
download packages using https #166

Closed
beygi opened this issue Nov 20, 2014 · 6 comments

Comments

@beygi

beygi commented Nov 20, 2014

When we use https://registry.npmjs.org/ or any https server as our main registry, sinopia should download packages using https, not http, just like npm itself. I think this is a security issue too.

@tcort
Contributor

tcort commented Nov 20, 2014

> when we use https://registry.npmjs.org/ or any https server as our main registry , sinopia should download packages using https not http

From my testing, it looks like sinopia does download packages via https as long as the url for the npmjs uplink in the config.yaml is the https one:

```
 info  <-- 192.168.1.123 requested 'GET /wkhtmltox'
 info  --> making request: 'GET https://registry.npmjs.org/wkhtmltox'
 http  --> 200, req: 'GET https://registry.npmjs.org/wkhtmltox', bytes: 0/18739
 debug -=- updating package info
 http  <-- 200, user: undefined, req: 'GET /wkhtmltox', bytes: 0/2564
```

If you mean that you want sinopia to serve packages over https, then there is already an Issue #71 and Pull Request #162.

@beygi
Author

beygi commented Nov 20, 2014

Yes, but in your sample the actual package file is `wkhtmltox-0.11.0.tgz`,
and it is downloaded using this url:
http://registry.npmjs.org/wkhtmltox/-/wkhtmltox-0.11.0.tgz
not this url:
https://registry.npmjs.org/wkhtmltox/-/wkhtmltox-0.11.0.tgz

Standard npm downloads from the https link, and sinopia's behavior differs from standard npm.
This issue makes sinopia unusable in countries such as Iran and China, because these countries
filter data transfers over http (https is OK, by the way), and when we are using sinopia we are unable
to install packages with dirty names like "hooker":
https://www.npmjs.org/package/hooker
or sex!:
https://www.npmjs.org/package/sex
For example, as you can see, hooker is a dependency of some major packages like "grunt".

Changing this behavior is not a weird thing, because standard npm is already doing that, and I hope sinopia acts like standard npm.

@tcort
Contributor

tcort commented Nov 20, 2014

Hmmm, interesting. It looks like registry.npmjs.org provides JSON which points to http://

From https://registry.npmjs.org/wkhtmltox:

```
...
"tarball":"http://registry.npmjs.org/wkhtmltox/-/wkhtmltox-0.11.0.tgz"
...
```

Digging into the npm code, they fix-up the tarball URL to use the same protocol as the registry. See npm:lib/cache/add-named.js#L174.
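
The protocol fix-up tcort points at, as an added example in the spirit of that npm code rather than sinopia's or npm's own implementation: it rewrites the `dist.tarball` URLs of a package document to the uplink registry's protocol, so an https uplink never yields plaintext tarball downloads. The function name and the sample document are constructed for this illustration; the host check that leaves tarballs hosted elsewhere untouched is an extra safeguard of mine, not something the thread describes.

```javascript
// Added example (not sinopia's or npm's own code). Rewrites tarball URLs in
// a registry package document so they use the same protocol as the uplink
// registry. Uses Node's global WHATWG URL class; no third-party modules.
function rewriteTarballProtocol(pkgDoc, uplinkUrl) {
  const uplink = new URL(uplinkUrl);              // e.g. https://registry.npmjs.org/
  const doc = JSON.parse(JSON.stringify(pkgDoc)); // work on a copy, not the cached doc
  const changed = [];                             // versions whose tarball URL was rewritten
  for (const [version, meta] of Object.entries(doc.versions || {})) {
    const tarball = meta && meta.dist && meta.dist.tarball;
    if (typeof tarball !== 'string') continue;
    let tb;
    try { tb = new URL(tarball); } catch (e) { continue; } // leave unparsable values alone
    // Extra safeguard (my assumption, not npm's quoted behaviour): only rewrite
    // tarballs that point back at the uplink host, never re-point other hosts.
    if (tb.host !== uplink.host) continue;
    if (tb.protocol !== uplink.protocol) {
      tb.protocol = uplink.protocol;              // http: -> https: when the uplink is https
      meta.dist.tarball = tb.toString();
      changed.push(version);
    }
  }
  return { doc, changed };
}

// Constructed sample document modelled on the snippet quoted in the thread;
// 0.12.0 and 0.13.0 are invented versions used only to exercise the edge cases.
const sampleDoc = {
  name: 'wkhtmltox',
  versions: {
    '0.11.0': { dist: { tarball: 'http://registry.npmjs.org/wkhtmltox/-/wkhtmltox-0.11.0.tgz' } },
    '0.12.0': { dist: { tarball: 'https://registry.npmjs.org/wkhtmltox/-/wkhtmltox-0.12.0.tgz' } },
    '0.13.0': { dist: { tarball: 'http://mirror.example.invalid/wkhtmltox-0.13.0.tgz' } },
  },
};

const result = rewriteTarballProtocol(sampleDoc, 'https://registry.npmjs.org/');
console.log(result.changed, result.doc.versions['0.11.0'].dist.tarball);
```

Only 0.11.0 is rewritten: 0.12.0 already matches the uplink protocol and 0.13.0 lives on a different host.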

@beygi
Author

beygi commented Nov 20, 2014

Exactly, and this is what I'd like to see in sinopia.

@Bersam

Bersam commented Nov 23, 2014

I consider this behavior too; it would be great if sinopia used https links instead of http, like npm itself.

rlidwka added a commit that referenced this issue Dec 22, 2014
Or, in general, the same protocol as the registry;
this is what npm seem to be doing.

See issue #166 for details.
@rlidwka
Owner

rlidwka commented Mar 30, 2015

I believe it was fixed in ed3eb37 and released in [email protected].

Thanks for reporting!

@rlidwka rlidwka closed this as completed Mar 30, 2015
rmg pushed a commit to strongloop-forks/sinopia that referenced this issue Jun 1, 2017