Update the NPM instance endpoint to find the correct package
What does this MR do and why?
This MR fixes the bug reported in #273427.
Overview of the Problem
When installing an NPM package using the instance endpoint, if the package exists in multiple projects, the metadata endpoint returns the packages from only one project. If the version passed to the npm CLI is not among the returned versions, the npm CLI returns "No matching version found".
Overview of the Solution
The MR changes how we're finding the list of packages:
- this was lifted from !108899 (closed), with some corrections and additional spec coverage
- in the current code, the result is always scoped to a single project, even if the request was at the instance scope
- in this MR we call `PackageFinder` with the namespace, if the endpoint was called with a namespace
The changes are hidden behind a feature flag because NPM is the most widely used package format for the Package Registry. This way, if we encounter issues in production, we can easily revert by turning off the feature flag.
- Adds a spec context that sets up the conditions reported in the issue:
  - there exists another project that hosts another package with the same name, but a different version
Screenshots or screen recordings
Error response when installing `@mygroup/foo@1.0.0` with the feature flag disabled:
rad@mjolnirv3 ~/p/t/foo [1]> npm i @mygroup/foo@1.0.0
npm ERR! code ETARGET
npm ERR! notarget No matching version found for @mygroup/foo@1.0.0.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/rad/.npm/_logs/2023-02-16T08_58_55_863Z-debug-0.log
How to set up and validate locally
- Setup
  - create a group named `mygroup`
  - create a project named `project1` under `mygroup` with public visibility
  - create a project named `project2` under `mygroup` with public visibility
  - publish an npm package named `@mygroup/foo` version 1.0.0 under `project1`
  - publish an npm package named `@mygroup/foo` version 2.0.0 under `project2`
  - create a personal access token
  - add the instance endpoint with the personal access token to `.npmrc`
- With the `:npm_allow_packages_in_multiple_projects` feature flag disabled:
  - `npm i @mygroup/foo@2.0.0` installs successfully
  - `npm i @mygroup/foo@1.0.0` fails with a "No matching version found" response
- With the `:npm_allow_packages_in_multiple_projects` feature flag enabled:
  - `npm i @mygroup/foo@2.0.0` installs successfully
  - `npm i @mygroup/foo@1.0.0` installs successfully
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #273427
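The failure and the fix described above can be modelled in a few lines. This is an added illustration, not GitLab's code or part of the MR: `Package`, `PACKAGES`, the lookup functions and `npm_install` are hypothetical names, and both the rule for picking the single project and deriving the namespace from the package scope are assumptions chosen to match the validation steps.

```ruby
# Added illustration; hypothetical stand-ins, not GitLab's implementation.
Package = Struct.new(:project, :namespace, :name, :version)

# Constructed sample data mirroring the local validation setup.
PACKAGES = [
  Package.new('project1', 'mygroup', '@mygroup/foo', '1.0.0'),
  Package.new('project2', 'mygroup', '@mygroup/foo', '2.0.0')
].freeze

# Flag disabled: the name resolves to a single project and only that
# project's versions are listed. Picking the last published package's
# project is an assumption that reproduces the observed result.
def versions_single_project(name)
  project = PACKAGES.select { |p| p.name == name }.last&.project
  PACKAGES.select { |p| p.name == name && p.project == project }.map(&:version)
end

# Flag enabled: when the request carries a namespace (here taken from the
# package scope, an assumption), every project in it contributes versions.
def versions_in_namespace(name)
  namespace = name[/\A@([^\/]+)\//, 1]
  return versions_single_project(name) unless namespace

  PACKAGES.select { |p| p.name == name && p.namespace == namespace }.map(&:version)
end

def metadata_versions(name, flag_enabled:)
  flag_enabled ? versions_in_namespace(name) : versions_single_project(name)
end

# The npm CLI can only install a version that the metadata lists.
def npm_install(name, version, flag_enabled:)
  listed = metadata_versions(name, flag_enabled: flag_enabled)
  listed.include?(version) ? :installed : :ETARGET
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |flag|
    %w[1.0.0 2.0.0].each do |v|
      puts "flag=#{flag} @mygroup/foo@#{v} -> #{npm_install('@mygroup/foo', v, flag_enabled: flag)}"
    end
  end
end
```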