Custom registry with path component causes path duplication in attestation URL #450

@ajayk

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When using a custom npm registry that includes a path component (e.g. https://example.com/javascript), the attestation verification URL incorrectly duplicates the path.

For example, with registry https://example.com/javascript, the constructed attestation URL becomes:

https://example.com/javascript/javascript/-/npm/v1/attestations/pkg@1.0.0

Expected Behavior

The attestation URL should be:

https://example.com/javascript/-/npm/v1/attestations/pkg@1.0.0

Steps To Reproduce

  1. Configure npm to use a custom registry with a path component:
    npm config set registry https://example.com/javascript
  2. Install a package that has attestations (e.g. a package published to the custom registry with sigstore attestations)
  3. Run:
    npm audit signatures
  4. Observe that the attestation fetch fails because the request URL has the path duplicated:
    Expected: https://example.com/javascript/-/npm/v1/attestations/pkg@1.0.0
    Actual: https://example.com/javascript/javascript/-/npm/v1/attestations/pkg@1.0.0

Note: This only affects registries with a path component in the URL. The default registry (https://registry.npmjs.org) is not affected since it has no path beyond /.

Environment

  • npm:
  • Node:
  • OS:
  • platform:
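The following is an added illustration, not code from npm or from the issue reporter: a hypothetical JavaScript reconstruction of the symptom, in which the registry's own pathname is prepended to the attestation route and the result is then resolved as a relative reference against the registry base, so a registry with a path component contributes that path twice. The function names, the trailing-slash normalisation, the scoped-name encoding and the check helper are all assumptions for the example; npm's real implementation may build the URL differently.

```javascript
// Added example (hypothetical; not npm's code). Shows how a registry URL with
// a path component can end up duplicated in the attestation URL, the correct
// construction beside it, and a check that flags the duplicated form.

const ATTESTATION_ROUTE = '-/npm/v1/attestations';

// Assumption: the registry is normalised to end in '/', so that relative
// references resolve *under* the registry path rather than beside it.
function normalizeRegistry(registry) {
  const url = new URL(registry);
  if (!url.pathname.endsWith('/')) url.pathname += '/';
  return url;
}

// Assumption: scoped names keep the leading '@' and encode the '/' so the
// package spec occupies a single path segment, e.g. '@scope%2Fpkg@1.0.0'.
function attestationSpec(name, version) {
  return `${name.replace('/', '%2F')}@${version}`;
}

// Buggy construction: prefix the route with the registry pathname, then
// resolve it relative to the registry base. With base
// https://example.com/javascript/ the base supplies '/javascript/' and the
// relative part supplies 'javascript/...' again. The default registry has no
// path beyond '/', so the prefix is empty and the result is correct there.
function buggyAttestationUrl(registry, name, version) {
  const base = normalizeRegistry(registry);
  const prefix = base.pathname.replace(/^\/+|\/+$/g, ''); // 'javascript' or ''
  const relative = [prefix, ATTESTATION_ROUTE, attestationSpec(name, version)]
    .filter(Boolean)
    .join('/');
  return new URL(relative, base).href;
}

// Correct construction: resolve only the route against the normalised base;
// the base URL already carries the registry path component.
function attestationUrl(registry, name, version) {
  const base = normalizeRegistry(registry);
  const relative = `${ATTESTATION_ROUTE}/${attestationSpec(name, version)}`;
  return new URL(relative, base).href;
}

// Sanity check a practitioner can run against any constructed URL: it must
// start with the normalised registry and continue directly with the route.
function verifyAttestationUrl(url, registry) {
  const base = normalizeRegistry(registry).href;
  return url.startsWith(base) &&
    url.slice(base.length).startsWith(`${ATTESTATION_ROUTE}/`);
}

// Stand-alone demonstration with the registry from the report.
const registry = 'https://example.com/javascript';
console.log('buggy  :', buggyAttestationUrl(registry, 'pkg', '1.0.0'));
console.log('correct:', attestationUrl(registry, 'pkg', '1.0.0'));
console.log('default:', buggyAttestationUrl('https://registry.npmjs.org', 'pkg', '1.0.0'));
```

Running it prints the duplicated `https://example.com/javascript/javascript/-/npm/v1/attestations/pkg@1.0.0` from the buggy path, the expected `https://example.com/javascript/-/npm/v1/attestations/pkg@1.0.0` from the correct one, and an unaffected `https://registry.npmjs.org/-/npm/v1/attestations/pkg@1.0.0` for the default registry, matching the report's observation that only registries with a path component are affected.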

Metadata

Labels

Bug (thing that needs fixing), Needs Triage (needs an initial review)