Fixes registry used to check for deprecation settings (#5534)

**What's the problem this PR addresses?**

The new `yarn npm audit` implementation checks the packages' metadata on
the audit server rather than the server configured to serve their
metadata.

Closes #5533 

**How did you fix it?**

Updated the code to use the new `getPackageMetadata` function, which
should use the proper server while also leveraging the cache if
possible.

**Checklist**
<!--- Don't worry if you miss something, chores are automatically
tested. -->
<!--- This checklist exists to help you remember doing the chores when
you submit a PR. -->
<!--- Put an `x` in all the boxes that apply. -->
- [x] I have read the [Contributing
Guide](https://yarnpkg.com/advanced/contributing).

<!-- See
https://yarnpkg.com/advanced/contributing#preparing-your-pr-to-be-released
for more details. -->
<!-- Check with `yarn version check` and fix with `yarn version check
-i` -->
- [x] I have set the packages that need to be released for my changes to
be effective.

<!-- The "Testing chores" workflow validates that your PR follows our
guidelines. -->
<!-- If it doesn't pass, click on it to see details as to what your PR
might be missing. -->
- [x] I will check that all automated PR checks pass before the PR gets
reviewed.

Author: arcanis

.yarn/versions/3da18857.yml

@@ -0,0 +1,24 @@
+releases:
+  "@yarnpkg/cli": patch
+  "@yarnpkg/plugin-npm": patch
+  "@yarnpkg/plugin-npm-cli": patch
+
+declined:
+  - "@yarnpkg/plugin-compat"
+  - "@yarnpkg/plugin-constraints"
+  - "@yarnpkg/plugin-dlx"
+  - "@yarnpkg/plugin-essentials"
+  - "@yarnpkg/plugin-init"
+  - "@yarnpkg/plugin-interactive-tools"
+  - "@yarnpkg/plugin-nm"
+  - "@yarnpkg/plugin-pack"
+  - "@yarnpkg/plugin-patch"
+  - "@yarnpkg/plugin-pnp"
+  - "@yarnpkg/plugin-pnpm"
+  - "@yarnpkg/plugin-stage"
+  - "@yarnpkg/plugin-typescript"
+  - "@yarnpkg/plugin-version"
+  - "@yarnpkg/plugin-workspace-tools"
+  - "@yarnpkg/builder"
+  - "@yarnpkg/core"
+  - "@yarnpkg/doctor"

packages/acceptance-tests/pkg-tests-core/sources/utils/tests.ts

@@ -1,4 +1,4 @@
-import {semverUtils}                                           from '@yarnpkg/core';
+import {miscUtils, semverUtils}                                from '@yarnpkg/core';
 import {PortablePath, npath, toFilename, xfs, ppath, Filename} from '@yarnpkg/fslib';
 import {npmAuditTypes}                                         from '@yarnpkg/plugin-npm-cli';
 import assert                                                  from 'assert';
@@ -60,27 +60,33 @@ export enum RequestType {
 }
 
 export type Request = {
+  registry?: string;
   type: RequestType.Login;
   username: string;
 } | {
+  registry?: string;
   type: RequestType.PackageInfo;
   scope?: string;
   localName: string;
 } | {
+  registry?: string;
   type: RequestType.PackageTarball;
   scope?: string;
   localName: string;
   version?: string;
 } | {
+  registry?: string;
   type: RequestType.Whoami;
   login: Login;
 } | {
   type: RequestType.Repository;
 } | {
+  registry?: string;
   type: RequestType.Publish;
   scope?: string;
   localName: string;
 } | {
+  registry?: string;
   type: RequestType.BulkAdvisories;
 };
 
@@ -160,6 +166,12 @@ export const validLogins = {
 let whitelist = new Map();
 let recording: Array<Request> | null = null;
 
