fix: fall back to package-root metadata when dist.signatures is missing on the version endpoint#870
Open
DanielC000 wants to merge 1 commit into
Open
Conversation
…ng on the version endpoint
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #808.
Some registry proxies (e.g. JFrog Artifactory) keep
dist.signatureson the package-root endpoint but strip it from the per-version one.verifySignature()only checks the per-version response, so Corepack throwsNo compatible signature found in package metadataand installs fail through those proxies — this is currently breaking Dependabot when it runs through Artifactory.This makes
verifySignature()fall back to the package-root metadata (versions[version].dist.signatures) before giving up. If the signature really is missing from both endpoints, it still fails exactly as before — so verification isn't weakened, Corepack just looks in one more place for a signature that does exist upstream.The issue also floated degrading a missing signature to a warning (like
npm audit signatures). I skipped that on purpose — it would loosen verification for every registry, not just the proxy case here.Testing: added 3 tests (normal path unchanged, fallback fires, both-missing still throws);
typecheck,lint,build, and the test suite all pass. (A couple of unrelated Windows-only test failures are pre-existing — they reproduce onmainwithout this change.)