I noticed that when installing packages in Ubuntu the generated package-lock.json contains a minority of dependency packages pointing to http://registry.npmjs.org rather than to https://registry.npmjs.org, while the majority of them point to https://registry.npmjs.org.
Should I be concerned about those pointing to http rather than https? Should I manually change them to https?
For a while the NPM registry itself had a bug where the tarball reference for various packages included http references rather than https. Once in your cache, these versions will continue to be listed with http sources.
Within a given project / repository, running the following resolved the issue for me:
npm cache clean --force
rm -rf node_modules/
git checkout package-lock.json   # To undo any https -> http lines if required
npm install