http repository dependency in package-lock.json

I noticed that when installing packages on Ubuntu, the generated package-lock.json contains a minority of dependency packages pointing to http://registry.npmjs.org rather than to https://registry.npmjs.org, while the majority of them point to https://registry.npmjs.org.

Should I be concerned over those pointing to http rather than https? Should I manually change them to https?

Stanley asked Sep 01 '18 04:09


1 Answer

For a while, the NPM registry itself had a bug where the tarball reference for various packages included http references rather than https. Once in your cache, these versions will continue to be listed with http sources.

Within a given project / repository running the following resolved the issue for me:

 npm cache clean --force
 rm -rf node_modules/
 git checkout package-lock.json   # To undo any https -> http lines if required
 npm install
odlp answered Oct 11 '22 02:10
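The question asks whether the http entries matter and the answer explains they are a stale-cache artifact; the script below is an added example (not code from the question or the answer) that audits a package-lock.json for tarball URLs that still use plain http://registry.npmjs.org and, if wanted, produces a copy with those URLs upgraded to https. It understands both lockfile layouts, the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of lockfileVersion 2/3. The sample lockfile, its package names (pkg-a, pkg-b, pkg-c) and the integrity strings are constructed for the example. The `hasIntegrity` flag is this example's own design choice: a plain-http download is exposed to tampering in transit, but npm still checks the tarball against the lockfile's `integrity` hash when one is recorded, so an http entry with no integrity field is the one to treat as urgent.

```javascript
// Added example: audit a package-lock.json for plain-http registry tarball URLs.
// Not code from the original question or answer. SAMPLE_LOCK is constructed data.
const HTTP_REGISTRY = /^http:\/\/registry\.npmjs\.org\//;

// Constructed lockfile (lockfileVersion 1 layout): one clean entry, one http entry
// with an integrity hash, and a nested http entry with no integrity hash at all.
const SAMPLE_LOCK = {
  name: 'demo-app', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    'pkg-a': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/pkg-a/-/pkg-a-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED-EXAMPLE-HASH',
    },
    'pkg-b': {
      version: '2.0.0',
      resolved: 'http://registry.npmjs.org/pkg-b/-/pkg-b-2.0.0.tgz',
      integrity: 'sha1-CONSTRUCTED-EXAMPLE-HASH',
      dependencies: {
        'pkg-c': {
          version: '0.1.0',
          resolved: 'http://registry.npmjs.org/pkg-c/-/pkg-c-0.1.0.tgz',
          // no integrity field: npm has nothing to verify the tarball against
        },
      },
    },
  },
};

// Collect every package entry with its node_modules path, covering both layouts:
// v1 nests "dependencies" recursively; v2/v3 list every package flat under "packages"
// (the "" key is the root project itself and is skipped).
function collectEntries(lock) {
  const entries = [];
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path !== '') entries.push({ path, obj: pkg });
    }
  }
  function walkDeps(deps, prefix) {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      entries.push({ path, obj: dep });
      walkDeps(dep.dependencies, `${path}/`);
    }
  }
  walkDeps(lock.dependencies, '');
  return entries;
}

// Report each distinct path whose "resolved" URL is plain http, noting whether an
// integrity hash is present (v2 lockfiles list a package in both layouts, so dedupe).
function findHttpResolved(lock) {
  const seen = new Map();
  for (const { path, obj } of collectEntries(lock)) {
    if (typeof obj.resolved !== 'string' || !HTTP_REGISTRY.test(obj.resolved)) continue;
    if (seen.has(path)) continue;
    seen.set(path, {
      path,
      resolved: obj.resolved,
      hasIntegrity: typeof obj.integrity === 'string' && obj.integrity.length > 0,
    });
  }
  return [...seen.values()];
}

// Return a deep copy with every http registry URL rewritten to https, plus a count
// of rewritten entries. The input object is left untouched.
function upgradeToHttps(lock) {
  const copy = JSON.parse(JSON.stringify(lock));
  let changed = 0;
  for (const { obj } of collectEntries(copy)) {
    if (typeof obj.resolved === 'string' && HTTP_REGISTRY.test(obj.resolved)) {
      obj.resolved = obj.resolved.replace(/^http:/, 'https:');
      changed += 1;
    }
  }
  return { lock: copy, changed };
}

// Usage: `node audit-lock.js package-lock.json` audits a real file; with no argument
// the constructed sample is audited instead.
if (typeof process !== 'undefined' && process.argv[2]) {
  const fs = require('node:fs');
  const real = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
  console.log(JSON.stringify(findHttpResolved(real), null, 2));
} else {
  console.log(JSON.stringify(findHttpResolved(SAMPLE_LOCK), null, 2));
}
```

Rewriting the URLs with `upgradeToHttps` only changes where the next install fetches from; it does not make the cached tarballs any more trustworthy than they already were, which is why the answer's cache-clean-and-reinstall sequence is the real fix and the rewrite is at most a stopgap for a lockfile you cannot regenerate right away.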