This repository was archived by the owner on Aug 12, 2025. It is now read-only.
This repository was archived by the owner on Aug 12, 2025. It is now read-only.
npm package-spec aliases are not handled correctly #859
Description
npm package-spec allows for aliases: https://docs.npmjs.com/cli/v9/using-npm/package-spec?v=true#aliases
This allows a dependency block to look like:
"dependencies": {
"string-width": "^5.1.2",
"string-width-cjs": "npm:string-width@^4.2.0",
},The corresponding package-lock.json will then look like:
"node_modules/@isaacs/cliui": {
"version": "8.0.2",
"resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz",
"integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==",
"dev": true,
"dependencies": {
"string-width": "^5.1.2",
"string-width-cjs": "npm:string-width@^4.2.0",
},
"engines": {
"node": ">=12"
}
},and the reference then looks like:
"node_modules/string-width-cjs": {
"name": "string-width",
"version": "4.2.3",
"resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
"integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
"dev": true,
"dependencies": {
"emoji-regex": "^8.0.0",
"is-fullwidth-code-point": "^3.0.0",
"strip-ansi": "^6.0.1"
},
"engines": {
"node": ">=8"
}
},but cachito is attempting to download string-width-cjs@npm:string-width-4.2.3.tgz which will not exist in npmjs.
Cachito should follow the alias before downloading.