fix(datasource/npm): cache public modules (#20815)

Co-authored-by: Michael Kriese <michael.kriese@visualon.de> Co-authored-by: Sebastian Poxhofer <secustor@users.noreply.github.com>

fix(datasource/npm): cache public modules (#20815)
a7299872 · Rhys Arkins · GitHub · a3cc159f · a7299872 · a7299872
Unverified Commit a7299872 authored Mar 9, 2023 by Rhys Arkins Committed by GitHub Mar 9, 2023
--- a/lib/modules/datasource/npm/__snapshots__/index.spec.ts.snap
+++ b/lib/modules/datasource/npm/__snapshots__/index.spec.ts.snap
@@ -2,6 +2,7 @@
 exports[`modules/datasource/npm/index should fetch package info from custom registry 1`] = `
 {
+  "isPrivate": true,
  "name": "foobar",
  "registryUrl": "https://npm.mycustomregistry.com",
  "releases": [
@@ -25,6 +26,7 @@ exports[`modules/datasource/npm/index should fetch package info from custom regi
 exports[`modules/datasource/npm/index should fetch package info from npm 1`] = `
 {
+  "isPrivate": false,
  "name": "foobar",
  "registryUrl": "https://registry.npmjs.org",
  "releases": [
@@ -48,6 +50,7 @@ exports[`modules/datasource/npm/index should fetch package info from npm 1`] = `
 exports[`modules/datasource/npm/index should handle foobar 1`] = `
 {
+  "isPrivate": true,
  "name": "foobar",
  "registryUrl": "https://registry.npmjs.org",
  "releases": [
@@ -71,6 +74,7 @@ exports[`modules/datasource/npm/index should handle foobar 1`] = `
 exports[`modules/datasource/npm/index should handle no time 1`] = `
 {
+  "isPrivate": true,
  "name": "foobar",
  "registryUrl": "https://registry.npmjs.org",
  "releases": [
@@ -93,6 +97,7 @@ exports[`modules/datasource/npm/index should handle no time 1`] = `
 exports[`modules/datasource/npm/index should not send an authorization header if public package 1`] = `
 {
+  "isPrivate": true,
  "name": "foobar",
  "registryUrl": "https://registry.npmjs.org",
  "releases": [
@@ -116,6 +121,7 @@ exports[`modules/datasource/npm/index should not send an authorization header if
 exports[`modules/datasource/npm/index should parse repo url (string) 1`] = `
 {
+  "isPrivate": true,
  "name": "foobar",
  "registryUrl": "https://registry.npmjs.org",
  "releases": [
@@ -134,6 +140,7 @@ exports[`modules/datasource/npm/index should parse repo url (string) 1`] = `
 exports[`modules/datasource/npm/index should parse repo url 1`] = `
 {
+  "isPrivate": true,
  "name": "foobar",
  "registryUrl": "https://registry.npmjs.org",
  "releases": [
@@ -152,6 +159,7 @@ exports[`modules/datasource/npm/index should parse repo url 1`] = `
 exports[`modules/datasource/npm/index should replace any environment variable in npmrc 1`] = `
 {
+  "isPrivate": true,
  "name": "foobar",
  "registryUrl": "https://registry.from-env.com",
  "releases": [
@@ -181,6 +189,7 @@ exports[`modules/datasource/npm/index should return deprecated 1`] = `
 Marking the latest version of an npm package as deprecated results in the entire package being considered deprecated, so contact the package author you think this is a mistake.",
  "deprecationSource": "npm",
+  "isPrivate": true,
  "name": "foobar",
  "registryUrl": "https://registry.npmjs.org",
  "releases": [
@@ -212,6 +221,7 @@ Marking the latest version of an npm package as deprecated results in the entire
 exports[`modules/datasource/npm/index should send an authorization header if provided 1`] = `
 {
+  "isPrivate": true,
  "name": "@foobar/core",
  "registryUrl": "https://registry.npmjs.org",
  "releases": [
@@ -235,6 +245,7 @@ exports[`modules/datasource/npm/index should send an authorization header if pro
 exports[`modules/datasource/npm/index should use default registry if missing from npmrc 1`] = `
 {
+  "isPrivate": true,
  "name": "foobar",
  "registryUrl": "https://registry.npmjs.org",
  "releases": [
@@ -258,6 +269,7 @@ exports[`modules/datasource/npm/index should use default registry if missing fro
 exports[`modules/datasource/npm/index should use host rules by baseUrl if provided 1`] = `
 {
+  "isPrivate": true,
  "name": "foobar",
  "registryUrl": "https://npm.mycustomregistry.com/_packaging/mycustomregistry/npm/registry",
  "releases": [
@@ -281,6 +293,7 @@ exports[`modules/datasource/npm/index should use host rules by baseUrl if provid
 exports[`modules/datasource/npm/index should use host rules by hostName if provided 1`] = `
 {
+  "isPrivate": true,
  "name": "foobar",
  "registryUrl": "https://npm.mycustomregistry.com",
  "releases": [

--- a/lib/modules/datasource/npm/get.ts
+++ b/lib/modules/datasource/npm/get.ts
@@ -171,19 +171,12 @@ export async function getDependency(
      return release;
    });
    logger.trace({ dep }, 'dep');
-    // serialize first before saving
+    const cacheControl = raw.headers?.['cache-control'];
-    // TODO: use dynamic detection of public repos instead of a static list (#9587)
-    const whitelistedPublicScopes = [
-      '@graphql-codegen',
-      '@storybook',
-      '@types',
-      '@typescript-eslint',
-    ];
    if (
-      !raw.authorization &&
+      is.nonEmptyString(cacheControl) &&
-      (whitelistedPublicScopes.includes(packageName.split('/')[0]) ||
+      regEx(/(^|,)\s*public\s*(,|$)/).test(cacheControl)
-        !packageName.startsWith('@'))
    ) {
+      dep.isPrivate = false;
      const cacheData = { softExpireAt, etag };
      await packageCache.set(
        cacheNamespace,
@@ -191,6 +184,8 @@ export async function getDependency(
        { ...dep, cacheData },
        etag ? cacheHardTtlMinutes : cacheMinutes
      );
+    } else {
+      dep.isPrivate = true;
    }
    return dep;
  } catch (err) {

--- a/lib/modules/datasource/npm/index.spec.ts
+++ b/lib/modules/datasource/npm/index.spec.ts
@@ -64,9 +64,10 @@ describe('modules/datasource/npm/index', () => {
    httpMock
      .scope('https://registry.npmjs.org')
      .get('/foobar')
-      .reply(200, npmResponse);
+      .reply(200, npmResponse, { 'Cache-control': 'public, expires=300' });
    const res = await getPkgReleases({ datasource, depName: 'foobar' });
    expect(res).toMatchSnapshot();
+    expect(res?.isPrivate).toBeFalse();
  });
  it('should parse repo url', async () => {
@@ -155,6 +156,7 @@ describe('modules/datasource/npm/index', () => {
      .reply(200, npmResponse);
    const res = await getPkgReleases({ datasource, depName: 'foobar' });
    expect(res).toMatchSnapshot();
+    expect(res?.isPrivate).toBeTrue();
  });
  it('should handle no time', async () => {
@@ -307,6 +309,7 @@ describe('modules/datasource/npm/index', () => {
    const npmrc = `registry=https://npm.mycustomregistry.com/`;
    const res = await getPkgReleases({ datasource, depName: 'foobar', npmrc });
    expect(res).toMatchSnapshot();
+    expect(res?.isPrivate).toBeTrue();
  });
  it('should replace any environment variable in npmrc', async () => {