A deployment error: 'peacenotwar@^9.1.6' is not in the npm registry

Hello everyone, I am front-end Xiao He. I hope my learning notes can be of some help to you.

Background

Today a production release from Jenkins failed while installing the project's dependency packages.

    + npm install
    npm ERR! code E404
    npm ERR! 404 Not Found - GET http://verdaccio:4873/peacenotwar - no such package available
    npm ERR! 404
    npm ERR! 404  'peacenotwar@^9.1.6' is not in the npm registry.
    npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
    npm ERR! 404 It was specified as a dependency of 'node-ipc'
    script returned exit code 1

The project architecture

This project is built on Vue CLI.

The package.json file is as follows:

    {
      "scripts": {
        "serve": "vue-cli-service serve",
        "build": "vue-cli-service build"
      },
      "dependencies": {
        "axios": "^0.18.0",
        "cube-ui": "~1.12.15",
        "js-md5": "^0.7.3",
        "moment": "^2.24.0",
        "pdfjs": "^2.3.0",
        "postcss": "^7.0.14",
        "vue": "^2.6.6",
        "vue-amap": "^0.5.10",
        "vue-navigation": "^1.1.4",
        "vue-router": "^3.0.2",
        "vuex": "^3.1.0"
      },
      "devDependencies": {
        "@vue/cli-plugin-babel": "^3.5.0",
        "@vue/cli-plugin-eslint": "^3.5.0",
        "@vue/cli-service": "^3.5.0",
        "@vue/eslint-config-prettier": "^6.0.0",
        "babel-eslint": "^10.0.1",
        "commitizen": "^4.0.3",
        "cz-conventional-changelog": "^3.0.2",
        "eslint": "^5.8.0",
        "eslint-plugin-prettier": "^3.1.2",
        "eslint-plugin-vue": "^5.0.0",
        "node-sass": "^4.11.0",
        "pdfjs-dist": "2.1.266",
        "postcss-px2rem": "^0.3.0",
        "postcss-px2rem-exclude": "^0.0.6",
        "sass-loader": "^7.1.0"
      }
    }

Finding the answer

I first checked whether this was simply a dependency package that could not be found, then went to the node-ipc issues to look for the answer; after a few rounds of searching it finally became clear.

The answer

Vue CLI, the JavaScript scaffolding tool, depends on the node-ipc package, and a maintainer of node-ipc introduced a dependency called peacenotwar into it as a protest (see below). That package writes a with-love-from-America.txt file to the user's desktop directory. Versions 9.2.2, 10.1.1 and 10.1.2 of the compromised node-ipc package either no longer exist in the npmjs registry or have been marked deprecated by the maintainer or the npmjs team. Newer node-ipc releases no longer carry this dependency.

Our project uses Verdaccio to cache downloaded dependencies, and the cached node-ipc version happened to be 9.2.2, the version into which the maintainer RIAEvangelist (Brandon Nozaki Miller) had injected the peacenotwar dependency. peacenotwar itself had never been cached by Verdaccio and could not be served by it, so the install returned a 404 on this release.

For details of the node-ipc package compromise, see the description below.

Story:

On March 8, 2022, npm maintainer RIAEvangelist (Brandon Nozaki Miller) wrote and published an npm package called peacenotwar. The module's own description reads as follows:

This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia’s aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.

Until March 15 the module had hardly been downloaded. Then its maintainer added it as a dependency of node-ipc version 9.2.2, so that it runs whenever the node-ipc package is invoked, and the peacenotwar package writes the with-love-from-America.txt file to the user's desktop directory.

The figure below shows peacenotwar's download numbers; by the end it had reached about 40,000 downloads, which is a lot.

The following is Vue CLI's dependency on the node-ipc package:

    - @vue/cli
      |- @vue/cli-ui
      |  |- node-ipc@^9.2.1
      |- @vue/cli-shared-utils
         |- node-ipc@^9.1.1

The solution

Method 1: If you use npm as the package manager, you can add the following to your package.json file to explicitly allow only the benign versions of node-ipc:

    "overrides": {
      "node-ipc@>9.2.1 <10": "9.2.1",
      "node-ipc@>10.1.0": "10.1.0"
    }

Note that the overrides field is only honoured by npm 8.3 and later; older npm versions (such as the 6.14.15 shown in the npm doctor output further down) silently ignore it, and Yarn uses a resolutions field instead. Check `npm -v` before relying on this method.

Method 2: Upgrade your @vue/cli version to 4.5.16+ or 5.0.3+

  1. Upgrade your global @vue/cli version

    npm i -g @vue/cli

  2. Go to your project root directory and run 'vue upgrade'

Method 3: Check the node-ipc entry in your package-lock.json file. If the node-ipc version it records is not 9.2.2, you can install the dependency packages from that lockfile. My entry is as follows:

    "node-ipc": {
      "version": "9.2.1",
      "resolved": "https://registry.npmmirror.com/node-ipc/-/node-ipc-9.2.1.tgz",
      "integrity": "sha512-mJzaM6O3xHf9VT8BULvJSbdVbmHUKRNOH7zDDkCrA1/T+CVjq2WVIDfLt0azZRXpgArJtl3rtmEozrbXPZ9GaQ==",
      "dev": true,
      "requires": {
        "event-pubsub": "4.3.0",
        "js-message": "1.0.7",
        "js-queue": "2.0.2"
      }
    }

Worried about npm vulnerabilities? Here are some recommended best practices

  • Avoid publishing secrets (API keys, passwords, or other secrets) to the NPM registry

  • Enforce lockfiles (package-lock.json or yarn.lock), and install with `npm ci` rather than `npm install` in CI so that the pinned versions are actually honoured instead of being re-resolved.

  • Do not blindly upgrade to a new version; give new package versions time to circulate before trying them out.

  • Run `npm doctor` to diagnose your environment (for example the different Node.js versions that may be on your PATH) and confirm that npm is working properly. It does a few things for you:

    • Check whether the official npm registry is reachable and display the currently configured registry.

    • Check that Git is available.

    • Show the installed npm and Node.js versions.

    • Run permission checks on various folders (such as local and global node_modules) and on folders used for package caching.

    • Verify the checksums of the local npm module cache.

      Here are the results of my run:

    + npm doctor
    npm notice PING https://registry.npm.taobao.org/
    npm WARN verifyCachedFiles Content garbage-collected: 3343 (415775333 bytes)
    npm WARN verifyCachedFiles Missing content: 1926
    npm WARN verifyCachedFiles Cache issues have been fixed
    Check                               Value                             Recommendation
    npm ping                            OK
    npm -v                              v6.14.15                          Use npm v8.5.5
    node -v                             v12.22.7                          Use node v16.14.2
    npm config get registry             https://registry.npm.taobao.org/  Try `npm config set registry https://registry.npmjs.org/`
    which git                           /usr/local/bin/git
    Perms check on cached files         ok
    Perms check on global node_modules  ok
    Perms check on local node_modules   ok
    Verify cache contents               verified 12871 tarballs

Thoughts

I also hope there is no war, and I also love peace, but that should be expressed in the right way. Please don't bring war issues into the open source world!

Finally

Every like and comment from you is the biggest support for me to keep writing!

I also hope to exchange ideas with you; if anything here is wrong, please point it out and correct me!

References

  • snyk.io/blog/peacen…
  • github.com/RIAEvangeli…
  • github.com/RIAEvangeli…
  • snyk.io/blog/ten-np…