I have an NPM project set up for using a self-hosted NPM registry in Nexus. I need to access that repository via HTTP (I cannot change this), but no matter what I do, the resolved URL is always the HTTPS version of the registry.
I have this minimal project:
.
├── .npmrc
└── package.json
The package.json is really simple, too:
{
"name": "npm-test",
"version": "1.0.0",
"description": "",
"devDependencies": {
"ts-node": "^10.9.2"
}
}
The .npmrc just contains the registry information:
registry=http://my.repository.com/repository/npm-group/
I have also npm configuration at user level in ~/.npmrc:
//my.repository.com/repository/npm-group/:_authToken=NpmToken.xxx
[email protected]
always-auth=true
//my.repository.com/repository/npm-private/:_authToken=NpmToken.xxx
If I'm in my project's directory and do npm config ls -l I get the following:
; "default" config from default values
_auth = (protected)
access = null
all = false
allow-same-version = false
also = null
audit = true
audit-level = null
auth-type = "legacy"
before = null
bin-links = true
browser = null
ca = null
cache = "/xxx/.npm"
cache-max = null
cache-min = 0
cafile = null
call = ""
cert = null
ci-name = null
cidr = null
color = true
commit-hooks = true
depth = null
description = true
dev = false
diff = []
diff-dst-prefix = "b/"
diff-ignore-all-space = false
diff-name-only = false
diff-no-prefix = false
diff-src-prefix = "a/"
diff-text = false
diff-unified = 3
dry-run = false
editor = "/usr/bin/nano"
engine-strict = false
fetch-retries = 2
fetch-retry-factor = 10
fetch-retry-maxtimeout = 60000
fetch-retry-mintimeout = 10000
fetch-timeout = 300000
force = false
foreground-scripts = false
format-package-lock = true
fund = true
git = "git"
git-tag-version = true
global = false
global-style = false
globalconfig = "/xxx/.nvm/versions/node/v18.12.0/etc/npmrc"
heading = "npm"
https-proxy = null
if-present = false
ignore-scripts = false
include = []
include-staged = false
include-workspace-root = false
init-author-email = ""
init-author-name = ""
init-author-url = ""
init-license = "ISC"
init-module = "/xxx/.npm-init.js"
init-version = "1.0.0"
init.author.email = ""
init.author.name = ""
init.author.url = ""
init.license = "ISC"
init.module = "/xxx/.npm-init.js"
init.version = "1.0.0"
install-links = false
json = false
key = null
legacy-bundling = false
legacy-peer-deps = false
link = false
local-address = null
location = "user"
lockfile-version = null
loglevel = "notice"
logs-dir = null
logs-max = 10
; long = false ; overridden by cli
maxsockets = 15
message = "%s"
metrics-registry = "http://my.repository.com/repository/npm-group/"
node-options = null
node-version = "v18.12.0"
noproxy = [""]
npm-version = "8.19.2"
offline = false
omit = []
omit-lockfile-registry-resolved = false
only = null
optional = null
otp = null
pack-destination = "."
package = []
package-lock = true
package-lock-only = false
parseable = false
prefer-offline = false
prefer-online = false
prefix = "/xxx/.nvm/versions/node/v18.12.0"
preid = ""
production = null
progress = true
proxy = null
read-only = false
rebuild-bundle = true
; registry = "https://registry.npmjs.org/" ; overridden by project
replace-registry-host = "npmjs"
save = true
save-bundle = false
save-dev = false
save-exact = false
save-optional = false
save-peer = false
save-prefix = "^"
save-prod = false
scope = ""
script-shell = null
searchexclude = ""
searchlimit = 20
searchopts = ""
searchstaleness = 900
shell = "/bin/zsh"
shrinkwrap = true
sign-git-commit = false
sign-git-tag = false
sso-poll-frequency = 500
sso-type = "oauth"
strict-peer-deps = false
strict-ssl = true
tag = "latest"
tag-version-prefix = "v"
timing = false
tmp = "/tmp"
umask = 0
unicode = true
update-notifier = true
usage = false
user-agent = "npm/{npm-version} node/{node-version} {platform} {arch} workspaces/{workspaces} {ci}"
userconfig = "/xxx/.npmrc"
version = false
versions = false
viewer = "man"
which = null
workspace = []
workspaces = null
workspaces-update = true
yes = null
; "user" config from /xxx/.npmrc
//my.repository.com/repository/npm-group/:_authToken = (protected)
//my.repository.com/repository/npm-private/:_authToken = (protected)
always-auth = true
email = "[email protected]"
; "project" config from /xxx/npm-test/.npmrc
