This repository has been archived by the owner on Jul 3, 2019. It is now read-only.
performance instrumentation #40
Labels
Comments
strugee
pushed a commit
to strugee/pacote
that referenced
this issue
Mar 9, 2021
There are a few places in npm where we treat the default registry url https://registry.npmjs.org as a "Magic String", which always indicates that the configured registry should be used. This is important, because it means that lockfiles which are generated while talking to one registry do not result in fetching from a different registry to install their packages. It also means that proxies which do not rewrite the dist.tarball URLs will still effectively proxy, which is often required in bastion-type networking setups. NB: the *inverse* (ie, saving requests to alternative registries in lockfiles and package.json files as https://registry.npmjs.org URLs) is *not* done, as it could result in leaking the package names of private code via requests to the main registry. The missing piece in pacote was that it was not rewriting these urls in the Remote fetcher, resulting in downloading packages from the public registry even when a different registry is in use. In hindsight, it of course would have been better to use a string like `${REGISTRY}` in package-lock.json files and elsewhere. But that isn't what happened, and moving to that will require that we still continue to support the existing status quo for quite some time. PR-URL: npm/pacote#40 Credit: @isaacs Close: zkat#40 Reviewed-by: @ruyadorno
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add various bits of noteworthy performance analytics to be collected on the fly, and log them out as things complete.
Some ideas:
finalize-manifesttarball extractionshttp://npm.im/request-capture-har might be of use for the network part of this
The text was updated successfully, but these errors were encountered: