download packages using https

[beygi]

when we use https://registry.npmjs.org/ or any https server as our main registry , sinopia should download packages using https not http , just like npm itself . i think this is a security issue too

[tcort]

when we use https://registry.npmjs.org/ or any https server as our main registry , sinopia should download packages using https not http

From my testing, it looks like sinopia does download packages via https as long as the url for the npmjs uplink in the config.yaml is the https one:

 info  <-- 192.168.1.123 requested 'GET /wkhtmltox'
 info  --> making request: 'GET https://registry.npmjs.org/wkhtmltox'
 http  --> 200, req: 'GET https://registry.npmjs.org/wkhtmltox', bytes: 0/18739
 debug -=- updating package info
 http  <-- 200, user: undefined, req: 'GET /wkhtmltox', bytes: 0/2564

If you mean that you want sinopia to serve packages over https, then there is already an Issue #71 and Pull Request #162.

[beygi]

yes , but in your sample actual package file is : wkhtmltox-0.11.0.tgz
and it is downloaded using this url :
http://registry.npmjs.org/wkhtmltox/-/wkhtmltox-0.11.0.tgz
not this url :
https://registry.npmjs.org/wkhtmltox/-/wkhtmltox-0.11.0.tgz

standard npm downloads from https link and sinopia's behavior differs from standard npm .
this issue makes sinopia unusable in countries such as iran and china because this countries
filters data transfers over http (https is OK by the way) and when we are using sinopia we are unable
to install packages with dirty names like "hooker" :
https://www.npmjs.org/package/hooker
or sex ! :
https://www.npmjs.org/package/sex
for example as you can see hooker is a dependency for some major packages like "grunt ".

changing this behavior is not a wired thing because standard npm already doing that and i hope sinopia acts like standard npm .

[tcort]

Hmmm interesting, it looks like registry.npmjs.org provides JSON which points to http://

From https://registry.npmjs.org/wkhtmltox :

...
"tarball":"http://registry.npmjs.org/wkhtmltox/-/wkhtmltox-0.11.0.tgz"
...

Digging into the npm code, they fix-up the tarball URL to use the same protocol as the registry. See npm:lib/cache/add-named.js#L174.

[beygi]

exactly and this is what i like to see in sinopia

[Bersam]

I consider this behavior too, it would be great if sinopia use https links instead of http, like npm itself.

[rlidwka]

I believe it was fixed in ed3eb37 and released in Sinopia@1.0.0.

Thanks for reporting!