Corepack does not work with COREPACK_NPM_REGISTRY that does not return signatures (Artifactory) #725

@dhardtke

Related to #537 and #570

Corepack does not work with our registry as it does not return the field dist.signatures.
Here's a comparison of https://registry.npmjs.org/pnpm/10.12.4 and <our-artifactory-host>/artifactory/api/npm/default-npm-3rdparty/pnpm/10.12.4

npmjs:

"dist": {
    "shasum": "88a0ccfe72d6345dede50dc9d6158400be2420eb",
    "tarball": "https://registry.npmjs.org/pnpm/-/pnpm-10.12.4.tgz",
    "fileCount": 1111,
    "integrity": "sha512-Xqiw3u2U7WhpHJutTJVUknBcXuuKh++GvGLHSiawN7CP+VcPEIsuTb0d0akYb+qSXlJ/FBxkjoWvRWMQdGgBhA==",
    "signatures": [
      {
        "sig": "MEUCIHgFNYCynawsQj2TFih8MSo5NU8irHoWSjYIWoFdjXsUAiEArLjxP+kP0pDgYCk1HfGfrLjxph157UO/0WcQTCDmxTM=",
        "keyid": "SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"
      }
    ],
    "unpackedSize": 17665923
  },

artifactory:

"dist" : {
    "tarball" : "<our-artifactory-host>/artifactory/api/npm/default-npm-3rdparty/pnpm/-/pnpm-10.12.4.tgz",
    "shasum" : "88a0ccfe72d6345dede50dc9d6158400be2420eb",
    "integrity" : "sha512-Xqiw3u2U7WhpHJutTJVUknBcXuuKh++GvGLHSiawN7CP+VcPEIsuTb0d0akYb+qSXlJ/FBxkjoWvRWMQdGgBhA=="
  },

Interestingly, <our-artifactory-host>/artifactory/api/npm/default-npm-3rdparty/pnpm/ returns the dist field just like npmjs, including signatures.

So maybe it is feasible to fetch the whole JSON for all versions as a fallback?
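The fallback suggested above, sketched as an added example that is not part of the original issue and is not Corepack's code. npm registry signatures cover the string `<name>@<version>:<integrity>`, so signatures taken from the all-versions document are only usable if that document agrees with the per-version document on `dist.integrity`. The function name, package name and all sample values are constructed for illustration.

```javascript
// Added example with hypothetical helper names; all sample values are constructed.

// npm registry signatures are computed over "<name>@<version>:<integrity>".
function signedMessage(name, version, integrity) {
  return `${name}@${version}:${integrity}`;
}

// versionDoc: body of <registry>/<name>/<version>
// packument:  body of <registry>/<name> (all versions), used only as a fallback
function resolveSignatures(name, version, versionDoc, packument) {
  const dist = versionDoc && versionDoc.dist;
  if (!dist || typeof dist.integrity !== 'string') {
    return { ok: false, reason: 'version document has no dist.integrity' };
  }
  const message = signedMessage(name, version, dist.integrity);
  if (Array.isArray(dist.signatures) && dist.signatures.length > 0) {
    return { ok: true, source: 'version', message, signatures: dist.signatures };
  }
  // Fallback: the per-version document lacks signatures, look in the packument.
  const versions = packument && packument.versions;
  const hasVersion = versions && Object.prototype.hasOwnProperty.call(versions, version);
  const altDist = hasVersion ? versions[version].dist : undefined;
  if (!altDist || !Array.isArray(altDist.signatures) || altDist.signatures.length === 0) {
    return { ok: false, reason: 'no signatures in either document' };
  }
  // The signature binds to the integrity value, so both documents must agree
  // on it; otherwise the signature belongs to a different tarball.
  if (altDist.integrity !== dist.integrity) {
    return { ok: false, reason: 'integrity mismatch between documents' };
  }
  return { ok: true, source: 'packument', message, signatures: altDist.signatures };
}

// Constructed sample data mirroring the two response shapes shown in the issue.
const SIG = [{ keyid: 'SHA256:constructed-key-id', sig: 'constructed-signature' }];
const stripped = { dist: { integrity: 'sha512-constructedA', shasum: 'constructed' } };
const full = { versions: { '1.0.0': { dist: { integrity: 'sha512-constructedA', signatures: SIG } } } };
const mismatched = { versions: { '1.0.0': { dist: { integrity: 'sha512-constructedB', signatures: SIG } } } };

console.log(resolveSignatures('demo-pkg', '1.0.0', stripped, full));
console.log(resolveSignatures('demo-pkg', '1.0.0', stripped, mismatched));
```

The returned `message` and `signatures` still have to be verified against the registry's public signing keys; this sketch only decides which document the signatures may be taken from.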
