description for details.