
NPM / Yarn support moves public packages to private registry #1506

Closed
gustavkj opened this issue Nov 6, 2019 · 4 comments
Labels
T: bug 🐞 Something isn't working

Comments

@gustavkj

gustavkj commented Nov 6, 2019

In our project we have an .npmrc file that looks like this:

registry = https://registry.npmjs.org/

# Private scopes
@scope1:registry = https://artifacts.companyname.com/artifactory/api/npm/npm-virtual/
@scope2:registry = https://artifacts.companyname.com/artifactory/api/npm/npm-virtual/
@scope3:registry = https://artifacts.companyname.com/artifactory/api/npm/npm-virtual/

//artifacts.companyname.com/artifactory/api/npm/npm-virtual/:email=${ARTIFACTORY_EMAIL}
//artifacts.companyname.com/artifactory/api/npm/npm-virtual/:always-auth=true
//artifacts.companyname.com/artifactory/api/npm/npm-virtual/:_auth=${ARTIFACTORY_AUTH}

Before, we fetched all packages through Artifactory as a proxy, but in order to get the most out of Dependabot we moved to this setup, since this way all public packages are listed as public and will therefore get rich PRs with changelogs etc., unlike those that update private packages.

The PRs we get now look good, but they move our packages from registry.npmjs.org to artifacts.companyname.com. My guess is that the problem stems from first_registry_with_dependency_details, which will start by looking at the private registry, and since my company has a proxy setup it will always get a hit from there.

def first_registry_with_dependency_details
  @first_registry_with_dependency_details ||=
    known_registries.find do |details|
      response = Excon.get(
        "https://#{details['registry'].gsub(%r{/+$}, '')}/"\
        "#{escaped_dependency_name}",
        headers: auth_header_for(details["token"]),
        idempotent: true,
        **SharedHelpers.excon_defaults
      )
      response.status < 400 && JSON.parse(response.body)
    rescue Excon::Error::Timeout,
           Excon::Error::Socket,
           JSON::ParserError
      nil
    end&.fetch("registry")
  @first_registry_with_dependency_details ||= global_registry
end

def known_registries
  @known_registries ||=
    begin
      registries = []
      registries += credentials.
                    select { |cred| cred["type"] == "npm_registry" }.
                    tap { |arr| arr.each { |c| c["token"] ||= nil } }
      registries += npmrc_registries
      registries += yarnrc_registries
      unique_registries(registries)
    end
end

I would prefer that either:

  1. it looks at the scopes specified in the .npmrc file and goes by that, or
  2. tries to update from the current registry for the particular package.

Any thoughts?

Side note: Our setup is based on the dependabot-script generic-update-script.

Also, I feel this is semi-related to: #1396

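An added example (not Dependabot's code, nor the reporter's) that contrasts the two strategies described in the report above: a "first registry that returns metadata" search, which a proxying virtual repository always wins, and the scope-aware resolution the reporter proposes in option 1, which reads the `@scope:registry` keys from `.npmrc` and falls back to the `registry` key. The `.npmrc` text, the registry order and the `RESPONDERS` table standing in for HTTP results are constructed for the example; `parse_npmrc`, `scoped_registry` and `first_hit_registry` are hypothetical names, not Dependabot API.

```ruby
# Constructed .npmrc modelled on the one in the report (not the real file).
NPMRC = <<~NPMRC
  registry = https://registry.npmjs.org/

  # Private scopes
  @scope1:registry = https://artifacts.companyname.com/artifactory/api/npm/npm-virtual/
  @scope2:registry = https://artifacts.companyname.com/artifactory/api/npm/npm-virtual/

  //artifacts.companyname.com/artifactory/api/npm/npm-virtual/:always-auth=true
  //artifacts.companyname.com/artifactory/api/npm/npm-virtual/:_auth=${ARTIFACTORY_AUTH}
NPMRC

# Strip trailing slashes the same way the code in the report does.
def normalize_registry(url)
  url.sub(%r{/+\z}, "")
end

# Parse only what registry selection needs: the default `registry` key and
# every `@scope:registry` key. Per-host auth lines (`//host/path/:_auth=...`)
# carry credentials, not registry assignments, so they are skipped.
def parse_npmrc(text)
  config = { default: nil, scopes: {} }
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#", ";")

    key, value = line.split("=", 2).map(&:strip)
    next if value.nil? || value.empty?

    if key == "registry"
      config[:default] = value
    elsif (m = key.match(/\A(@[^:]+):registry\z/))
      config[:scopes][m[1]] = value
    end
  end
  config
end

# Option 1 from the report: pick the registry by the package's scope, and
# only fall back to the global default for unscoped or unknown-scope names.
def scoped_registry(config, dependency_name)
  scope = dependency_name.start_with?("@") ? dependency_name.split("/", 2).first : nil
  url = (scope && config[:scopes][scope]) || config[:default]
  normalize_registry(url)
end

PRIVATE_REGISTRY = "https://artifacts.companyname.com/artifactory/api/npm/npm-virtual"
PUBLIC_REGISTRY  = "https://registry.npmjs.org"

# Constructed stand-in for `GET <registry>/<package>` results. A virtual repo
# that proxies npmjs answers for every public package, so it always "hits".
RESPONDERS = {
  PRIVATE_REGISTRY => ->(_name) { true },
  PUBLIC_REGISTRY  => ->(name) { !name.start_with?("@scope") }
}.freeze

# The behaviour the report describes: take the first registry, in the order
# known_registries yields them, that returns metadata for the package.
def first_hit_registry(registries, dependency_name, responders = RESPONDERS)
  registries.find do |registry|
    responders.fetch(normalize_registry(registry), ->(_n) { false }).call(dependency_name)
  end
end

# Assumed ordering: credentials-derived (private) registries come first, as
# in known_registries above.
KNOWN_REGISTRIES = [PRIVATE_REGISTRY, PUBLIC_REGISTRY].freeze

if __FILE__ == $PROGRAM_NAME
  config = parse_npmrc(NPMRC)
  %w[lodash @scope1/widget @other/lib].each do |name|
    puts format("%-16s first-hit: %-60s scoped: %s", name,
                first_hit_registry(KNOWN_REGISTRIES, name),
                scoped_registry(config, name))
  end
end
```

For the unscoped `lodash`, the first-hit search returns the Artifactory URL because the proxy answers for it, which is exactly the registry swap the report describes; the scoped lookup returns registry.npmjs.org, and `@scope1/widget` resolves to Artifactory under both strategies.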
@rebelagentm
Contributor

@feelepxyz I'll let you comment here, as you're more familiar with the NPM/Yarn support.

@stale

stale bot commented Jan 5, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

@stale stale bot added the stale label Jan 5, 2020
@feelepxyz feelepxyz added T: bug 🐞 Something isn't working and removed stale labels Jan 6, 2020
@stale

stale bot commented Mar 6, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

@stale stale bot added the stale label Mar 6, 2020
@feelepxyz feelepxyz removed the stale label Mar 6, 2020
@infin8x
Contributor

infin8x commented Jul 20, 2020

Closing this due to age and low demand. If this scenario is critical to your workflow please feel free to comment.
