Component
Other: npm package postinstall fallback
Description
npm/src/install.mjs intends to reject non-local http:// registry and tarball URLs unless ALLOW_INSECURE_REGISTRY=true is set. The rejection is currently thrown inside a broad try block and then swallowed by the matching catch, so the guard silently accepts the same insecure HTTP URLs it is meant to reject.
The affected path is the manual fallback downloader used when the platform-specific optional dependency is unavailable. Registry configuration, registry metadata, and redirects all pass through makeRequest, which calls ensureSecureUrl before selecting NodeHttp or NodeHttps.
Minimal reproduction of the current guard behavior:
function ensureSecureUrl(urlString, purpose) {
  try {
    const url = new URL(urlString)
    if (url.protocol === 'http:') {
      const allowInsecure = process.env.ALLOW_INSECURE_REGISTRY === 'true'
      if (!['localhost', '127.0.0.1', '::1'].includes(url.hostname) && !allowInsecure) {
        // This throw is inside the try block, so it is caught below.
        throw new Error(`Refusing to use insecure HTTP for ${purpose}: ${urlString}`)
      }
    }
  } catch {
    // Swallows the rejection together with URL parse errors; the caller never sees it.
  }
}
ensureSecureUrl('http://example.com/@foundry-rs/forge', 'registry URL')
// accepted
Expected behavior:
- non-local http:// URLs are rejected by default
- http://localhost, http://127.0.0.1, and http://[::1] remain valid for local registry development
- ALLOW_INSECURE_REGISTRY=true remains an explicit override
- invalid URL strings can still fall through to the request layer as before
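For reference, an added example (not the project's code) of a guard that meets the expected behavior above: the try block is narrowed to URL parsing only, so the rejection propagates to the caller, while an unparsable string still returns silently and falls through to the request layer. One caveat a fix should account for: with the WHATWG `URL` class, `url.hostname` for an IPv6 literal keeps its brackets (`'[::1]'`, not `'::1'`), so a bare `'::1'` in the allowlist would never match; the example strips the brackets before comparing. The `classify` helper and the `env` parameter are additions for testing and are not part of the original script.

```javascript
// Added example, not code from npm/src/install.mjs.
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '::1'])

// Assumed fixed guard: only URL parsing is wrapped in try/catch, so the
// insecure-HTTP rejection is thrown to the caller instead of being swallowed.
function ensureSecureUrl(urlString, purpose, env = process.env) {
  let url
  try {
    url = new URL(urlString)
  } catch {
    // Invalid URL strings fall through to the request layer as before.
    return
  }
  if (url.protocol !== 'http:') return
  // WHATWG URL keeps brackets on IPv6 literals: 'http://[::1]/' -> hostname '[::1]'.
  const host = url.hostname.replace(/^\[(.*)\]$/, '$1')
  if (LOCAL_HOSTS.has(host)) return
  if (env.ALLOW_INSECURE_REGISTRY === 'true') return
  throw new Error(`Refusing to use insecure HTTP for ${purpose}: ${urlString}`)
}

// Test helper (not in the original): turn the outcome into a string so the
// behaviour can be checked without exceptions escaping the caller.
function classify(urlString, env = {}) {
  try {
    ensureSecureUrl(urlString, 'registry URL', env)
    return 'accepted'
  } catch (err) {
    return `rejected: ${err.message}`
  }
}

// Constructed inputs, one per expected case.
const cases = [
  ['http://example.com/@foundry-rs/forge', {}],
  ['http://localhost:4873/@foundry-rs/forge', {}],
  ['http://127.0.0.1:4873/@foundry-rs/forge', {}],
  ['http://[::1]:4873/@foundry-rs/forge', {}],
  ['http://example.com/@foundry-rs/forge', { ALLOW_INSECURE_REGISTRY: 'true' }],
  ['https://registry.npmjs.org/@foundry-rs/forge', {}],
  ['not a url', {}],
]
for (const [u, env] of cases) console.log(u, '->', classify(u, env))
```

Running the block prints one line per case; only the first (non-local http:// with no override) is rejected.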
Version
Current master at 57755895027876db34b5bf4bcc7473cb949cd9c7.
Operating System
All platforms.