Rescue TarInvalidError when uploading npm packages
Context
When uploading an NPM package, we fetch its tarball archive and extract the package.json file. We then perform some validations based on the info we extract from package.json file.
However, for some packages, we can end up having an error Gem::Package::TarInvalidError (tar is corrupt, name contains null byte) while trying to find the package.json file in the tarball.
It seems that some files have invalid characters in their names, and the error is raised when calling #full_name method on each entry in the tarball.
What does this MR do and why?
When Gem::Package::TarReader::Entry#full_name raises Gem::Package::TarInvalidError, we can try to get the entry's path using entry.header.name method.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
N/A
How to set up and validate locally
- Download this package to test with.
- Have a project and a PAT ready.
- Configure npm to upload the tarball of the package to your local project:
    npm config set registry http://gdk.test:3000/api/v4/projects/<project_id>/packages/npm/
    npm config set "//gdk.test:3000/api/v4/projects/<project_id>/packages/npm/:_authToken=<PAT>"
- In the same directory where the downloaded tarball exists, run
    npm publish node-20.14.11.tgz
- In rails console, verify that the package was uploaded successfully with status: 'default'.
    Packages::Package.npm.last
- Repeat the same on master, the package will be published but in erroneous status with this error message: Unexpected error: Gem::Package::TarInvalidError
- You might need to delete the npm configuration change we did for the testing purposes:
    npm config delete registry
Related to #474875 (closed)
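
The fallback described under "What does this MR do and why?", as an added example that is not the MR's own code. The helper names (tar_record, sample_tarball, entry_path, find_package_json), the package.json path pattern and the in-memory archive are constructed for illustration; the bad entry assumes that a NUL inside the name field combined with a non-empty prefix is what makes #full_name raise.

```ruby
require "rubygems/package"
require "stringio"

# One tar record (512-byte header + zero-padded data). Constructed test data.
def tar_record(name:, prefix:, data:)
  header = Gem::Package::TarHeader.new(name: name, prefix: prefix,
                                       mode: 0o644, size: data.bytesize)
  header.to_s + data + ("\0" * ((512 - data.bytesize) % 512))
end

PACKAGE_JSON = '{"name":"demo","version":"1.0.0"}' # constructed sample content

# Constructed archive: entry 1 has a NUL inside its name field plus a
# non-empty prefix (assumed trigger for TarInvalidError in #full_name);
# entry 2 is an ordinary package.json that comes after it.
def sample_tarball
  bad  = tar_record(name: "index\0.d.ts", prefix: "package/lib", data: "x")
  good = tar_record(name: "package/package.json", prefix: "", data: PACKAGE_JSON)
  StringIO.new((bad + good + ("\0" * 1024)).b)
end

# Fallback from the MR description: if #full_name rejects the entry,
# use the raw name field from the header instead of aborting the scan.
def entry_path(entry)
  entry.full_name
rescue Gem::Package::TarInvalidError
  entry.header.name
end

# Walk every entry and return the contents of <top-level dir>/package.json.
# Anchored with \A and \z so a name carrying extra bytes cannot match.
def find_package_json(io)
  Gem::Package::TarReader.new(io).each do |entry|
    return entry.read if entry_path(entry).match?(%r{\A[^/]+/package\.json\z})
  end
  nil
end

puts find_package_json(sample_tarball)
```

entry.header.name omits the prefix field and can still contain the NUL byte, so the value is suitable for matching against an expected name but not for building a filesystem path.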