+export function sortJson<T>(data: Iterable<T>): Array<T> {
+  return miscUtils.sortMap(data, request => {
+    return JSON.stringify(request);
+  });
+}
+
 export const startRegistryRecording = async (
   fn: () => Promise<void>,
 ) => {
@@ -573,51 +585,65 @@ export const startPackageServer = ({type}: { type: keyof typeof packageServerUrl
       return {
         type: RequestType.Repository,
       };
-    } else if ((match = url.match(/^\/-\/user\/org\.couchdb\.user:(.+)/))) {
-      const [, username] = match;
-
-      return {
-        type: RequestType.Login,
-        username,
-      };
-    } else if (url === `/-/whoami`) {
-      return {
-        type: RequestType.Whoami,
-        // Set later when login is parsed
-        login: null as any,
-      };
-    } else if (url === `/-/npm/v1/security/advisories/bulk`) {
-      return {
-        type: RequestType.BulkAdvisories,
-      };
-    } else if ((match = url.match(/^\/(?:(@[^/]+)\/)?([^@/][^/]*)$/)) && method == `PUT`) {
-      const [, scope, localName] = match;
-
-      return {
-        type: RequestType.Publish,
-        scope,
-        localName,
-      };
-    } else if ((match = url.match(/^\/(?:(@[^/]+)\/)?([^@/][^/]*)$/))) {
-      const [, scope, localName] = match;
-
-      return {
-        type: RequestType.PackageInfo,
-        scope,
-        localName,
-      };
-    } else if ((match = url.match(/^\/(?:(@[^/]+)\/)?([^@/][^/]*)\/(-|tralala)\/\2-(.*)\.tgz$/))) {
-      const [, scope, localName, split, version] = match;
+    } else {
+      let registry: {registry: string} | undefined;
+      if ((match = url.match(/^\/registry\/([a-z]+)\//))) {
+        url = url.slice(match[0].length - 1);
+        registry = {registry: match[1]};
+      }
 
-      if ((localName === `unconventional-tarball` || localName === `private-unconventional-tarball`) && split === `-`)
-        return null;
+      if ((match = url.match(/^\/-\/user\/org\.couchdb\.user:(.+)/))) {
+        const [, username] = match;
 
-      return {
-        type: RequestType.PackageTarball,
-        scope,
-        localName,
-        version,
-      };
+        return {
+          ...registry,
+          type: RequestType.Login,
+          username,
+        };
+      } else if (url === `/-/whoami`) {
+        return {
+          ...registry,
+          type: RequestType.Whoami,
+          // Set later when login is parsed
+          login: null as any,
+        };
+      } else if (url === `/-/npm/v1/security/advisories/bulk`) {
+        return {
+          ...registry,
+          type: RequestType.BulkAdvisories,
+        };
+      } else if ((match = url.match(/^\/(?:(@[^/]+)\/)?([^@/][^/]*)$/)) && method == `PUT`) {
+        const [, scope, localName] = match;
+
+        return {
+          ...registry,
+          type: RequestType.Publish,
+          scope,
+          localName,
+        };
+      } else if ((match = url.match(/^\/(?:(@[^/]+)\/)?([^@/][^/]*)$/))) {
+        const [, scope, localName] = match;
+
+        return {
+          ...registry,
+          type: RequestType.PackageInfo,
+          scope,
+          localName,
+        };
+      } else if ((match = url.match(/^\/(?:(@[^/]+)\/)?([^@/][^/]*)\/(-|tralala)\/\2-(.*)\.tgz$/))) {
+        const [, scope, localName, split, version] = match;
+
+        if ((localName === `unconventional-tarball` || localName === `private-unconventional-tarball`) && split === `-`)
+          return null;
+
+        return {
+          ...registry,
+          type: RequestType.PackageTarball,
+          scope,
+          localName,
+          version,
+        };
+      }
     }
 
     return null;

packages/acceptance-tests/pkg-tests-specs/sources/commands/npm/audit.test.ts

@@ -1,4 +1,5 @@
 import {Filename, ppath, xfs} from '@yarnpkg/fslib';
+import {tests}                from 'pkg-tests-core';
 
 describe(`Commands`, () => {
   describe(`npm audit`, () => {
@@ -181,15 +182,31 @@ describe(`Commands`, () => {
     );
 
     test(
-      `it should report deprecations as audit issues`,
+      `it should perform the deprecation checks against the package registry, not the audit registry`,
       makeTemporaryEnv({
         dependencies: {
           [`no-deps-deprecated`]: `1.0.0`,
         },
       }, async ({path, run, source}) => {
+        await xfs.writeJsonPromise(ppath.join(path, Filename.rc), {
+          npmAuditRegistry: `${await tests.startPackageServer()}/registry/audit`,
+        });
+
         await run(`install`);
 
-        await expect(run(`npm`, `audit`)).rejects.toThrow(/no-deps-deprecated \(deprecation\)/);
+        const requests = await tests.startRegistryRecording(async () => {
+          await expect(run(`npm`, `audit`)).rejects.toThrow(/no-deps-deprecated \(deprecation\)/);
+        });
+
+        expect(tests.sortJson(requests)).toEqual([{
+          registry: `audit`,
+          type: `bulkAdvisories`,
+        }, {
+          registry: undefined,
+          scope: undefined,
+          localName: `no-deps-deprecated`,
+          type: `packageInfo`,
+        }]);
       }),
     );
 

packages/acceptance-tests/pkg-tests-specs/sources/commands/stage.test.js

@@ -48,7 +48,7 @@ describe(`Commands`, () => {
         await expect(run(`stage`, `-n`, {cwd: path})).resolves.toMatchObject({
           stdout: [
             `${npath.fromPortablePath(`${path}/.pnp.cjs`)}\n`,
-            `${npath.fromPortablePath(`${path}/.yarn/global/metadata/npm/b98544/localhost/no-deps.json`)}\n`,
+            `${npath.fromPortablePath(`${path}/.yarn/global/metadata/npm/3fb1ad/localhost/no-deps.json`)}\n`,
             `${npath.fromPortablePath(`${path}/.yarn/global/cache/no-deps-npm-1.0.0-cf533b267a-0.zip`)}\n`,
             `${npath.fromPortablePath(`${path}/.yarn/cache/.gitignore`)}\n`,
             `${npath.fromPortablePath(`${path}/.yarn/cache/no-deps-npm-1.0.0-cf533b267a-af041f19ff.zip`)}\n`,

packages/plugin-npm-cli/sources/commands/npm/audit.ts

@@ -1,5 +1,6 @@
 import {BaseCommand, WorkspaceRequiredError}                                                                                     from '@yarnpkg/cli';
 import {Configuration, Project, MessageName, treeUtils, LightReport, StreamReport, semverUtils, LocatorHash, Locator, miscUtils} from '@yarnpkg/core';
+import {structUtils}                                                                                                             from '@yarnpkg/core';
 import {npmConfigUtils, npmHttpUtils}                                                                                            from '@yarnpkg/plugin-npm';
 import {Command, Option, Usage}                                                                                                  from 'clipanion';
 import micromatch                                                                                                                from 'micromatch';
@@ -131,17 +132,9 @@ export default class NpmAuditCommand extends BaseCommand {
       }) as unknown as Promise<npmAuditTypes.AuditResponse>;
 
       const deprecations = await Promise.all(this.noDeprecations ? [] : Array.from(packages, async ([packageName, versions]) => {
-        const registryData = await npmHttpUtils.get(`/${packageName}`, {
-          configuration,
-          jsonResponse: true,
-          registry,
-          headers: {
-            [`Accept`]: `application/vnd.npm.install-v1+json`,
-          },
-        }) as any;
-
-        if (!Object.prototype.hasOwnProperty.call(registryData, `versions`))
-          return [];
+        const registryData = await npmHttpUtils.getPackageMetadata(structUtils.parseIdent(packageName), {
+          project,
+        });
 
         return miscUtils.mapAndFilter(versions.keys(), version => {
           const {deprecated} = registryData.versions[version];

packages/plugin-npm/sources/npmHttpUtils.ts

@@ -170,11 +170,6 @@ type CachedMetadata = {
   lastModified?: string;
 };
 
-export type PackageMetadata = {
-  'dist-tags': Record<string, string>;
-  versions: Record<string, any>;
-};
-
 const CACHED_FIELDS = [
   `name`,
 
@@ -193,14 +188,27 @@ const CACHED_FIELDS = [
 
   `peerDependencies`,
   `peerDependenciesMeta`,
-];
+
+  `deprecated`,
+] as const;
+
+export type PackageMetadata = {
+  'dist-tags': Record<string, string>;
+  versions: Record<string, {
+    [key in typeof CACHED_FIELDS[number]]: any;
+  } & {
+    dist: {
+      tarball: string;
+    };
+  }>;
+};
 
 function pickPackageMetadata(metadata: PackageMetadata): PackageMetadata {
   return {
     'dist-tags': metadata[`dist-tags`],
     versions: Object.fromEntries(Object.entries(metadata.versions).map(([key, value]) => [
       key,
-      pick(value, CACHED_FIELDS),
+      pick(value, CACHED_FIELDS) as any,
     ])),
   };
 }