Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
npm diff between two versions of a scoped private package fails with a 404
$ npm i @myscope/my-package@1.4.25 @myscope/my-package@1.4.24 --no-save
# succeeds, both tarballs downloaded and cached
$ npm diff --diff=@myscope/my-package@1.4.25 --diff=@myscope/my-package@1.4.24
npm error code E404
npm error 404 Not Found - GET https://gitlab.example.com/api/v4/projects/339/packages/npm/@myscope/my-package/-/@myscope/my-package-1.4.24.tgz - Project not found
npm error 404
npm error 404 The requested resource '...' could not be found or you do not have permission to access it.
npm error 404 This package name is not valid, because
npm error 404 1. name can only contain URL-friendly characters
As far as I can tell, the registry's packument returns a dist.tarball URL where the scope's / is embedded unencoded in the filename path segment. GitLab's project-level package-download route only matches when that slash is percent-encoded (%2f). Confirmed with:
$ curl -H "Authorization: Bearer $TOKEN" \
"https://gitlab.example.com/api/v4/projects/339/packages/npm/@myscope/my-package/-/@myscope/my-package-1.4.24.tgz"
-> 404
$ curl -H "Authorization: Bearer $TOKEN" \
"https://gitlab.example.com/api/v4/projects/339/packages/npm/@myscope/my-package/-/@myscope%2fmy-package-1.4.24.tgz"
-> 200
So the raw dist.tarball string from the registry is not directly fetchable — this part could reasonably be argued to be a GitLab bug (or GitLab intentionally expecting clients to normalize/encode path segments). But since npm install for the exact same package/version succeeds against this same registry, this makes this look like an inconsistency inside npm rather than something only a registry-side fix could solve.
Expected Behavior
maybe npm diff should fetch scoped-package tarballs the same way npm install does (whatever encoding/normalization that path applies), so it doesn't regress against registries that install already works against
Steps To Reproduce
Explained in the current behavior entry:
-> npm version: 12.0.1
-> Two package versions deployed in a private package registry
-> npm diff between the two versions
-> npm error 404 Not Found - GET https://gitlab.example.com/api/v4/projects/339/packages/npm/@myscope/my-package/-/@myscope/my-package-1.4.24.tgz - Project not found
Environment
- npm: 12.0.1
- Node.js: v26.5.0
- OS Name: Ubuntu resolute
- npm config:
; "user" config from /home/me/.npmrc
@myscope:registry = "https://gitlab.example.com/api/v4/packages/npm/"
//gitlab.example.com/api/v4/packages/npm/:_authToken = (protected)
allow-remote = "all"
; node bin location = /usr/bin/node
; node version = v26.5.0
; npm version = 12.0.1
Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
npm diffbetween two versions of a scoped private package fails with a 404As far as I can tell, the registry's packument returns a
dist.tarballURL where the scope's/is embedded unencoded in the filename path segment. GitLab's project-level package-download route only matches when that slash is percent-encoded (%2f). Confirmed with:-> 404
-> 200
So the raw
dist.tarballstring from the registry is not directly fetchable — this part could reasonably be argued to be a GitLab bug (or GitLab intentionally expecting clients to normalize/encode path segments). But sincenpm installfor the exact same package/version succeeds against this same registry, this makes this look like an inconsistency inside npm rather than something only a registry-side fix could solve.Expected Behavior
maybe
npm diffshould fetch scoped-package tarballs the same waynpm installdoes (whatever encoding/normalization that path applies), so it doesn't regress against registries thatinstallalready works againstSteps To Reproduce
Explained in the current behavior entry:
-> npm version: 12.0.1
-> Two package versions deployed in a private package registry
-> npm diff between the two versions
->
npm error 404 Not Found - GET https://gitlab.example.com/api/v4/projects/339/packages/npm/@myscope/my-package/-/@myscope/my-package-1.4.24.tgz - Project not foundEnvironment