Skip to content

fix: fall back to package-root metadata when dist.signatures is missing on the version endpoint#870

Open
DanielC000 wants to merge 1 commit into
nodejs:mainfrom
DanielC000:fix/signature-fallback-808
Open

fix: fall back to package-root metadata when dist.signatures is missing on the version endpoint#870
DanielC000 wants to merge 1 commit into
nodejs:mainfrom
DanielC000:fix/signature-fallback-808

Conversation

@DanielC000

Copy link
Copy Markdown

Closes #808.

Some registry proxies (e.g. JFrog Artifactory) keep dist.signatures on the package-root endpoint but strip it from the per-version one. verifySignature() only checks the per-version response, so Corepack throws No compatible signature found in package metadata and installs fail through those proxies — this is currently breaking Dependabot when it runs through Artifactory.

This makes verifySignature() fall back to the package-root metadata (versions[version].dist.signatures) before giving up. If the signature really is missing from both endpoints, it still fails exactly as before — so verification isn't weakened, Corepack just looks in one more place for a signature that does exist upstream.

The issue also floated degrading a missing signature to a warning (like npm audit signatures). I skipped that on purpose — it would loosen verification for every registry, not just the proxy case here.

Testing: added 3 tests (normal path unchanged, fallback fires, both-missing still throws); typecheck, lint, build, and the test suite all pass. (A couple of unrelated Windows-only test failures are pre-existing — they reproduce on main without this change.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

verifySignature fails when registry returns dist.signatures on package root but not on version endpoint

1 participant