chore: update broken package-lock resolves #886
Conversation
aabmass
requested review from
draffensperger,
hekike and
mayurkale22
as code owners
There was a problem hiding this comment.
Thanks for looking into this. Are we pulling from any mirrors other than registry.npmjs.org elsewhere in our lockfiles? I'm curious if the addition of netflix as a mirror was intentional, was reviewed in the appropriate way, and if we have safeguards to prevent accidental or malicious introduction of mirrors in future.
@punya not anymore: $ pcregrep -h -o1 '\"resolved\": \"https:\/\/(.+?)\/' `git ls-files **/package-lock.json` | sort | uniq
registry.npmjs.org
This change was introduced ~2 years ago in #564. The author of the PR works at netflix and judging by this npm package, netflix devs probably are/were using a custom registry, either with Also want to point out that package-lock.json files are not distributed on npm when publishing so mirrors can't be maliciously introduced to users (could effect local builds of OC though) @jsuerth I tried just deleting the package locks first and regenerating but this upgraded a bunch of dependencies and broke the build as well :( so I took the route of replacing the mirror URLs instead. The changes to other lockfiles is npm upgrading the to lockfile version 2 since I am using npm v7. |
Some package-lock.json files had were using an npm mirror from netflix that is no longer working. For example https://artifacts.netflix.com/api/npm/npm-netflix/@babel/code-frame/-/code-frame-7.0.0.tgz is broken and it should use registry.npmjs.org. So I ran:
and then was able to run
npm installnormally and everything completed alright.