registry = "http://my.repository.com/repository/npm-group/"
; "cli" config from command line options
long = true
If I'm correct, there are no references to HTTPS version of the registry. But if I run npm -ddd install, I see the HTTPS version is used:
npm -ddd install
npm verb cli /xxx/.nvm/versions/node/v18.12.0/bin/node /xxx/.nvm/versions/node/v18.12.0/bin/npm
npm info using [email protected]
npm info using [email protected]
npm timing npm:load:whichnode Completed in 0ms
npm timing config:load:defaults Completed in 1ms
npm timing config:load:file:/xxx/.nvm/versions/node/v18.12.0/lib/node_modules/npm/npmrc Completed in 0ms
npm timing config:load:builtin Completed in 0ms
npm timing config:load:cli Completed in 1ms
npm timing config:load:env Completed in 1ms
npm timing config:load:file:/xxx/Documentos/Workspace/npm-test/.npmrc Completed in 1ms
npm timing config:load:project Completed in 6ms
npm timing config:load:file:/xxx/.npmrc Completed in 0ms
npm timing config:load:user Completed in 0ms
npm timing config:load:file:/xxx/.nvm/versions/node/v18.12.0/etc/npmrc Completed in 1ms
npm timing config:load:global Completed in 1ms
npm timing config:load:validate Completed in 0ms
npm timing config:load:credentials Completed in 1ms
npm timing config:load:setEnvs Completed in 0ms
npm timing config:load Completed in 12ms
npm timing npm:load:configload Completed in 12ms
npm timing npm:load:mkdirpcache Completed in 1ms
npm timing npm:load:mkdirplogs Completed in 0ms
npm verb title npm install
npm verb argv "--loglevel" "silly" "install"
npm timing npm:load:setTitle Completed in 1ms
npm timing config:load:flatten Completed in 2ms
npm timing npm:load:display Completed in 4ms
npm verb logfile logs-max:10 dir:/xxx/.npm/_logs
npm verb logfile /xxx/.npm/_logs/2024-02-28T07_53_30_217Z-debug-0.log
npm timing npm:load:logFile Completed in 5ms
npm timing npm:load:timers Completed in 0ms
npm timing npm:load:configScope Completed in 0ms
npm timing npm:load Completed in 23ms
npm timing arborist:ctor Completed in 1ms
npm sill logfile start cleaning logs, removing 1 files
npm timing arborist:ctor Completed in 1ms
npm sill logfile done cleaning log files
npm timing idealTree:init Completed in 12ms
npm timing idealTree:userRequests Completed in 0ms
npm sill idealTree buildDeps
npm sill fetch manifest ts-node@^10.9.2
npm http fetch GET 200 https://my.repository.com/repository/npm-group/ts-node 812ms (cache miss)
npm sill fetch manifest @swc/core@>=1.2.50
npm http fetch GET 200 https://my.repository.com/repository/npm-group/@swc%2fcore 865ms (cache miss)
npm sill fetch manifest @swc/helpers@^0.5.0
npm http fetch GET 200 https://my.repository.com/repository/npm-group/@swc%2fhelpers 315ms (cache miss)
npm sill fetch manifest @swc/wasm@>=1.2.50
npm http fetch GET 200 https://my.repository.com/repository/npm-group/@swc%2fwasm 312ms (cache miss)
npm sill fetch manifest @types/node@*
npm http fetch GET 200 https://my.repository.com/repository/npm-group/@types%2fnode 1114ms (cache miss)
npm sill fetch manifest typescript@>=2.7
npm http fetch GET 200 https://my.repository.com/repository/npm-group/typescript 2213ms (cache miss)
...
And in package-lock.json:
{
"name": "npm-test",
"version": "1.0.0",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "npm-test",
"version": "1.0.0",
"devDependencies": {
"ts-node": "^10.9.2"
}
},
"node_modules/@cspotcode/source-map-support": {
"version": "0.8.1",
"resolved": "https://my.repository.com/repository/npm-group/@cspotcode/source-map-support/-/source-map-support-0.8.1.tgz",
"integrity": "sha512-IchNf6dN4tHoMFIn/7OE8LWZ19Y6q/67Bmf6vnGREv8RSbBVb9LPJxEcnwrcwX6ixSvaiGoomAUvu4YSxXrVgw==",
"dev": true,
"license": "MIT",
"dependencies": {
"@jridgewell/trace-mapping": "0.3.9"
},
"engines": {
"node": ">=12"
}
},
...
The resolved value is also the HTTPS version of my registry for all packages.
Am I missing something? I tried removing node_modules and package-lock.json, running npm cache clean --force and then installing again, but the same happens.
I also tried setting strict-ssl to false in .npmrc but, again, no changes.
Am I missing something?
Thank you very much.
As @j-cake and @json-derulo pointed out, there was a redirection at the server from HTTP to HTTPS.