Set lowercase headers for NPM audit requests #62
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR fixing https://npm.community/t/npm-audit-making-non-rfc-compliant-requests-to-server-resulting-in-400-bad-request-pr-with-fix/1742
NPM audit making non-RFC-compliant requests to server resulting in 400 Bad Request (+ PR with fix)
What I Wanted to Do
Run the
npm audit
command against a custom registry, and get back the expected result from this command.What Happened Instead
The server returned a
400 bad Request
status code.So instead of blaming NPM, I dove into the server code, and after a long search found out that NPM's audit command sends the
content-type
HTTP header twice.Reproduction Steps
Not applicable as they are very specific. But do read on, please.
Details
Here's the verbose log from running
npm audit
against my repo:Having some HTTP inspector in between, this is the request that was made:
The issue in this request is that any webserver that does request filtering will throw a
400 Bad request
as a response. Why? The issue is in having thecontent-type
header sent twice:Having looked in the NPM source code, the
npm audit
command sets its header here:https://github.com/npm/cli/blob/latest/lib/install/audit.js#L90
Have a good look, as there is nothing wrong here. Except, take note that the header is CamelCase
Content-Type
.Diving into making the request, we can see this block:
https://github.com/npm/npm-registry-fetch/blob/latest/index.js#L39
The check that happens there checks lowercase
content-type
, and when that does not exist, addscontent-type: application/octet-stream
.After some debugging, I found this to be the issue of seeing duplicate headers.
How to fix? There are two potential fixes, and I created a PR for one.
Platform Info