fix(npm): don’t authorize public non-scoped packages

The authorization header can interfere with caching because npmjs doesn’t return “public” in the “Cache-Control” header.

fix(npm): don’t authorize public non-scoped packages
3d1a715d · Rhys Arkins · 9b3f4b90 · 3d1a715d
Commit 3d1a715d authored 6 years ago by Rhys Arkins
--- a/lib/datasource/npm.js
+++ b/lib/datasource/npm.js
@@ -163,6 +163,16 @@ async function getDependency(name, retries = 5) {
    headers.authorization = `Bearer ${process.env.NPM_TOKEN}`;
  }

+  if (
+    pkgUrl.startsWith('https://registry.npmjs.org') &&
+    !pkgUrl.startsWith('https://registry.npmjs.org/@')
+  ) {
+    // Delete the authorization header for non-scoped public packages to improve http caching
+    // Otherwise, authenticated requests are not cacheable until the registry adds "public" to Cache-Control
+    // Ref: https://greenbytes.de/tech/webdav/rfc7234.html#caching.authenticated.responses
+    delete headers.authorization;
+  }
+
  // Retrieve from API if not cached
  try {
    const raw = await got(pkgUrl, {