fix(resolution): Normalise non-HTTPS NPM registry URLs too #6353
Commits on Sep 3, 2018
-
fix(resolution): Normalise non-HTTPS NPM registry URLs too
For some packages the NPM registry is incorrectly returning tarball URLs that are not using HTTPS. For example: `http://registry.npmjs.org/onetime/-/onetime-1.1.0.tgz` Previously the `registry.npmjs.org` -> `registry.yarnpkg.com` tarball URL normalisation was not occurring for these non-HTTPS URLs, causing unwanted `http://registry.npmjs.org` references in `yarn.lock`. Whilst the real fix needs to be made upstream: https://npm.community/t/some-packages-have-dist-tarball-as-http-and-not-https/285 ...this change prevents lockfile churn and insecure package downloads over HTTP in the meantime. The request-cache entry for `onetime` has been updated to the current NPM registry response, which contains the bogus `tarball` URLs. Fixes #6259.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.