-
Notifications
You must be signed in to change notification settings - Fork 653
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
download packages using https #166
Comments
From my testing, it looks like sinopia does download packages via https as long as the url for the npmjs uplink in the
If you mean that you want sinopia to serve packages over https, then there is already an Issue #71 and Pull Request #162. |
yes , but in your sample actual package file is : wkhtmltox-0.11.0.tgz standard npm downloads from https link and sinopia's behavior differs from standard npm . changing this behavior is not a wired thing because standard npm already doing that and i hope sinopia acts like standard npm . |
Hmmm interesting, it looks like registry.npmjs.org provides JSON which points to http:// From https://registry.npmjs.org/wkhtmltox :
Digging into the npm code, they fix-up the tarball URL to use the same protocol as the registry. See npm:lib/cache/add-named.js#L174. |
exactly and this is what i like to see in sinopia |
I consider this behavior too, it would be great if sinopia use https links instead of http, like npm itself. |
Or, in general, the same protocol as the registry; this is what npm seem to be doing. See issue #166 for details.
I believe it was fixed in ed3eb37 and released in [email protected]. Thanks for reporting! |
fix upstream search
when we use https://registry.npmjs.org/ or any https server as our main registry , sinopia should download packages using https not http , just like npm itself . i think this is a security issue too
The text was updated successfully, but these errors were encountered: