Fails to fetch some files when using private registry

[radicand]

What version of Bun is running?

0.5.8

What platform is your computer?

Darwin 22.3.0 arm64 arm

What steps can reproduce the bug?

1. Configure bun to use a private registry per documentation
2. bun install

What is the expected behavior?

Packages to install normally as expected

What do you see instead?

Most packages install, however a few receive errors like:

bun install v0.5.8 (1a25af5e)
  🔍 Resolving... 
GET https://REDACTED.s3.amazonaws.com/REDACTED/filestore/REDACTED?X-Artifactory-username=REDACTED&X-Artifactory-repoType=local&X-Artifactory-repositoryKey=REDACTED&X-Artifactory-packageType=npm&X-Artifactory-artifactPath=%40REDACTED%2F-%2F%40REDACTED-0.9.1.tgz&X-Artifactory-projectKey=default&x-jf-traceId=REDACTED&response-content-disposition=attachment%3Bfilename%3D%22REDACTED-0.9.1.tgz%22&response-content-type=application%2Fx-gzip&X-Amz-Security-Token=REDACTED&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=REDACTED&X-Amz-SignedHeaders=host&X-Amz-Expires=120&X-Amz-Credential=REDACTED&X-Amz-Signature=REDACTED - 400

Additional information

If I manually curl the URL shown in the error, it works fine and downloads a file (tgz). I am unable to determine why this errors in bun and why there's a 400 associated in the error line. I've attempted to include all the URL parameters, though many are redacted for security reasons. Hopefully this helps.

This same package.json works fine with node/npm install.

[privatenumber]

Can you see if bun install --verbose will provide more insight?

[radicand]

That gives the following:

  🔍 Resolving...
error: ConnectionClosed downloading tarball @[email protected]
  🔍 Resolving...
GET ... 400

The items that show up in the ConnectionClosed and 400 are different in the error message, but if run again, sometimes they show up as the oneliner or the GET error.

[radicand]

Any suggestions for how to troubleshoot this or get more details (e.g., body of the 400)?

[radicand]

This is still present in canary, please consider re-opening.

the --verbose flag does not offer any hints or clues currently - the ConnectionClosed error is gone/disappeared.

[iantocristian]

Same issue, error 400 downloading packages from private registry GET https://abc.s3.eu-west-1.amazonaws.com/...?X-Amz-Algorithm=AWS4-HMAC-SHA256&... with github package registry

Urls are ok, work fine with curl.

[lilfaf]

Same for me, 400 bad requests when pulling from S3 but the curl request is working just fine using the same URL.

It seems related with: #643

[AndriiZelenskyi]

It fails for me, too, when working with the JFrog as a private registry. I can see from the URL structure that the original error was related to the JFrog as well. It might be related to the way the HTTP client handles the redirects from the resource URL to the AWS bucket.

JFrog says that it happens when two authentication types are involved.

Typically, only one authentication method is applied (bearer or basic). This error occurs because both are in play. As a result, Artifactory-bound authentication is incorrectly forwarded to Amazon's S3 service.

Currently, this issue blocks us from using it in production.

Here is a source for this assumption: https://jfrog.com/help/r/artifactory-how-to-resolve-a-400-bad-request-error-when-trying-to-download-or-resolve-artifacts/artifactory-how-to-resolve-a-400-bad-request-error-when-trying-to-download-or-resolve-artifacts

P.S. Not all requests are failed. Only a small percentage.

[idobbins]

I'm running into 400 errors when trying to pull from a private npm registry. It looks to me that the forward slash is not being encoded in the way AWS codeartifact expects.

This is the line of output from bun install. (Doing bun install --verbose blows up my terminal with more text than I know what to do with. grep cannot save me here. Fortunately the default output is enough)

GET https://<private-url-root>.d.codeartifact.us-east-1.amazonaws.com/npm/<Organization>/@<organization>/<package-name> - 400

comparatively, npm outputs this

npm http fetch GET 200 https://<private-url-root>.d.codeartifact.us-east-1.amazonaws.com/npm/<Organization>/@<organization>%2f<package-name> (cache updated)

my bunfig.toml looks like this

[install.scopes]
"@<organization>"= { url = "https://<private-url-root>.d.codeartifact.us-east-1.amazonaws.com/npm/<Organization>", token="$<token-as-env-var>" }

Everything else seems to install fine out of the box, but this is a bit of a show-stopper.

[Jarred-Sumner]

This should've been fixed in Bun v1.0.3 (released 10 days ago)

Please leave a comment if you still see it