Does Artifactory Support ShrinkwrapNPM dependency urls?

Subject 

Artifactory does not support shrinkwrap URLs for NPM dependencies

Description

Artifactory does not support shrinkwrap URLs for NPM dependencies.  The npm client uses checksums in order to verify a package, and using shrinkwrap forces changing the checksum on-the-fly. This is time consuming and will result in a time out.

Additionally hard coding NPM dependency URLs is not best practice and shrinkwrap URLs are known to have issues when interacting with proxies

  • Npm install -ddd will show resolution ignoring .npmrc configurations
    • Usually going to registry.npmjs.org
  • Resolution results in a 400 error
    • One possible error is "418 I'm a teapot"
  • If registry.npmjs.org is unavailable the resolution can time out

Resolution

Hard-coded URLs are outside of Artifactory control.  There are several ways to address this issue:

  1. Ignore shrinkwrap, using:
    1. npm install <package-name> –no-shrinkwrap
    2. This introduces a risk that a version of a dependency install will be a different version than the one defined in shrinkwrap
  2. Change dependencies
    1. Change registry.npmjs.org to <artifactory:port>/artifactory/api/npm/npmjs in package.json
    2. This can be tedious process especially with large number of dependencies.
  3. Side load the artifact
    1. Users resolve to a virtual Repository
    2. Virtual repository contains remote repository and a local repository (to host cache)
    3. periodically copy the contents of the remote cache to the local repository
    4. Note that this approach may have delay the latest getting the latest artifacts.

for more information see https://blog.npmjs.org/post/145724408060/dealing-with-problematic-dependencies-in-a