fix(npm): registry inferring should include the full registry path #7030
Conversation
yeikel
force-pushed
the
issue/6804
branch
3 times, most recently
from
2543a29
to
f3cab6c
Compare
| @@ -1787,7 +1787,37 @@ | |||
| expect(file_fetcher_instance.files.map(&:name)). | |||
| to eq(%w(package.json package-lock.json .npmrc)) | |||
| expect(file_fetcher_instance.files.find { |f| f.name == ".npmrc" }.content). | |||
| to eq("registry=https://npm.fury.io") | |||
| to eq("registry=https://npm.fury.io/dependabot/") | |||
There was a problem hiding this comment.
I believe that this test was incorrect
There was a problem hiding this comment.
I created a test org to double check this
Trying to pull any dependency from https://npm.fury.io/ would fail in this scenario
There was a problem hiding this comment.
Thanks for trying this in real life! 💪
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
yeikel
force-pushed
the
issue/6804
branch
2 times, most recently
from
a419b9d
to
a28f712
Compare
yeikel
force-pushed
the
issue/6804
branch
5 times, most recently
from
c0ebbc0
to
807e2cd
Compare
| @@ -1787,7 +1787,37 @@ | |||
| expect(file_fetcher_instance.files.map(&:name)). | |||
| to eq(%w(package.json package-lock.json .npmrc)) | |||
| expect(file_fetcher_instance.files.find { |f| f.name == ".npmrc" }.content). | |||
| to eq("registry=https://npm.fury.io") | |||
| to eq("registry=https://npm.fury.io/dependabot/") | |||
There was a problem hiding this comment.
Thanks for trying this in real life! 💪
npm_and_yarn/spec/fixtures/projects/npm6/private_artifactory_repository/package-lock.json
Outdated
Show resolved
Hide resolved
deivid-rodriguez
added
T: bug 🐞
I do not know what's best in Ruby as I am new to the language, but in the JVM and other languages like C#, this try/catch/recover pattern is not great as it is quite slow to unwind the stack. I expect a similar impact in Ruby but I do not know if it is a good practice or not In the current code, we are running this logic for every single dependency declared and that can take a lot of time for a project with many dependencies(that is very common in the NPM world to begin with) |
yeikel
force-pushed
the
issue/6804
branch
5 times, most recently
from
4f85459
to
b845856
Compare
|
I think it's fine in CRuby. But more importantly, I think it's best to focus on the bug fix rather than mixing in performance related patches. If the problem you mention is an issue, we could handle it separately. Let me suggest this alternative patch that keeps the existing approach of parsing registries into well structured URIs: diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb
index 4ef88467c..10f75aa33 100644
--- a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb
+++ b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb
@@ -90,7 +90,7 @@ module Dependabot
return @inferred_npmrc = nil unless npmrc.nil? && package_lock
known_registries = []
- JSON.parse(package_lock.content).fetch("dependencies", {}).each do |_name, details|
+ JSON.parse(package_lock.content).fetch("dependencies", {}).each do |dependency_name, details|
resolved = details.fetch("resolved", "https://registry.npmjs.org")
begin
uri = URI.parse(resolved)
@@ -99,8 +99,24 @@ module Dependabot
# This can happen if resolved is false, for instance.
next
end
+
+ next unless uri.scheme && uri.host
+
# Check for scheme since path dependencies will not have one
- known_registries << "#{uri.scheme}://#{uri.host}" if uri.scheme && uri.host
+ known_registry = "#{uri.scheme}://#{uri.host}"
+
+ path = uri.path
+ if path
+ index = path.index(dependency_name)
+
+ if index
+ registry_base_path = path[0...index].delete_suffix("/")
+
+ known_registry << registry_base_path
+ end
+ end
+
+ known_registries << known_registry
end
if known_registries.uniq.length == 1 && known_registries.first != "https://registry.npmjs.org"Using this approach is how I discovered yesterday that the test lockfile was incorrect, because the tests you added do not pass with this patch due to the dependency name vs registry url discrepancy. |
yeikel
force-pushed
the
issue/6804
branch
2 times, most recently
from
44fd598
to
8a0b1ac
Compare
yeikel
force-pushed
the
issue/6804
branch
2 times, most recently
from
3ab1058
to
9e2ad35
Compare
yeikel
force-pushed
the
issue/6804
branch
5 times, most recently
from
1754f2c
to
74164ec
Compare
|
@deivid-rodriguez Let me know if you have any additional feedback :) Thanks again |
|
@jeffwidman I would appreciate your input here as well |
|
Sorry for the delay @yeikel, this looks good to me, but I'd like to extract the malformed URI handling changes/discussion to a separate PR/issue if that's ok. |
yeikel
force-pushed
the
issue/6804
branch
3 times, most recently
from
33747af
to
62d85c8
Compare
|
@yeikel This looks ready from my side and I'm pretty confident about it since you have taken the time to actually try this on a real registry, but I'm not super familiar with how private registries are setup in general, so let me ask for a second review here from another teammate just in case. Thanks! |
Co-authored-by: David Rodríguez <deivid.rodriguez@riseup.net>
Follow up for the following discussion dependabot#7030 (comment)
Follow up for the following discussion dependabot#7030 (comment)
Fixes #6804