Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-7668

npm/api request returning incorrect object/blob


    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 3.5.3
    • Fix Version/s: None
    • Component/s: NPM
    • Labels:
    • Environment:

      running inside tomcat


      We sometimes publish two npm packages with the same name, one into a scope and one into the main namespace. Requests to the api then return correct metadata, but requests for the non-scoped object return the wrong binary. We were able to reproduce this as follows:

      1. publish a regular npm package, such as foo-thing@1.2.3
      2. publish a scoped npm package with the same name/version, such as @components/foo-thing@1.2.3 (this should be a different tarball with a different checksum)
      3. request metadata for the non-scoped package, via http://hostname/artifactory/api/npm/npm-repo/foo-thing – note the shasum value in the "dist" section for version 1.2.3
      4. follow the "tarball" link in the "dist" section to download the tarball for the non-scoped package
      5. compare the shasum of the retrieved tarball to the shasum listed in the metadata from step 3

      Expected: downloaded tarball will match shasum from metadata and contain the non-scoped package

      Actual: tarball shasum does not match, and tarball contains the scoped package


          Issue Links



              • Assignee:
                darcher Darius Archer
              • Votes:
                1 Vote for this issue
                2 Start watching this issue


                • Created: