Enable CORS for the public registry endpoints

[arcanis]

Ref: npm/npm-registry-couchapp#108 (comment); Raising again since I suspect the registry should now already have solid protections against DDoS that it didn't have in 2016.

The registry endpoints don't have CORS headers, requiring to go through a proxy to fetch packages (metadata + tarballs) from a browser. In particular, the two following endpoints would benefit from that:

GET /package-name

It would allow remote websites (for instance a GitHub Page-hosted application) to reference arbitrary metadata from a package (for instance I could use that to print the latest available version for some of my packages, or the author list, or [...]).

GET /package-name/-/package-name.tgz

Similarly, this would allow to build package-related tools without requiring expensive proxies; one classic example would be to display the diff between two packages, similar to this.

Additionally, the next Yarn version may support running within a browser, and having CORS enabled on the package archives themselves would be useful to this effect. It's not blocking, since whether this happen or not we can provide stub packages on our side, but it would be interesting to evaluate how far we could push this experiment.

[simonplend]

The public API endpoints which are available on api.npmjs.org - e.g. for retrieving package download counts - already send CORS response headers. If CORS headers were also added to registry.npmjs.org it would make it straightforward to combine data from both public APIs in client side applications.

As @arcanis has described, adding CORS headers to specific public registry endpoints would really open things up for the community to build awesome things on top of npm data.

[Jolg42]

About the downloads API:
#60 (reply in thread)

[Jolg42]

Looks like CORS headers are missing for the registry indeed https://registry.npmjs.org/prisma

One workaround would be to use npms https://api.npms.io/v2/package/prisma

[bobbui]

would really love this to be supported

[Jolg42]

Maybe a better workaround for now is to have a proxy:

I did a simple one with Cloudflare Workers at https://npm.rapide.workers.dev/prisma
It's a simple proxy to the registry (example https://registry.npmjs.org/prisma)
The code is here https://gist.github.com/Jolg42/6ecfadf6beee644a207220085317dbfe

@simonplend also mentioned a simple and beautiful solution using Netlify's proxy feature https://docs.netlify.com/routing/redirects/rewrites-proxies/#proxy-to-another-service

[jasonkuhrt]

Another option: https://npmjs.cf/

[yanbutan]

Maybe a better workaround for now is to have a proxy:

I did a simple one with Cloudflare Workers at https://npm.rapide.workers.dev/prisma It's a simple proxy to the registry (example https://registry.npmjs.org/prisma) The code is here https://gist.github.com/Jolg42/6ecfadf6beee644a207220085317dbfe

@simonplend also mentioned a simple and beautiful solution using Netlify's proxy feature https://docs.netlify.com/routing/redirects/rewrites-proxies/#proxy-to-another-service

The proxy https://registry.npmjs.org did not work for me but https://npmjs.cf/ did.

[MylesBorins]

Hey All,

I've opened a ticket with our engineering team to discuss this feature request and will get back to y'all

[terinjokes]

Should be resolved now.

[MylesBorins]

FYI we only did a dark ship today to specifically find if anything broke. We are planning full roll out next week

[terinjokes]

I'm curious to know more to be able to determine if I'll be broken again (and what "dark ship" means in this context). Fill free to send me a DM Myles.

[broofa]

@MylesBorins: It looks like not all resources are being served with CORS headers. Is that expected? Specifically, I've got a branch of npmgraph.js.org that I've switched to use registry.npmjs.org (I've historically used @terinjokes's npmjs.cf mirror). Note the broken mime-db request at https://npmgraph-git-npmjshost-npmgraph.vercel.app/?q=request.

[MylesBorins]

shared with engineering team, thanks for letting us know

[jasonkuhrt]

This works for us for now https://npmjs.cf/

[yanbutan]

This should get more upvotes. The only one that worked for me so far. Thanks @jasonkuhrt !

[MylesBorins]

CORS is launched and major issues resolved 🎉

[broofa]

Looks good from npmgraph's end. This is awesome, thank you!

[naruaway]

Hi, I finally made "npm" work in browser (npm-in-browser) thanks to this CORS header 🎉

However, I found that CORS is not enabled for "HTTP 404 Not Found" responses and this is causing a mismatch with real npm CLI in local machines in terms of its observable behavior.

Do you think we can make sure that registry.npmjs.org always returns appropriate CORS headers even for non 200 responses?

I filed an issue in npm-in-browser, which explains more details and reproductions: naruaway/npm-in-browser#1

[broofa]

Yeah, I see this as well on npmgraph:

[broofa]

@MylesBorins Is this on your radar? Seems like this is pretty clearly a bug.