Current Behavior
allow-remote=none (shipped in #9287) blocks every install, including ones whose entire dep tree is name@version from the registry. The config description says it's meant to block "dependencies that point to a tarball url instead of a version or
semver range," but in practice it also blocks the registry's own tarball URLs.
Repro:
mkdir /tmp/repro && cd /tmp/repro
echo '{"name":"repro","version":"1.0.0","dependencies":{"abbrev":"^3.0.0"}}' > package.json
npm install --allow-remote=none
# npm error code EALLOWREMOTE
# npm error Fetching packages of type "remote" have been disabledabbrev resolves fine through pacote.manifest (spec.type is range, gated by allowRegistry). The failure is later at reify, where res for pacote.extract is built from node.resolved:
// arborist/lib/arborist/reify.js ~670
const registryResolved = this.#registryResolved(node.resolved)
if (registryResolved) {
res = `${node.name}@${registryResolved}` // ← this is name@URL
}registryResolved returns the registry tarball URL, so res ends up as abbrev@https://registry.npmjs.org/abbrev/-/abbrev-3.0.1.tgz. npa parses that as type=remote and pacote's gate fires. Stack confirms:
EALLOWREMOTE spec=abbrev@https://registry.npmjs.org/abbrev/-/abbrev-3.0.1.tgz
at FetcherBase.get (pacote/lib/fetcher.js:500)
at pacote.extract (pacote/lib/index.js:19)
at #extractOrLink (arborist/lib/arborist/reify.js:703)
Arborist already knows this is a registry URL because the registryResolved branch was taken three lines earlier. It just doesn't tell pacote. I think the fix is to set allowRemote: 'all' for that one call when the resolved URL is registry-origin
— guarded by a host match against this.registry so a tampered node.resolved pointing somewhere else still hits the gate.
Found this while validating fixes for two other bugs in the same shipped feature (allow-directory not enforcing on the default symlink path, and allow-X=root not actually blocking transitives). Those are tracked separately.
Current Behavior
allow-remote=none(shipped in #9287) blocks every install, including ones whose entire dep tree isname@versionfrom the registry. The config description says it's meant to block "dependencies that point to a tarball url instead of a version orsemver range," but in practice it also blocks the registry's own tarball URLs.
Repro:
abbrev resolves fine through
pacote.manifest(spec.type isrange, gated byallowRegistry). The failure is later at reify, whereresforpacote.extractis built fromnode.resolved:registryResolvedreturns the registry tarball URL, soresends up asabbrev@https://registry.npmjs.org/abbrev/-/abbrev-3.0.1.tgz. npa parses that astype=remoteand pacote's gate fires. Stack confirms:Arborist already knows this is a registry URL because the
registryResolvedbranch was taken three lines earlier. It just doesn't tell pacote. I think the fix is to setallowRemote: 'all'for that one call when the resolved URL is registry-origin— guarded by a host match against
this.registryso a tamperednode.resolvedpointing somewhere else still hits the gate.Found this while validating fixes for two other bugs in the same shipped feature (
allow-directorynot enforcing on the default symlink path, andallow-X=rootnot actually blocking transitives). Those are tracked separately.