From 3d1a715d2bfe98657cefe80ef522c96d6bf21272 Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Wed, 22 Aug 2018 09:50:05 +0200
Subject: [PATCH] =?UTF-8?q?fix(npm):=20don=E2=80=99t=20authorize=20public?=
 =?UTF-8?q?=20non-scoped=20packages?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The authorization header can interfere with caching because npmjs doesn’t return “public” in the “Cache-Control” header.
---
 lib/datasource/npm.js | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/datasource/npm.js b/lib/datasource/npm.js
index 317d90f4cc..2625fe6bde 100644
--- a/lib/datasource/npm.js
+++ b/lib/datasource/npm.js
@@ -163,6 +163,16 @@ async function getDependency(name, retries = 5) {
     headers.authorization = `Bearer ${process.env.NPM_TOKEN}`;
   }
 
+  if (
+    pkgUrl.startsWith('https://registry.npmjs.org') &&
+    !pkgUrl.startsWith('https://registry.npmjs.org/@')
+  ) {
+    // Delete the authorization header for non-scoped public packages to improve http caching
+    // Otherwise, authenticated requests are not cacheable until the registry adds "public" to Cache-Control
+    // Ref: https://greenbytes.de/tech/webdav/rfc7234.html#caching.authenticated.responses
+    delete headers.authorization;
+  }
+
   // Retrieve from API if not cached
   try {
     const raw = await got(pkgUrl, {
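Review bot: The added condition `pkgUrl.startsWith('https://registry.npmjs.org')` is a raw string-prefix test with no trailing slash, so it is also true for any host that merely begins with that text (a constructed example: `registry.npmjs.org.internal.example`), and it is case-sensitive where hostnames are not. Here the only effect is that the bearer token is dropped, which fails safe, but the decision about where `NPM_TOKEN` is sent is better made on the parsed host, e.g. `const { host, pathname } = new URL(pkgUrl);` followed by `if (host === 'registry.npmjs.org' && !pathname.startsWith('/@')) {`. A scoped name whose `@` arrives percent-encoded as `%40` would be treated as non-scoped and lose its authorization, so it is worth confirming how `pkgUrl` is built. That construction, and the branch that sets `headers.authorization`, sit above this hunk in `getDependency`, whose body also continues past the hunk.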
-- 
GitLab