Rescue TarInvalidError when uploading npm packages
Context
When uploading an NPM package, we fetch its tarball archive and extract the package.json file. We then perform some validations based on the info we extract from the package.json file.
However, for some packages, we can end up with a Gem::Package::TarInvalidError (tar is corrupt, name contains null byte) while trying to find the package.json file in the tarball.
It seems that some files have invalid characters in their names, and the error is raised when calling the #full_name method on each entry in the tarball.
What does this MR do and why?
When Gem::Package::TarReader::Entry#full_name raises Gem::Package::TarInvalidError, we can try to get the entry's path using the entry.header.name method instead.
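The fallback described above, as an added Ruby example rather than the MR's own code: entry_path, entry_paths, read_package_json, raw_entry and the sample tarball are names and data constructed here for illustration. The fallback value is only the header's name field, without the prefix and still containing the null byte, so it suits matching package/package.json but not use as a filesystem path.

```ruby
require 'rubygems/package'
require 'json'
require 'stringio'

# Path of a tar entry. Falls back to the raw header name field when
# #full_name rejects the entry because its name contains a null byte.
def entry_path(entry)
  entry.full_name
rescue Gem::Package::TarInvalidError
  entry.header.name
end

# Every entry path in the archive, in order.
def entry_paths(io)
  Gem::Package::TarReader.new(io).map { |entry| entry_path(entry) }
end

# Parsed package/package.json, or nil when the archive has none.
def read_package_json(io)
  Gem::Package::TarReader.new(io).each do |entry|
    return JSON.parse(entry.read) if entry_path(entry) == 'package/package.json'
  end
  nil
end

# Constructed sample: one ustar entry (512-byte header + padded body),
# hand-built so the name field can carry an embedded null byte.
def raw_entry(name, prefix, body)
  fields = [name, '0000644', '0000000', '0000000', format('%011o', body.bytesize),
            '00000000000', ' ' * 8, '0', '', 'ustar', '00', '', '', '', '', prefix, '']
  header = fields.pack('a100a8a8a8a12a12a8aa100a6a2a32a32a8a8a155a12')
  # The checksum is the byte sum of the header with the checksum field as spaces.
  header[148, 8] = format("%06o\0 ", header.bytes.sum)
  header + body.ljust((body.bytesize + 511) / 512 * 512, "\0")
end

# Constructed tarball: a corrupt entry ahead of the real package.json.
SAMPLE_TARBALL = (
  raw_entry("bad\0name.js", 'package', '// junk') +
  raw_entry('package.json', 'package', '{"name":"demo","version":"1.0.0"}') +
  "\0" * 1024
).freeze
```

Without the rescue in entry_path, iteration stops at the first entry and package.json is never reached.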
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
N/A
How to set up and validate locally
- Download this package to test with.
- Have a project and a PAT ready.
- Configure npm to upload the tarball of the package to your local project:
    npm config set registry http://gdk.test:3000/api/v4/projects/<project_id>/packages/npm/
    npm config set "//gdk.test:3000/api/v4/projects/<project_id>/packages/npm/:_authToken=<PAT>"
- In the same directory where the downloaded tarball exists, run:
    npm publish node-20.14.11.tgz
- In the rails console, verify that the package was uploaded successfully with status: 'default':
    Packages::Package.npm.last
- Repeat the same on master. The package will be published, but in an erroneous status with this error message:
    Unexpected error: Gem::Package::TarInvalidError
- You might need to delete the npm configuration change we made for testing purposes:
    npm config delete registry
Related to #474875 (closed)