SENSITIVE DATA HAS BEEN REMOVED FROM THIS TICKET ACCORDING TO JFROG'S INTERNAL POLICY.
If the cached metadata of a package is not valid json, the metadata will never update, even with Metadata Retrieval Cache Period set to 0 or zapping the cache. You must delete the cached version for the correct file to be pulled from upstream.
We can see in the general tab that the checksum uploaded does not match the actual:
Uploaded checksum doesn't match the actual checksum. Please redeploy the artifact with a correct checksum.If you trust the uploaded artifact you can accept the actual checksum by clicking the 'Fix Checksum' button.
Trying to pull the package from instance A with the npm client will fail with a 404 not found, and will show the following in the logs of instance A:
Error while parsing the response of a remote npm JSON query on 'RESTRICTED_URL': Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
If a remote repo detects that the cached package's actual checksum does not match the uploaded checksum, it should always pull from the upstream.
Steps to reproduce:
-Have two instances A and B
-set up a npm remote repo on instance A (with Metadata Retrieval Cache Period set to ) to proxy a npm ocal repo on instance B
-have instance A cache package and metadadta from instance B
-in the file store, "corrupt" the package.json for the package by replacing the contents of the sha1 file with html
-try to resolve the package from instance A with the npm client, see it 404s. If you try to view the metadata at api/npm/<npmrepo>/<packageName>, it will say could not parse metadata.
-The metadata will not update from the upstream until you delete it from the cache.