
[curation audit] jf ca fails with 404 for npm alias packages (e.g. codemirror5 → codemirror@5.x) #3582

Description

@ashish-antuit

Describe the bug

Setup / Environment (for quick triage)

| Item | Value |
|---|---|
| JFrog CLI | 2.111.0 (also reproduced on 2.109.0) |
| Command | jf ca --working-dirs=<abs-path> --run-native |
| OS | Ubuntu 24.04.4 LTS (Linux 6.17.0-22-generic) |
| Node | 22.14.0 |
| npm | 10.9.2 |
| Project type | npm monorepo with root workspaces |
| Registry | JFrog Artifactory npm virtual repo with Curation enabled |
| Issue observed in curated package | Strapi CMS |
| Strapi package version | 5.48.1 (any v5 version) |

Monorepo workspaces:

"workspaces": [
  "containers/frontend",
  "containers/backend",
  "containers/cms",
  "containers/jobs"
]

Error (reproduced)

[🚨Error] failed sending HEAD request to
https:///artifactory/api/npm//codemirror5/-/codemirror5-5.65.21.tgz
for package 'codemirror5:5.65.21'. Status-code: 404

Current behavior

Root cause (from JFrog CLI / build-info-go source)

Phase 1 — Dependency tree (build-info-go)
jf ca runs npm ls --json --all --long --package-lock-only and parses the tree in parseDependencies:

// build-info-go/build/utils/npm.go
npmLsDependency.Name = string(key) // alias KEY, not inner "name"
// → dependency.Id = "codemirror5:5.65.21"
For npm aliases, npm ls returns:

"codemirror5": {
  "name": "codemirror",
  "version": "5.65.21",
  "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.65.21.tgz"
}

build-info-go uses the object key (codemirror5), not the inner name (codemirror).
Graph node id becomes: npm://codemirror5:5.65.21

DownloadUrls (lockfile resolved → URL map) is populated for Python only, not npm (buildinfobom.go).

Phase 2 — URL construction (jfrog-cli-security)
For each node, npm uses node.Id only:

getNpmNameScopeAndVersion(node.Id, artiUrl, repo, ...)
{ARTIFACTORY}/api/npm/{repo}/{name}/-/{name}-{version}.tgz
For npm://codemirror5:5.65.21 → .../codemirror5/-/codemirror5-5.65.21.tgz → 404

This generated URL triggers:
[🚨Error] failed sending HEAD request to
https:///artifactory/api/npm//codemirror5/-/codemirror5-5.65.21.tgz
for package 'codemirror5:5.65.21'. Status-code: 404

Upstream trigger: Strapi v5 @strapi/admin / @strapi/content-manager
Strapi intentionally uses an npm alias so CodeMirror 5 and 6 can coexist:

"codemirror5": "npm:codemirror@^5.65.11"
CodeMirror 6 — @strapi/design-system → @uiw/react-codemirror → codemirror@6.x (JSON fields)
CodeMirror 5 — @strapi/admin, @strapi/content-manager → codemirror5 alias (WYSIWYG / markdown)

Lockfile is correct; jf ca is not
From root package-lock.json:

"node_modules/codemirror5": {
  "name": "codemirror",
  "version": "5.65.21",
  "resolved": "from-private-repo",
  "integrity": "sha512-6teYk0bA0nR3QP0ihGMoxuKzpl5W80FpnHpBJpgy66NK3cZv5b/d/HY8PnRvfSsCG1MTfr92u2WUl+wT0E40mQ=="
}

npm ci / npm install succeed. Only jf ca fails.

Reproduction steps

  1. Monorepo with containers/cms depending on @strapi/strapi@5.47.x or 5.48.x.
  2. npm install against curated Artifactory registry.
  3. Configure jf (jf config add + credentials).
  4. Run jf ca --working-dirs=/absolute/path/to/containers/cms --run-native
  5. Observe 404 HEAD on codemirror5-5.65.21.tgz.

Expected behavior

For npm aliases, jf ca should resolve the real registry package when probing Artifactory, e.g.:

Expected HEAD target:
.../codemirror/-/codemirror-5.65.21.tgz

Any of the following would produce the correct target:

  1. Read lockfile packages["node_modules/codemirror5"].name → codemirror, or
  2. Use the lockfile resolved URL, or
  3. Use the npm ls inner name field instead of the object key when building dependency.Id.
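The following Go program is an added illustration written for this issue; it is not code from build-info-go or jfrog-cli-security. It parses constructed excerpts of npm ls --json output and of a package-lock.json "packages" map, builds the tarball URL with the {ARTIFACTORY}/api/npm/{repo}/{name}/-/{name}-{version}.tgz template described under Phase 2, and shows the reported behaviour (object key as name) next to options 1 and 3 above (inner name from npm ls, or name from the lockfile). The Artifactory URL and repo name are placeholders. It goes slightly beyond the issue by also handling scoped packages, whose tarball file name drops the scope.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed excerpt of `npm ls --json --all --long --package-lock-only`
// output for the alias from the issue (sample data, not captured CLI output).
const npmLsJSON = `{
  "dependencies": {
    "codemirror5": {"name": "codemirror", "version": "5.65.21",
      "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.65.21.tgz"},
    "@strapi/admin": {"name": "@strapi/admin", "version": "5.48.1"}
  }
}`

// Constructed excerpt of a lockfileVersion 3 package-lock.json "packages" map.
const lockJSON = `{
  "packages": {
    "node_modules/codemirror5": {"name": "codemirror", "version": "5.65.21",
      "resolved": "from-private-repo"},
    "node_modules/@strapi/admin": {"version": "5.48.1"}
  }
}`

// pkgEntry covers the fields both formats share; "name" is present for aliases.
type pkgEntry struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// RegistryName returns the name to probe the registry with: the inner "name"
// when the entry carries one (aliases always do), otherwise the map key.
func RegistryName(key, inner string) string {
	if inner != "" {
		return inner
	}
	return key
}

// TarballURL builds {ARTIFACTORY}/api/npm/{repo}/{name}/-/{base}-{version}.tgz.
// For scoped packages the file component drops the scope (@strapi/admin -> admin-5.48.1.tgz).
func TarballURL(artiURL, repo, name, version string) string {
	base := name
	if i := strings.LastIndex(name, "/"); i >= 0 {
		base = name[i+1:]
	}
	return fmt.Sprintf("%s/api/npm/%s/%s/-/%s-%s.tgz",
		strings.TrimRight(artiURL, "/"), repo, name, base, version)
}

// NpmLsURLs parses npm ls output and returns alias key -> tarball URL.
// useInnerName=false reproduces the reported behaviour (object key as name);
// useInnerName=true is the proposed fix (option 3 above).
func NpmLsURLs(raw, artiURL, repo string, useInnerName bool) (map[string]string, error) {
	var out struct {
		Dependencies map[string]pkgEntry `json:"dependencies"`
	}
	if err := json.Unmarshal([]byte(raw), &out); err != nil {
		return nil, err
	}
	urls := make(map[string]string, len(out.Dependencies))
	for key, dep := range out.Dependencies {
		name := key
		if useInnerName {
			name = RegistryName(key, dep.Name)
		}
		urls[key] = TarballURL(artiURL, repo, name, dep.Version)
	}
	return urls, nil
}

// LockfileName resolves the registry name for an installed path such as
// "node_modules/codemirror5" (option 1 above): the "name" field when present,
// otherwise the path component after the last "node_modules/".
func LockfileName(raw, path string) (string, error) {
	var lock struct {
		Packages map[string]pkgEntry `json:"packages"`
	}
	if err := json.Unmarshal([]byte(raw), &lock); err != nil {
		return "", err
	}
	pkg, ok := lock.Packages[path]
	if !ok {
		return "", fmt.Errorf("%s not in lockfile", path)
	}
	if pkg.Name != "" {
		return pkg.Name, nil
	}
	if i := strings.LastIndex(path, "node_modules/"); i >= 0 {
		return path[i+len("node_modules/"):], nil
	}
	return path, nil
}

func main() {
	const arti, repo = "https://arti.example.com/artifactory", "npm-virtual" // placeholders
	reported, _ := NpmLsURLs(npmLsJSON, arti, repo, false)
	fixed, _ := NpmLsURLs(npmLsJSON, arti, repo, true)
	fmt.Println("reported HEAD target:", reported["codemirror5"])
	fmt.Println("expected HEAD target:", fixed["codemirror5"])
	name, _ := LockfileName(lockJSON, "node_modules/codemirror5")
	fmt.Println("lockfile name:", name)
}
```

Running it prints the codemirror5-5.65.21.tgz path that 404s next to the codemirror-5.65.21.tgz path the lockfile actually resolves, which is the check to keep in a regression test once the dependency-tree parser is fixed.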

JFrog CLI version

2.111.0

Operating system type and version

Ubuntu 24.04.4 LTS (Linux 6.17.0-22-generic)

JFrog Artifactory version

No response

JFrog Xray version

No response
