Describe the bug
Setup / Environment (for quick triage)
| Item | Value |
| --- | --- |
| JFrog CLI | 2.111.0 (also reproduced on 2.109.0) |
| Command | jf ca --working-dirs=<abs-path> --run-native |
| OS | Ubuntu 24.04.4 LTS (Linux 6.17.0-22-generic) |
| Node | 22.14.0 |
| npm | 10.9.2 |
| Project type | npm monorepo with root workspaces |
| Registry | JFrog Artifactory npm virtual repo with Curation enabled |
| Issue observed in curated package | Strapi CMS |
| Strapi package version | 5.48.1 (any v5 version) |
Monorepo workspaces:
"workspaces": [
"containers/frontend",
"containers/backend",
"containers/cms",
"containers/jobs"
]
Error (reproduced)
[🚨Error] failed sending HEAD request to
https:///artifactory/api/npm//codemirror5/-/codemirror5-5.65.21.tgz
for package 'codemirror5:5.65.21'. Status-code: 404
Current behavior
Root cause (from JFrog CLI / build-info-go source)
Phase 1 — Dependency tree (build-info-go)
jf ca runs npm ls --json --all --long --package-lock-only and parses the tree in parseDependencies:
// build-info-go/build/utils/npm.go
npmLsDependency.Name = string(key) // alias KEY, not inner "name"
// → dependency.Id = "codemirror5:5.65.21"
For npm aliases, npm ls returns:
"codemirror5": {
"name": "codemirror",
"version": "5.65.21",
"resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.65.21.tgz"
}
build-info-go uses the object key (codemirror5), not the inner name (codemirror).
Graph node id becomes: npm://codemirror5:5.65.21
DownloadUrls (lockfile resolved → URL map) is populated for Python only, not npm (buildinfobom.go).
Phase 2 — URL construction (jfrog-cli-security)
For each node, npm uses node.Id only:
getNpmNameScopeAndVersion(node.Id, artiUrl, repo, ...)
→ {ARTIFACTORY}/api/npm/{repo}/{name}/-/{name}-{version}.tgz
For npm://codemirror5:5.65.21 → .../codemirror5/-/codemirror5-5.65.21.tgz → 404
This generated URL triggers:
[🚨Error] failed sending HEAD request to
https:///artifactory/api/npm//codemirror5/-/codemirror5-5.65.21.tgz
for package 'codemirror5:5.65.21'. Status-code: 404
Upstream trigger: Strapi v5 @strapi/admin / @strapi/content-manager
Strapi intentionally uses an npm alias so CodeMirror 5 and 6 can coexist:
"codemirror5": "npm:codemirror@^5.65.11"
CodeMirror 6 — @strapi/design-system → @uiw/react-codemirror → codemirror@6.x (JSON fields)
CodeMirror 5 — @strapi/admin, @strapi/content-manager → codemirror5 alias (WYSIWYG / markdown)
Lockfile is correct; jf ca is not
From root package-lock.json:
"node_modules/codemirror5": {
"name": "codemirror",
"version": "5.65.21",
"resolved": "from-private-repo",
"integrity": "sha512-6teYk0bA0nR3QP0ihGMoxuKzpl5W80FpnHpBJpgy66NK3cZv5b/d/HY8PnRvfSsCG1MTfr92u2WUl+wT0E40mQ=="
}
npm ci / npm install succeed. Only jf ca fails.
Reproduction steps
- Monorepo with containers/cms depending on @strapi/strapi@5.47.x or 5.48.x.
- npm install against curated Artifactory registry.
- Configure jf (jf config add + credentials).
- Run
jf ca --working-dirs=/absolute/path/to/containers/cms --run-native
- Observe 404 HEAD on codemirror5-5.65.21.tgz.
Expected behavior
For npm aliases, jf ca should resolve the real registry package when probing Artifactory, e.g.:
Expected HEAD target:
.../codemirror/-/codemirror-5.65.21.tgz
- Read lockfile packages["node_modules/codemirror5"].name → codemirror, or
- Use lockfile resolved URL, or
- Use npm ls inner name field instead of object key when building dependency.Id.
JFrog CLI version
2.111.0
Operating system type and version
Ubuntu 24.04.4 LTS (Linux 6.17.0-22-generic)
JFrog Artifactory version
No response
JFrog Xray version
No response
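A sketch of the third option above, so that the curation probe targets the package that is actually installed rather than its local alias. This is an added example, not code from JFrog CLI or build-info-go: the `lsNode` type, the function names, the host and the repo name are hypothetical, the JSON sample is constructed, and the scoped-package file name assumes Artifactory follows the public npm registry layout.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed `npm ls --json --long` sample: one alias, one scoped package.
const sampleNpmLs = `{"dependencies": {"codemirror5": {"name": "codemirror", "version": "5.65.21"},
  "@strapi/admin": {"name": "@strapi/admin", "version": "5.48.1"}}}`

type lsNode struct {
	Name         string            `json:"name"` // real package name; the map key is only the alias
	Version      string            `json:"version"`
	Dependencies map[string]lsNode `json:"dependencies"`
}

// tarballURL uses the page's URL pattern; scoped file names drop the scope (assumed layout).
func tarballURL(base, repo, name, version string) string {
	return fmt.Sprintf("%s/api/npm/%s/%s/-/%s-%s.tgz", base, repo, name, name[strings.LastIndex(name, "/")+1:], version)
}

// collect maps each node id as reported today (key:version) to the URL that should be probed.
func collect(deps map[string]lsNode, base, repo string, out map[string]string) {
	for key, n := range deps {
		name := n.Name
		if name == "" { // no inner "name" in the output: fall back to the key
			name = key
		}
		if n.Version != "" { // unresolved entries carry no version, nothing to probe
			out[key+":"+n.Version] = tarballURL(base, repo, name, n.Version)
		}
		collect(n.Dependencies, base, repo, out)
	}
}

func probeURLs(lsJSON, base, repo string) (map[string]string, error) {
	var root lsNode
	if err := json.Unmarshal([]byte(lsJSON), &root); err != nil {
		return nil, err
	}
	out := map[string]string{}
	collect(root.Dependencies, base, repo, out)
	return out, nil
}

func main() {
	fmt.Println(probeURLs(sampleNpmLs, "https://artifactory.example/artifactory", "npm-virtual"))
}
```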