
package-json's People

Contributors

arthurvr, bendingbender, coreyfarrell, homerjam, hutson, iamstarkov, kenany, ntwb, rexxars, richienb, rsp, samverschueren, shushlyakov, sindresorhus, stoically, tido64, tommy-mitchell


package-json's Issues

Using package-json behind proxy

Module "got" allows usage of http tunneling to work behind a proxy.
package-json doesn't seem to handle given http/https proxies (either within npm config or env)
and is not working behind a proxy (RequestError: connect ETIMEDOUT)

query not as expected

import _packageJson, {
	Options,
	AbbreviatedVersion,
	AbbreviatedMetadata,
	FullMetadataOptions,
	FullMetadata,
} from 'package-json';

_packageJson('typescript', {
	version: '^4.0.0-dev.20200615',
}).then((json) => {
	console.dir(json)
})

console.dir(new Range('^4.0.0-dev.20200615'), {
	depth: null,
})

should return 4.1.0-dev.20200811 but get 4.0.0-dev.20200803

semver range ^4.0.0-dev.20200615 same as >=4.0.0-dev.20200615 <5.0.0-0

feature request: make it isomorphic

by using isomorphic-fetch or whatever equivalent (or making "got" isomorphic), we could make this module isomorphic, which would be nice for web apps wanting to check their version!

if registry doesn't end in /, scoped packages return `Basic authentication must be done with auth option`

Set up

# custom registry for specific scope
# notice example.com doesn't end in a slash!
$ npm config set @dylang:registry http://example.com
// scoped package that matches custom registry
packageJson('@dylang/scoped-test').then(...)

Error

Registry error Basic authentication must be done with auth option

What's happening

index.js #L9-10:

var url = registryUrl(scope) +
        encodeURIComponent(name).replace(/^%40/, '@');

This results in the url:

http://example.com@dylang/%2Fscoped-test

Solutions

  • Use node's url to generate the url, just to be safe.
  • Change registry-url to append a / if it's not there.
  • Tell everyone to end their custom registry setting with a /. 😄

Enterprise Private Repositories

This is an absolutely wonderful and truly useful project, thank you. 😊

It is also an absolutely useless project for anyone using an enterprise repository 😦. The problem is that package-json uses registry-url, a library you might as well replace with the hard-coded value https://registry.npmjs.org/.

I know registry-url can be "configured", but their suggested method really isn't practical for large enterprise use.

Would you accept a PR which uses npm-conf instead? It would address a number of issues (including #35) and enhance this project's wonderfulness!

(trying not to waste time putting together a PR that will be ignored)

Note: We are using JFrog, so all traffic is proxied through our private repo.

Support usage behind proxy

#43 was closed as a dupe of #22. And in #22 you said:

Not interested in adding extra stuff for proxy support here. Builtin proxy support is planned for got and you could help out with that instead.

However on Sept 4th, 2018 you then closed sindresorhus/got#79 saying:

It's just too complicated and would bloat Got.

You passed the issue upstream initially but now have passed it back downstream to yourself here. So, any chance of supporting HTTP_PROXY / HTTPS_PROXY?

Is `options.allVersions` needed?

I think it has the same output as calling packageJson without specifying a version?

package-json/index.js

Lines 54 to 84 in b4ee1c7

if (options.allVersions) {
	return data;
}
let {version} = options;
const versionError = new VersionNotFoundError(packageName, version);
if (data['dist-tags'][version]) {
	const {time} = data;
	data = data.versions[data['dist-tags'][version]];
	data.time = time;
} else if (version) {
	if (!data.versions[version]) {
		const versions = Object.keys(data.versions);
		version = semver.maxSatisfying(versions, version);
		if (!version) {
			throw versionError;
		}
	}
	const {time} = data;
	data = data.versions[version];
	data.time = time;
	if (!data) {
		throw versionError;
	}
}
return data;

`AbbreviatedMetadata` type is incorrect

To reproduce

const metadata: AbbreviatedMetadata = await packageJson('react')
metadata.versions // actually undefined, but has type Readonly<Record<string, AbbreviatedVersion>>
metadata.version // actually a string, but has type unknown

It seems strange that the types are broken out-of-the-box. Am I doing something wrong here?

Token not found for private repository

I have a .npmrc file that looks like this:

always-auth=true
registry=https://npm.tn-dev.com/

If I try to get the package info, e.g. of mysql, it fails to find the corresponding token. The problem seems to be that it is looking for mysql:_authToken instead of //npm.tn-dev.com/:_authToken in the npmrc.

The following change to the code solves the problem for me, but I'm not sure if this is really a bug/problem of the library or if it is a problem with my setup:

var token = npmrc[scope + ':_authToken'] || npmrc['//registry.npmjs.org/:_authToken'] || npmrc[registryUrl(scope).replace(/^https:/,'')+':_authToken'];
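
The lookup this post is asking for, as an added example (not code from package-json or registry-auth-token): the token key is derived from the registry URL in the `//host/path/:_authToken` form shown above, so a token is only ever matched to the registry host it is stored under. `parseNpmrc` and `tokenForRegistry` are hypothetical helpers, and the token values are constructed.

```javascript
// Added example, not package-json's or registry-auth-token's code.
// parseNpmrc and tokenForRegistry are hypothetical helpers.

// Minimal .npmrc reader: "key=value" lines, "#" and ";" start comments.
function parseNpmrc(text) {
	const config = Object.create(null);
	for (const raw of text.split(/\r?\n/)) {
		const line = raw.trim();
		if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
		const eq = line.indexOf('=');
		if (eq === -1) continue;
		config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
	}
	return config;
}

// Look up "//host/path/:_authToken", from the most specific path to the root.
// Only keys on the registry's own host are considered.
function tokenForRegistry(npmrc, registryUrl) {
	const {host, pathname} = new URL(registryUrl);
	let path = pathname.endsWith('/') ? pathname : `${pathname}/`;
	for (;;) {
		const key = `//${host}${path}:_authToken`;
		if (npmrc[key] !== undefined) return {key, token: npmrc[key]};
		if (path === '/') return undefined;
		path = path.slice(0, path.lastIndexOf('/', path.length - 2) + 1);
	}
}

// Constructed .npmrc: registry lines from the post, token values made up.
const SAMPLE_NPMRC = [
	'always-auth=true',
	'registry=https://npm.tn-dev.com/',
	'//npm.tn-dev.com/:_authToken=constructed-tn-dev-token',
	'//registry.npmjs.org/:_authToken=constructed-npmjs-token',
].join('\n');

const rc = parseNpmrc(SAMPLE_NPMRC);
console.log(tokenForRegistry(rc, rc.registry));
console.log(tokenForRegistry(rc, 'https://unrelated.example/'));
```

A registry with no matching `//host/...` key gets no token at all, rather than falling back to a token stored for a different host.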

got dependency needs to be updated to 11.8.5

A fix for version 6.5.0 should be done due to the moderate severity vulnerability alert shown via the npm audit command caused by got dependency. The adoption of the ESM-only package is quite slow.

Steps

npm i package-json@6.5.0
npm audit

npm audit report

got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json

Git url support

Would be nice to support git urls as well.

require("package.json")("git@github.com:sindresorhus/package-json.git", console.log);

What do you think?

Add gotOpts

I see that since the proxy request was closed (#22) proxy support has been added to got.

I would like to be able to pass options through to got so that I can use a tunneling agent over a proxy.

Would you consider a pull request to add this in? If you are, I'd be happy to have a go.

scoped package support

I'm interested in using update-notifier for scoped packages.

However, looking into package-json and registry-url, I don't believe it's possible to use update-notifier with a package that has been installed via npm install @myco/mypackage after having set the appropriate npm scope config option npm config set @myco:registry http://reg.example.com.

It looks like registry-url will only retrieve a catch-all registry override, registry, and not scope registries.

Perhaps it's possible to either pass in the name of a scope to registry-url, or just have registry-url return all registries in the .npmrc file such that package-json can choose the appropriate one?

Private repo with SSL certificate and key

While debugging yeoman/update-notifier#100 I noticed this module does not use npm-config ssl properties:

I want to create a PR for this issue. How would you proceed?

  • is there a module like registry-url or registry-auth-token which returns this information
    • should I create such a module?
  • should registry-auth-token return this information?
  • I also found no solution adding ssl infos to got. Is it possible to switch the request lib?

Calling got with no retry limit causes infinite retries when the request times out.

My connection to the npm registry is so bad that it always times out.
So today I installed yeoman from the Taobao registry and it hung on the post-install script yo doctor after printing out the npm version.
After some time debugging I found that when yo doctor checks yo-version, it uses latest-version, which uses package-json to fetch package.json from the network. https://github.com/yeoman/doctor/blob/master/lib/rules/yo-version.js#L17

Then I found that, in https://github.com/sindresorhus/package-json/blob/master/index.js#L71, the gotOptions contains no timeout and retry; after trying some breakpoints I found out why it gets stuck.

got defaults to no retry limit and has a random increasing delay between retries. When given no retry option, it always gets an ETIMEOUT on the HTTP request and retries, retries, and retries. So my yo doctor hangs with no further output, and thus yeoman cannot be installed until I choose --ignore-scripts. I tried adding a timeout but it still always retries, so in my view a retry limit is necessary.
Though the version of package-json is 4.0.1 in the dependencies of yo doctor, there's still no retry limit in the current version v6.50, I figure.
I tried adding retry: 3 and, after the retries, it returns an ETIMEOUT error, package-json can catch it and rethrow, and yo doctor succeeds in running the remaining code.

I suggest that package-json provide a default retry limit of 5 or 3 or whatever makes sense, and also provide retry and timeout as options. When a user cannot connect to the registry, it can at least provide some error messages instead of always retrying and hanging.

private scoped packages always return 404

If there is a private scoped package you have access to, the registry will return the info instead of a 404.

However, it seems that if auth data is not included in the request, the registry doesn't know who you are and will always return a 404 for private packages.

[React] literally crashes the app: "TypeError: process.versions.node is undefined"

hi,

Steps to reproduce

React ~16 or React 17 (doesn't matter)
When this code is in my app everything is broken (my app crashes on the first render). I tested many times and I'm sure this code provokes the error ... I haven't used it, but just requiring the package ...:

const packageJson = require('package-json');

no more code needed, unfortunately :/
I had node 16.3.
I don't know why my node version is important for an http request, but anyway the current nodejs is now v14, so ...

If it doesn't matter, it would be nice to add "no react support" or "no browser support"?

I haven't tested yet without react [...]

Update registry-auth-token

registry-auth-token needs to be upgraded to clear NODE-SECURITY-813 CVE - related to js-yaml 3.10.0 (fixed in >=3.13.1)

Doesn't work properly for scoped packages

I'm using the latest-version package to fetch the latest version of one of my modules that is published to an internal Docker-containerized sinopia repo. It relies on package-json to fetch the latest package from npm.

The url that gets built by this package-json for purposes of fetching the package file is incorrect in my case.

If the package-json method is called with:

name      @scope/package-name
version   latest

The value of url winds up being http://<npm server>@scope/package-name (note the lack of a slash after the server, as well as the unencoded slash in the scope/package-name).

Our Sinopia repo is unable to locate the package unless the url is of the format http://<npm server>/@scope%2fpackage-name. Is this a bug in this module? Or would you consider it to be a bug with our Sinopia server?
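
Both this issue and the earlier "if registry doesn't end in /" issue come from the same string concatenation. The added example below (not package-json's code) shows why the missing slash matters: the registry host lands in the userinfo position of the URL, so the request is no longer addressed to the registry. `buildUrlNaive` mirrors the concatenation quoted from index.js; `encodeName`, `buildUrlSafe` and `parseParts` are hypothetical helpers, and the inputs are taken from the issue text.

```javascript
// Added example; buildUrlNaive mirrors the concatenation quoted from index.js
// in the issue, the other helpers are hypothetical.

// Scoped names keep a literal "@" and encode the "/" as %2F.
function encodeName(name) {
	return encodeURIComponent(name).replace(/^%40/, '@');
}

function buildUrlNaive(registry, name) {
	return registry + encodeName(name);
}

function buildUrlSafe(registry, name) {
	// Normalise the registry so that it ends in a "/".
	const base = new URL(registry.endsWith('/') ? registry : `${registry}/`);
	const url = new URL(base.href + encodeName(name));
	// Defensive check: the request must still target the configured registry.
	if (url.host !== base.host || url.username !== base.username) {
		throw new Error(`Refusing to request ${url.href}: host changed`);
	}
	return url.href;
}

// Split a URL into the parts that decide where the request goes.
function parseParts(urlString) {
	try {
		const {username, hostname, pathname} = new URL(urlString);
		return {username, hostname, pathname};
	} catch {
		return {invalid: true};
	}
}

// Inputs taken from the issue text.
const REGISTRY = 'http://example.com'; // no trailing slash
const NAME = '@dylang/scoped-test';
const REPORTED_URL = 'http://example.com@dylang/%2Fscoped-test';

console.log(buildUrlNaive(REGISTRY, NAME));
console.log(parseParts(REPORTED_URL));
console.log(buildUrlSafe(REGISTRY, NAME));
```

In the reported URL the parser sees `example.com` as a username and `dylang` as the host, which matches the "Basic authentication must be done with auth option" error quoted in the earlier issue.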

Doesn't throw error on invalid package version?

Was trying this module with an invalid version of hapi and noticed that it doesn't hit my catch() block, and returns undefined for data.

var check = require('requiresafe/lib/check');
var formatters = require('requiresafe/lib/formatters/index');
var packageJson = require('package-json');

// checkPackage('gulp-cli');
// checkPackage('hapi', 'latest');
checkPackage('hapi', '6.6.6');

function checkPackage(name, version) {
  version = version || 'latest';
  packageJson(name, version).then(function (data) {
    console.log('name: %s, version: %s', name, version);
    console.log(data);
    check({package: data}, function (err, results) {
      var output = formatters.summary(err, results);
      console.log('%s@%s', name, version);
      console.log(output);
    });
  }).catch(function (err) {
    console.log('Unexpected error:');
    console.log(err);
  });
}

Workaround:

Explicitly throw an Error from my .then() if data is falsey:

    if (!data) {
      throw new Error('Unexpected name/version. Got: ' + name + '@' + version);
    }

Feature: Explicit registry parameter

I am using Verdaccio with Active Directory authentication. I wanted to use auto-dist-tag which uses package-json.

In your README, you specify that

Both public and private registries are supported, for both scoped and unscoped packages, as long as the registry uses either bearer tokens or basic authentication.

It does not seem that Verdaccio with Active Directory uses either.

Because of this, I ask that we add a parameter to use a specific registry. Other solutions are welcome.

More details of my setup in Turbo87/auto-dist-tag#8
