[Node16]: Tarball Corrupted on private package install

Context:
We’re upgrading from Node 14 (NPM6) to Node 16 (NPM8), which also means upgrading our CI setup from Fermium to Gallium. This setup fully worked on Node 14 (NPM6).

  • Upon updating our .gitlab-ci.yml, one of our private packages, stored on a GitLab repo and accessed through a deploy token, is failing to install.
  • Running a simple stage with npm install (or even npm install with the direct link) yields this error:
    npm WARN tarball tarball data for (PRIVATE_REPO_URL_A) (null) seems to be corrupted. Trying again.
  • What version are you on? Are you using self-managed or GitLab.com?
      • GitLab Enterprise Edition 15.2.0-pre*
Note: Issue is with PRIVATE_REPO_URL_A, not the "B"

// .npmrc
@PRIVATE_URL_B
//PRIVATE_URL_B/packages/npm/:_authToken=${CI_JOB_TOKEN}

// .gitlab-ci.yml
npmSample:
    image: node:gallium-alpine
    script:
        - cp ci.npmrc .npmrc
        - npm install (PRIVATE_REPO_URL_A)
  • We’ve tried adding PRIVATE_REPO_URL_A to the .npmrc file; it fails
  • We’ve tried triggering a different error to get a reaction (e.g. a different token, to get a 401); it keeps returning the same error
  • We’ve tried aiming a Node 16 branch on the private repo to maintain compatibility, same error
  • We’ve tried dockerizing the entire process, same error

Thank you for giving a hand, this process has been really painful.

Mention 01: PRIVATE_REPO_URL is our actual url, I’m just replacing it in the context of sharing details here.

Mention 02: Tested locally using the gitlab runner

I had the same thing happening. npm ci was failing for private repo/dep pulled over ssh with the tarball data for ... seems to be corrupted. Trying again. message.

Changed the job image from node:16-bullseye-slim to node:16.15 and the problem “magically” disappeared.

I would also love to know what is causing this. Doesn’t look like we are using the same images.

I made sure I wasn’t caching node_modules between jobs just in case there was a difference in the images.

Some other forums recommend force clearing the npm cache before doing npm ci but I also tried disabling the cache and saw in the verbose npm ci log that every package was (cache miss) and fetched… but maybe something different is happening with npm install of a package directly from git in terms of caching somewhere.

Delete the package-lock.json and run npm install
So it looks like when you have already installed a package, there is a crc of the package in the package-lock.json; when you re-install the same package, npm checks if the tarball file provided has the same crc as the previous one, since it’s the same version
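
The lockfile check described in the last reply can be reproduced by hand: package-lock.json records an `integrity` value (an SRI string such as `sha512-<base64>`) per package, and the fetched bytes either hash to it or they do not. The following is an added example, not code from the thread; the package name `private-pkg`, the sample bytes and the lockfile object are constructed for illustration.

```javascript
// Added example, not code from the thread. All sample data below is constructed.
const crypto = require('crypto');

const STRENGTH = ['sha512', 'sha384', 'sha256', 'sha1']; // strongest first

// Split an SRI string ("sha512-<base64> sha1-<base64>") into {algo, digest} entries.
function parseIntegrity(sri) {
  return sri.trim().split(/\s+/).map((entry) => {
    const dash = entry.indexOf('-');
    const algo = entry.slice(0, dash);
    if (dash < 1 || !STRENGTH.includes(algo)) throw new Error(`unsupported SRI entry: ${entry}`);
    return { algo, digest: entry.slice(dash + 1).split('?')[0] }; // drop SRI options
  });
}

function computeIntegrity(bytes, algo = 'sha512') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Check fetched bytes against the strongest algorithm the lockfile entry lists.
function checkTarball(bytes, sri) {
  const entries = parseIntegrity(sri);
  const algo = STRENGTH.find((a) => entries.some((e) => e.algo === a));
  const actual = computeIntegrity(bytes, algo);
  const ok = entries.some((e) => `${e.algo}-${e.digest}` === actual);
  // npm tarballs are gzip-compressed; any other body is not a package at all.
  const isGzip = bytes.length >= 2 && bytes[0] === 0x1f && bytes[1] === 0x8b;
  return { ok, algo, actual, isGzip };
}

// Look up the recorded hash in a lockfileVersion 2/3 "packages" map.
function lockedIntegrity(lock, name) {
  const entry = (lock.packages || {})[`node_modules/${name}`];
  return entry && entry.integrity ? entry.integrity : null;
}

// Constructed stand-ins: gzip-magic bytes for a tarball, an HTML body for a non-tarball response.
const tarball = Buffer.concat([Buffer.from([0x1f, 0x8b, 0x08, 0x00]), Buffer.from('constructed payload')]);
const htmlBody = Buffer.from('<html><body>constructed non-tarball response</body></html>');
const lock = {
  lockfileVersion: 2,
  packages: { 'node_modules/private-pkg': { version: '1.0.0', integrity: computeIntegrity(tarball) } },
};

function demo() {
  const sri = lockedIntegrity(lock, 'private-pkg');
  return { good: checkTarball(tarball, sri), bad: checkTarball(htmlBody, sri) };
}

console.log(JSON.stringify(demo(), null, 2));
```

A result with `ok: false` and `isGzip: false` means the registry or repo returned something other than a package archive, which is a different problem from a lockfile hash that no longer matches a valid tarball.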