larsw / npm-leech

Small utility to leech all direct and transitive npm packages for a given package.json or package-lock.json file.

License: MIT License

JavaScript 100.00%
npm offline onpremises mirror artifactory

npm-leech's Introduction

npm-leech

Small utility to leech all direct and transitive npm packages for a given package.json or package-lock.json file.

Ideal for mirroring a given set of packages to a private repository like JFrog Artifactory or NPM Registry.

    usage
      $ npm-leech [-i package.json|package-lock.json] [-o foo.tar] [-a] [-c] [-d] [-D] 

    options
      --artifactory, -a      Store scoped packages in a layout used by Artifactory
      --input, -i            source package.json or package-lock.json (default: ./package-lock.json)
      --output, -o           target tarballs tar (default: ./npm-tarballs.tar)
      --concurrency, -c      number of concurrent retrieval tasks for meta/pkg (default: 4)
      --dev, -d              leech devDependencies in source. (default: false)
      --transitive-dev, -D   CAUTION! leech all transitive devDependencies. (default: false)
      --registry, -r         NPM registry. (default: http://registry.npmjs.org/)
      --verbose, -v          Verbose output. (default: false)
      --progress, -p         Progress bar. Should not be used with -v (default: true)

    examples
      $ npm-leech -i ../../package.json -o foo.tar -c 8 -d

License

MIT - @larsw

Contributors: dependabot[bot], gennon, larsw, roarbr

npm-leech's Issues

Option to store scoped packages in Artifactory layout

Hi,
In the npmjs.org registry, scoped packages have a tarball path like this:

    # npm info '@types/qs@latest' --json dist.tarball
    "https://registry.npmjs.org/@types/qs/-/qs-6.9.6.tgz"

I.e. "@scope/packagename/-/packagename-version.tgz"
When downloaded by npm-leech, the file structure in the tar file is:

    # tar tvf npm-tarballs.tar
    -rw-r--r-- 0/0            2405 2021-05-05 18:23 @types/qs-6.9.6.tgz

When this tar file is imported to Artifactory using the web interface, this layout from the tar file is kept in Artifactory. This is not the "correct" path inside Artifactory; it uses a path like this for scoped packages:

    @scope/packagename/~/@scope/packagename-version.tgz

When importing the tar file from npm-leech into Artifactory, the incorrect layout will cause issues with scoped packages that also exist without a scope with the same name and version, like "@types/qs" and "qs". It will cause a checksum error when trying to install (npm install) a package like this using Artifactory as a registry. See this bug for more info:
https://www.jfrog.com/jira/browse/RTFACT-7668

Several issues like this are reported for Artifactory, but no response from the developer that I could see.

Pushing the packages to Artifactory using "npm publish" will go through the Artifactory API and store the file with the layout expected by Artifactory.

But I hoped this could be fixed in npm-leech by adding an option to store in Artifactory layout inside the tar file. This way the bulk import of the tar file from the Artifactory web interface would work out of the box.

CI/CD

  • GitHub actions build/test/publish to NPM

npm-leech does not download dependencies with tilde (~) and caret (^) in versions

Hi,
While using npm-leech to download a package with a lot of dependencies, some dependencies failed to download with an error message like this:

    pkg-err { Error: Request failed with status code 405
        at createError (/usr/lib/node_modules/npm-leech/node_modules/axios/lib/core/createError.js:16:15)
        at settle (/usr/lib/node_modules/npm-leech/node_modules/axios/lib/core/settle.js:17:12)
        at IncomingMessage.handleStreamEnd (/usr/lib/node_modules/npm-leech/node_modules/axios/lib/adapters/http.js:236:11)
        at emitNone (events.js:91:20)
        at IncomingMessage.emit (events.js:185:7)
        at endReadableNT (_stream_readable.js:978:12)
        at _combinedTickCallback (internal/process/next_tick.js:80:11)
        at process._tickCallback (internal/process/next_tick.js:104:9)
      config:
       { url: 'http://registry.npmjs.org/accepts/~1.3.7',
    ...
         _header: 'GET /accepts/~1.3.7 HTTP/1.1\r\nAccept: application/json, text/plain, */*\r\nUser-Agent: axios/0.19.2\r\nHost: registry.npmjs.org\r\nConnection: close\r\n\r\n',
    ...
            responseUrl: 'http://registry.npmjs.org/accepts/~1.3.7',
            redirects: [],
            read: [Function] } },
      response:
       { status: 405,
         statusText: 'Method Not Allowed',

The package.json used with npm-leech version 1.2.1:

    {
      "name": "foo",
      "version": "1.0.0",
      "dependencies": {
        "express": "latest"
      }
    }

The dependencies of the package 'express', showing only the first two:

    npm show express --json dependencies
    {
      "accepts": "~1.3.7",
      "array-flatten": "1.1.1",

The dependency 'array-flatten' has a "normal" semver and is downloaded without problems.
But the dependency 'accepts' has a tilde in the semver. This causes npm-leech to download this version without resolving the tilde to a "normal" semver first. But the registry does not understand "GET http://registry.npmjs.org/accepts/~1.3.7".

Using wireshark, this is the TCP stream when downloading the package 'accepts':

    GET /accepts/~1.3.7 HTTP/1.1
    Accept: application/json, text/plain, */*
    User-Agent: axios/0.19.2
    Host: registry.npmjs.org
    Connection: close

    HTTP/1.1 405 Method Not Allowed
    Date: Wed, 05 May 2021 15:47:03 GMT
    Content-Type: application/json
    Content-Length: 63
    Connection: close
    Set-Cookie: __cfduid=db421dde183435235cd4cb62992f582121620229622; expires=Fri, 04-Jun-21 15:47:02 GMT; path=/; domain=.npmjs.org; HttpOnly; SameSite=Lax
    CF-Ray: 64ab1ae7687ffac0-OSL
    Allow: PUT
    CF-Cache-Status: DYNAMIC
    cf-request-id: 09decf24a30000fac0cd049000000001
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Server: cloudflare

    {"code":"MethodNotAllowedError","message":"GET is not allowed"}

So, shouldn't npm-leech resolve tilde and caret semvers into normal semvers before downloading packages?
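
The resolution step this issue asks for, as an added example that is not npm-leech's code or part of the original issue: pick one exact version from the package's version list, then build the request path from it. The sample metadata and all function names are constructed for illustration; only dist-tags and full `x.y.z` specs with an optional `~` or `^` prefix are handled, and prerelease versions are skipped.

```javascript
// Added example, not npm-leech code. Supports exact versions, ~, ^ and dist-tags.
// Constructed sample shaped like registry metadata for one package.
const samplePackument = {
  name: 'accepts',
  'dist-tags': { latest: '2.0.0' },
  versions: { '1.3.5': {}, '1.3.7': {}, '1.3.8': {}, '1.4.0-beta.1': {}, '2.0.0': {} },
};

// "1.3.7" -> [1, 3, 7]; prerelease and malformed strings return null.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound: ~ allows patch updates, ^ keeps the left-most
// non-zero component fixed.
function upperBound(op, [maj, min, pat]) {
  if (op === '~') return [maj, min + 1, 0];
  if (maj > 0) return [maj + 1, 0, 0];
  return min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
}

function resolveSpec(packument, spec) {
  const tags = packument['dist-tags'] || {};
  if (Object.prototype.hasOwnProperty.call(tags, spec)) return tags[spec];
  const m = /^([~^]?)(\d+\.\d+\.\d+)$/.exec(spec);
  if (!m) throw new Error(`unsupported spec: ${spec}`);
  const low = parse(m[2]);
  const high = m[1] ? upperBound(m[1], low) : null;
  let best = null;
  for (const v of Object.keys(packument.versions)) {
    const p = parse(v);
    if (!p || cmp(p, low) < 0) continue;
    const inRange = high ? cmp(p, high) < 0 : cmp(p, low) === 0;
    if (inRange && (!best || cmp(p, best) > 0)) best = p;
  }
  if (!best) throw new Error(`no version of ${packument.name} satisfies ${spec}`);
  return best.join('.');
}

// Path for the version-specific metadata request, e.g. /accepts/1.3.8
function versionPath(packument, spec) {
  return `/${packument.name}/${resolveSpec(packument, spec)}`;
}
```

For the full range grammar, the `semver` package's `maxSatisfying(versions, range)` does the same selection.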
