Skip to content

[BUG] npm diff 404s on scoped-package tarballs from a private registry #9769

Description

@danImo-blg

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

This is not just a request to bump a dependency for a CVE

  • This is not solely a request to bump a dependency for a CVE

Current Behavior

npm diff between two versions of a scoped private package fails with a 404

$ npm i @myscope/my-package@1.4.25 @myscope/my-package@1.4.24 --no-save
# succeeds, both tarballs downloaded and cached

$ npm diff --diff=@myscope/my-package@1.4.25 --diff=@myscope/my-package@1.4.24
npm error code E404
npm error 404 Not Found - GET https://gitlab.example.com/api/v4/projects/339/packages/npm/@myscope/my-package/-/@myscope/my-package-1.4.24.tgz - Project not found
npm error 404
npm error 404  The requested resource '...' could not be found or you do not have permission to access it.
npm error 404 This package name is not valid, because
npm error 404  1. name can only contain URL-friendly characters

As far as I can tell, the registry's packument returns a dist.tarball URL where the scope's / is embedded unencoded in the filename path segment. GitLab's project-level package-download route only matches when that slash is percent-encoded (%2f). Confirmed with:

$ curl -H "Authorization: Bearer $TOKEN" \
    "https://gitlab.example.com/api/v4/projects/339/packages/npm/@myscope/my-package/-/@myscope/my-package-1.4.24.tgz"

-> 404

$ curl -H "Authorization: Bearer $TOKEN" \
    "https://gitlab.example.com/api/v4/projects/339/packages/npm/@myscope/my-package/-/@myscope%2fmy-package-1.4.24.tgz"

-> 200

So the raw dist.tarball string from the registry is not directly fetchable — this part could reasonably be argued to be a GitLab bug (or GitLab intentionally expecting clients to normalize/encode path segments). But since npm install for the exact same package/version succeeds against this same registry, this makes this look like an inconsistency inside npm rather than something only a registry-side fix could solve.

Expected Behavior

maybe npm diff should fetch scoped-package tarballs the same way npm install does (whatever encoding/normalization that path applies), so it doesn't regress against registries that install already works against

Steps To Reproduce

Explained in the current behavior entry:
-> npm version: 12.0.1
-> Two package versions deployed in a private package registry
-> npm diff between the two versions
-> npm error 404 Not Found - GET https://gitlab.example.com/api/v4/projects/339/packages/npm/@myscope/my-package/-/@myscope/my-package-1.4.24.tgz - Project not found

Environment

  • npm: 12.0.1
  • Node.js: v26.5.0
  • OS Name: Ubuntu resolute
  • npm config:
; "user" config from /home/me/.npmrc

@myscope:registry = "https://gitlab.example.com/api/v4/packages/npm/"
//gitlab.example.com/api/v4/packages/npm/:_authToken = (protected)
allow-remote = "all"

; node bin location = /usr/bin/node
; node version = v26.5.0
; npm version = 12.0.1

Metadata

Metadata

Assignees

No one assigned

    Labels

    Bugthing that needs fixingNeeds Triageneeds review for next steps

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions