2

When I install the npm package jsonlines, it gets resolved to a mirrored registry registry.npm.taobao.org rather than registry.npmjs.org. It only does this for jsonlines. What causes this?

Here's the diff on my package-lock.json. The original "resolved" value was created when another developer installed the package:

     "jsonlines": {
       "version": "0.1.1",
-      "resolved": "https://registry.npmjs.org/jsonlines/-/jsonlines-0.1.1.tgz",
+      "resolved": "https://registry.npm.taobao.org/jsonlines/download/jsonlines-0.1.1.tgz",
       "integrity": "sha1-T80kbcXQ44aRkHxEqwAveC0dlMw="
     },
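Review bot: the `resolved` line for jsonlines changes the tarball host from registry.npmjs.org to registry.npm.taobao.org while `version` and `integrity` are untouched, so this hunk only repoints where the same tarball is fetched from and should be reverted before commit, keeping the `https://registry.npmjs.org/jsonlines/-/jsonlines-0.1.1.tgz` line. The unchanged `integrity` context line is a sha1 digest, which is the only thing tying the download to known content once the host differs.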

I confirmed my configured registry is npmjs.org:

$ npm config get registry
https://registry.npmjs.org/
Raine Revere

1 Answer

4

The developer's npm registry was likely set to registry.npm.taobao.org when they ran npm install jsonlines. Some users have npm configured to use the taobao registry for geographic proximity.

Deleting node_modules and package-lock.json and re-running npm install fixes it.


Tip: Use lockfile-lint to prevent it from happening again.

  1. npm install --save-dev lockfile-lint
  2. Run lockfile-lint in your lint script, ideally in a pre-push git hook.
  3. Add this config to your package.json:
  "lockfile-lint": {
    "allowed-schemes": [
      "https:"
    ],
    "allowed-hosts": [
      "npm"
    ],
    "empty-hostname": false,
    "type": "npm",
    "path": "package-lock.json"
  },

Raine Revere
  • Thanks for the solution! Found your comment in this [github issue](https://github.com/npm/cli/issues/1431#issuecomment-725583783) as well ^_^ Deleting `node_modules` and `package-lock.json` and re-running `npm install` does fix it for me! – Bruce Sun Nov 25 '21 at 01:26
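
The kind of check the `allowed-schemes` and `allowed-hosts` settings above describe, written out as an added example (not code from the answer and not lockfile-lint's own implementation). It goes beyond the single jsonlines entry by walking both the nested `dependencies` layout and the flat `packages` layout of a lockfile; `ALLOWED_HOSTS`, `SAMPLE_LOCK` and the function names are assumptions made for the illustration.

```javascript
// Added example: report lockfile entries whose "resolved" URL is not https or
// not on an allowed host. All names and SAMPLE_LOCK are constructed here.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);

// Yield [installPath, entry] for lockfileVersion 1 (nested "dependencies")
// and 2/3 (flat "packages", where "" is the root project).
function* lockEntries(lock) {
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path !== '') yield [path, pkg];
  }
  function* walk(deps, prefix) {
    for (const [name, pkg] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield [path, pkg];
      yield* walk(pkg.dependencies, `${path}/`); // nested installs, not "requires"
    }
  }
  yield* walk(lock.dependencies, '');
}

function findOffRegistry(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = new Map(); // keyed by path: v2 files list each entry twice
  for (const [path, pkg] of lockEntries(lock)) {
    // Workspace links and bundled dependencies carry no registry URL.
    if (pkg.link || typeof pkg.resolved !== 'string') continue;
    let reason = null;
    try {
      const url = new URL(pkg.resolved);
      if (url.protocol !== 'https:') reason = `scheme ${url.protocol} not allowed`;
      else if (!allowedHosts.has(url.hostname)) reason = `host ${url.hostname} not allowed`;
    } catch {
      reason = 'unparseable URL';
    }
    if (reason) findings.set(path, { path, resolved: pkg.resolved, reason });
  }
  return [...findings.values()];
}

// Constructed sample: the jsonlines entry uses the URL from the question.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    jsonlines: { version: '0.1.1', resolved: 'https://registry.npm.taobao.org/jsonlines/download/jsonlines-0.1.1.tgz' },
    'example-pkg': { version: '1.0.0', resolved: 'https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz',
      dependencies: { 'example-nested': { version: '2.0.0', resolved: 'http://registry.npmjs.org/example-nested/-/example-nested-2.0.0.tgz' } } },
  },
};
for (const f of findOffRegistry(SAMPLE_LOCK)) console.log(`${f.path}: ${f.reason}`);
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of `package-lock.json` and exit non-zero when the returned list is not empty.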