verdaccio: "publish --force" and "unpublish VERSION" seem to be broken
Describe the bug
I tried to look at #1359 and #1405 but couldn’t find a solution.
I’m using ~~https://github.com/Remitly/verdaccio-s3-storage~~ https://registry.verdaccio.org/-/web/detail/verdaccio-aws-s3-storage as a storage plugin, but you can comment the whole storage key in configuration and it will be the same (except for one thing that is pointed out below).
npm publish --force
If I try to overwrite an existing package version with a new one:
```bash
npm publish --force --registry MY_REPO
```
The result is:
- old package is removed from the remote storage and the web UI doesn’t show it
- the `npm` command fails with:
  ```
  npm ERR! code EPUBLISHCONFLICT
  npm ERR! publish fail Cannot publish over existing version.
  npm ERR! publish fail Update the 'version' field in package.json and try again.
  npm ERR! publish fail
  npm ERR! publish fail To automatically increment version numbers, see:
  npm ERR! publish fail npm help version
  npm ERR! A complete log of this run can be found in:
  npm ERR! /Users/marco/.npm/_logs/2019-08-10T13_46_04_312Z-debug.log
  ```
- running the same exact command again publishes successfully
npm unpublish --force SPECIFIC_VERSION
If I try to unpublish the package first to avoid errors:
```bash
npm unpublish "@test/my-pack@1.0.0-beta" --force --registry MY_REPO
```
The result is:
- `npm` exits with no errors and says that the package has been removed
- the package still shows up on the AWS S3 storage and on the web UI
- trying to publish the same package from now on will result in failures (this doesn’t happen when using local storage: publishing again works as with the command above)
The only way I found to recover from this situation was:
- removing the `.tgz` archive manually from the storage
- restart the verdaccio server
These commands don’t work as expected.
To Reproduce
I’m using the following Dockerfile to speed up testing:
```dockerfile
FROM verdaccio/verdaccio:latest
USER root
ENV NODE_ENV=production
# Install "envsubst" to replace ENV_VARS in config
RUN apk add gettext libintl
# Install AWS S3 Plugin
RUN yarn add verdaccio-aws-s3-storage --production=true --no-lockfile --registry https://registry.verdaccio.org
# Copy configuration and .htpasswd
COPY ./config.yml $VERDACCIO_APPDIR/conf/config.yaml
# Fix permissions
RUN chown -R $VERDACCIO_USER_UID:root $VERDACCIO_APPDIR/conf/config.yaml \
    && chmod -R g=u $VERDACCIO_APPDIR/conf/config.yaml
USER $VERDACCIO_USER_UID
# Set user credentials, replace ENV_VARS in config and finally run Verdaccio
# (envsubst writes to a temporary file first: redirecting its output straight
# onto its own input file would truncate the config before it is read)
CMD echo "$HTPASSWD" > /verdaccio/storage/htpasswd \
    && envsubst \$AWS_S3_BUCKET,\$AWS_S3_PATH_PREFIX,\$AWS_DEFAULT_REGION,\$AWS_S3_ENDPOINT,\$AWS_S3_PATH_STYLE,\$AWS_ACCESS_KEY_ID,\$AWS_SECRET_ACCESS_KEY < $VERDACCIO_APPDIR/conf/config.yaml > /tmp/config.yaml \
    && cat /tmp/config.yaml > $VERDACCIO_APPDIR/conf/config.yaml \
    && $VERDACCIO_APPDIR/bin/verdaccio --config $VERDACCIO_APPDIR/conf/config.yaml --listen $VERDACCIO_PROTOCOL://0.0.0.0:$VERDACCIO_PORT
```
This docker-compose.yml should run your registry:
```yaml
version: '2.1'
services:
  verdaccio:
    image: testing/private-verdaccio-s3:latest
    environment:
      AWS_S3_BUCKET:
      AWS_S3_PATH_PREFIX:
      AWS_ACCESS_KEY_ID:
      AWS_SECRET_ACCESS_KEY:
      AWS_DEFAULT_REGION:
      AWS_S3_ENDPOINT:
      AWS_S3_PATH_STYLE: "true"
      # User is demo:demo
      HTPASSWD: |
        demo:$apr1$uq2Uw53i$dS7GoGvNuupumWvXjOJ.R1
    ports:
      - "4874:4873"
```
Configuration file config.yml:
```yaml
#
# This is the config file used for the docker images.
# It allows all users to do anything, so don't use it on production systems.
#
# Do not configure host and port under `listen` in this file
# as it will be ignored when using docker.
# see https://verdaccio.org/docs/en/docker#docker-and-custom-port-configuration
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#

# path to a directory with all packages
storage: /verdaccio/storage/data

# comment this section entirely to disable AWS S3
store:
  aws-s3-storage:
    bucket: $AWS_S3_BUCKET
    keyPrefix: $AWS_S3_PATH_PREFIX
    region: $AWS_DEFAULT_REGION
    endpoint: $AWS_S3_ENDPOINT
    s3ForcePathStyle: $AWS_S3_PATH_STYLE
    accessKeyId: $AWS_ACCESS_KEY_ID
    secretAccessKey: $AWS_SECRET_ACCESS_KEY

web:
  title: Verdaccio

auth:
  htpasswd:
    file: /verdaccio/storage/htpasswd
    max_users: -1

security:
  api:
    jwt:
      sign:
        expiresIn: 60d
        notBefore: 1
  web:
    sign:
      expiresIn: 7d
      notBefore: 1

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '**':
    access: $all
    publish: $all
    unpublish: $all
    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

middlewares:
  audit:
    enabled: true

# log settings
logs:
  - { type: stdout, format: pretty, level: http }

listen:
  - 0.0.0.0:4873
```
Put these 3 files in a folder called verdaccio-test, then build and run everything:
```bash
cd /path/to/verdaccio-test
docker build -t testing/private-verdaccio-s3:latest .
docker-compose up -d
# Attach to logs
docker logs -f verdaccio-test_verdaccio_1
# use http://127.0.0.1:4874
```
Expected behavior
Packages should be deleted correctly.
Conclusion
I hope that everything is clear enough, please feel free to ask for further information.
Thank you for your time.
About this issue
- State: closed
- Created 5 years ago
- Reactions: 1
- Comments: 31 (15 by maintainers)
Commits related to this issue
- fix: verdaccio/verdaccio/issues/1435 — committed to favoyang/monorepo by favoyang 5 years ago
- fix: verdaccio/verdaccio/issues/1435 (#289) more details here https://github.com/verdaccio/verdaccio/issues/1435#issuecomment-559977118 — committed to verdaccio/monorepo by favoyang 5 years ago
- fix: require package existence on registry for unpublishing Attempting to unpublish a package that doesn't exist on the Verdaccio registry leads to errors. See https://github.com/verdaccio/verdaccio/... — committed to nom-app/create-nom-app by MaximDevoir 4 years ago
Here’s the breakdown for all bugs mentioned in the issue.
TLDR: jump to the last paragraph.
Bug 1 - `npm unpublish -f` failed with error, but package is actually removed by verdaccio.

Fact 2 - `npm unpublish [-f] pkg@version` works as expected after patching PR https://github.com/verdaccio/monorepo/pull/289

Bug 3 - `npm publish -f` (republish) failed with error, but the package@version file is removed by verdaccio (`npm publish -f` == `npm unpublish -f`). Thus run the publish command again will succeed, because verdaccio thinks you’re publishing a new version.

- `publish -f`, the server returns a 403 (permission error)
- `publish -f`, the server returns 409 (conflict error)
- `-f`, fetches package info, the server returns 200
- `-f`.
- `publish -f pkg@version` == `unpublish pkg@version`)

Based on the analysis

- `npm unpublish -f` bug for s3 storage.
- `publish -f` bug is not fixable by verdaccio. I suggest you run `npm unpublish pkg@version`, then `npm publish` to simulate the `npm publish -f`.

@liarco I have verified the issue only appears in S3, and fixed in https://github.com/verdaccio/monorepo/pull/289, see the PR description for details.
@flyfishMT
The metadata is just a JSON file, quite simple to read, if you want to get rid of one specific version, you need to remove it from different sections.
This is something that handles the client, the fields added by verdaccio are prefixed with underscore eg: `_distfiles`.
If you don’t have published packages in the X package, then just do as @liarco suggested, remove the package.json file or the whole folder.
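
The manual clean-up described in the comment above and in the issue's recovery steps (remove one version from every metadata section, then delete its `.tgz`) could be scripted as follows. This is an added example, not code from this thread or from Verdaccio; the section names `versions`, `time`, `dist-tags` and `_attachments` are assumptions about the metadata file layout (only `_distfiles` is named above), and the sample metadata is constructed.

```javascript
// Added example: strip one version from a Verdaccio-style metadata object.
// Section names other than `_distfiles` are assumptions about the file layout.

// Tarball file name for a version: the scope is not part of the file name.
function tarballName(pkgName, version) {
  const base = pkgName.startsWith('@') ? pkgName.split('/')[1] : pkgName;
  return `${base}-${version}.tgz`;
}

// Returns a cleaned deep copy of the metadata plus the tarball file name that
// still has to be deleted from the storage backend (local folder or S3 key).
function removeVersion(metadata, version) {
  const meta = JSON.parse(JSON.stringify(metadata));
  if (!meta.versions || !(version in meta.versions)) {
    throw new Error(`version ${version} not present in metadata`);
  }
  const tarball = tarballName(meta.name, version);
  delete meta.versions[version];
  if (meta.time) delete meta.time[version];
  for (const section of ['_attachments', '_distfiles']) {
    if (meta[section]) delete meta[section][tarball];
  }
  // Drop every dist-tag that still points at the removed version, so that
  // no tag resolves to a tarball that no longer exists.
  for (const [tag, v] of Object.entries(meta['dist-tags'] || {})) {
    if (v === version) delete meta['dist-tags'][tag];
  }
  return { metadata: meta, tarball };
}

// Constructed sample metadata for the package name used in the issue.
const sample = {
  name: '@test/my-pack',
  versions: { '0.9.0': {}, '1.0.0-beta': {} },
  time: { '0.9.0': '2019-08-01T00:00:00.000Z', '1.0.0-beta': '2019-08-10T00:00:00.000Z' },
  'dist-tags': { latest: '0.9.0', beta: '1.0.0-beta' },
  _attachments: { 'my-pack-0.9.0.tgz': {}, 'my-pack-1.0.0-beta.tgz': {} },
  _distfiles: {},
};

const result = removeVersion(sample, '1.0.0-beta');
console.log(JSON.stringify(result.metadata, null, 2));
console.log('also delete from storage:', result.tarball);
```

Write the returned metadata back only while the registry is stopped or after a restart, since the recovery steps in the issue include restarting the server.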
Hi @juanpicado, I left a feedback yesterday about this: https://github.com/verdaccio/monorepo/pull/289#issuecomment-569282128
There’s still the problem with `publish -f` but it cannot be fixed (as @favoyang explained), by the way the 404 error on unpublish is gone!
Thank you! 😊
We will check next week, sorry guys I am super busy these days.
@liarco looks the same.
First of all, thank you very much for your time. I really appreciate your help with this issue.
Later today I’m gonna send you feedback about what you asked plus some updates that I got after further testing.
Absolutely! The files are exactly the ones that I shared above, but I’m gonna create a demo repo in a matter of minutes. Thank you.
In the mean while I tested one more time to be sure and it’s still the same:
My console:
Container logs: