Npm i @salesforce-ux/design-system - Exception com.fasterxml.jackson.core.exc.StreamConstraintsException

Sonatype Nexus Repository
,
1

Hi,
when trying to do npm i @salesforce-ux/design-system we get the following logs at Nexus Repo (proxy to https://registry.npmjs.org) and it isn’t working:

*UNKNOWN com.sonatype.nexus.repository.npm.internal.orient.OrientNpmProxyFacet - Exception com.fasterxml.jackson.core.exc.StreamConstraintsException: String length (5046272) exceeds the maximum length (5000000) checking remote for update, proxy repo <proxy> failed to fetch @salesforce-ux%2fdesign-system, content not in cache.

*UNKNOWN com.sonatype.nexus.repository.npm.internal.orient.OrientNpmProxyFacet - Exception com.fasterxml.jackson.core.exc.StreamConstraintsException: String length (5046272) exceeds the maximum length (5000000) checking remote for update, proxy repo <proxy> failed to fetch @salesforce-ux%2fdesign-system, content not in cache.

We tried also with “cataloged only”, but no difference.

Is there a setting to extend the limits?

Is there a setting to restrict download into the proxy for only requested versions?

Probably it is a consequence of the invalid version 2.21.2 of the vendor, but nexus can’t stay broken because of that: Version 2.21.2 (spring-23) contains a blob as readme and breaks all builds · Issue #756 · salesforce-ux/design-system · GitHub

This is really breaking our builds. Please help.

1 Like
2

I’m not aware of one - the issue here is that the string is too long, if this were unbound then it could be used as a Denial of Service attack to run the systems out of memory.

4 
com.sonatype.nexus.repository.npm.internal.orient.OrientNpmGroupDataFacet - Unable to use Cooperation to merge @salesforce-ux/design-system for repository npm                       
com.fasterxml.jackson.core.exc.StreamConstraintsException: String length (5046272) exceeds the maximum length (5000000)

I’m also getting this error. I’m unable to execute my pipelines that uses this library.

5

Hello Jens,

I’m also getting the same error. What version of nexus are you using?

Thanks

6

Hi,
we are using almost latest (3.61.0-02).

As there is no fix, we did now a (ugly) workaround and hosting the required package in our private repo and so overrule the proxy.

7

They appear to have published a patch version under an alternative version - https://www.npmjs.com/package/@salesforce-ux/design-system/v/2.21.2-fix

8

This log on nexus still. no matter which version of @salesforce-ux/design-system I use

2023-11-15T12:11:05.02015874Z stdout F 2023-11-15 12:11:05,019+0000 WARN [qtp1816948741-1585] *UNKNOWN com.sonatype.nexus.repository.npm.internal.orient.OrientNpmProxyFacet - Exception com.fasterxml.jackson.core.exc.StreamConstraintsException: String length (5039106) exceeds the maximum length (5000000) checking remote for update, proxy repo npmjs failed to fetch @salesforce-ux%2fdesign-system, content not in cache.

9

I found a solution, maybe it isn’t the best, but is safer than workaround to go to an external registry and easier than using another private repo.

1. to follow the best practice and restrict the dependencies used we use the command ‘npm ci’. This will strictly use package-lock.json instructions.

2. Nexus seems to get an error when looking for @salesforcedx/design-system package because of this Version 2.21.2 (spring-23) contains a blob as readme and breaks all builds · Issue #756 · salesforce-ux/design-system · GitHub .

They might fix it in the next versions, that’s why we can used it when using npmjs registry, but as far as I could understand, I think when nexus is looking up for this package, it searchs for the version you want in to the general package url and not the specific version url.

making a test with curl test and as you can see below, the general url will have this broken readme (see on 2.1) and the specific curl (see on 2.2) doesn’t have this broken readme on the json file it gets.

2.1 curl https://registry.npmjs.org/@salesforce-ux/design-system/

output (partial):


(...)"readme":"\u001f�\b\u0000�W�d\u0000\u0003��r\u001bYz'8�)�)�K�`�\u0004��T�MQ�D�(�$Uս�\n �< �\u0005 љ\tR�ގ�3LLĬ������\u0013�#�w=��\u0004E�*�\u001b�\t��<��w���[M��Z;;ztp~�����|���ۃ�?�������������\u0015�wwv��\u001b���������N����v6w�;��h������ߢ�o5���7+������|��y1�\u001c\u0014\u001b\u000e�i�&�\u001e�����?�.��332Ii�I^�2Jf�u^d���j��f�ML�2����˵���L��u2�2��ju��ע8���3j���@3E�ܭ)L4-�MV��]\u0004U��ȤQ6��(��(�\u0007+\u0011�i�����(�z�tj&)\u0014���5\u0014��$�l�����$\u0015|\n���<\u001e}����rcugu��(��i\u0006�m�D\u001b락￧ro�/�|����/\u000f�\"-}�\u0013-a�������꺚�R��̮&�]Y�1M\u001ag\u0001c�T��\u0000�-Csq�i�Ґ�E��L\"X�ϰ\u0000Yu�Mh��\u0005η�^\\����v6w]�WPp֧��dd�a^\fL<��ƽ��=v=Ϊ5�����;\u001bM��A�M+\u0019\u0004�\u0007&\u0017M��\u001a��\n�����\u0016��G7&�ϲQ\u001a���\u000b؍�l

2.2 curl https://registry.npmjs.org/@salesforce-ux/design-system/2.22.2 

{"license":"BSD-3-Clause","config":{"slds":{"internal":false}},"private":false,"slds":{"name":"Winter ’24","id":"246","dependencies":{"@salesforce-ux/sds-styling-hooks":"1.1.0-alpha.2","@salesforce-ux/design-system-parser":"^1.1.1","@salesforce-ux/build-server-api":"2.1.7","@salesforce-ux/design-system-primitive-tokens":"0.3.6","@salesforce-ux/instant-vrt":"2.0.0","@salesforce-ux/postcss-annotations-parser":"0.1.1","@salesforce-ux/scss-parser-aura":"^3.1.1","@salesforce-ux/postcss-css-variable-value":"0.2.0","@salesforce-ux/design-system-markup":"^2.0.4","@salesforce-ux/sds-styling-aliases":"0.2.4","@salesforce-ux/icons":"10.7.0","@salesforce-ux/create-snap":"0.0.7"}},"repository":{"type":"git","url":"git+ssh://git@github.com/salesforce-ux/design-system.git"},"keywords":["Salesforce","Lightning Design System","Design System","CSS"],"author":{"name":"Salesforce"},"name":"@salesforce-ux/design-system","peerDependencies":{"postcss":"^8.3.5"},"snyk":true,"homepage":"https://lightningdesignsystem.com","lint-staged":{"!(*.local).{js,jsx,json}":["prettier --single-quote --write"],"!(*.local).js":"eslint --cache --fix","*.css":"stylelint --fix"},"lwc":{"modules":[{"name":"@salesforce/slds/legacy","path":"assets/styles/salesforce-lightning-design-system-imports.sanitized.css"}],"expose":["@salesforce/slds/legacy"]},"version":"2.22.2","jest":{"testURL":"http://localhost/","testRegex":"(/__tests__/.*(test|spec))\\.jsx?$","globalSetup":"<rootDir>/jest.setup.global.js","globalTeardown":"<rootDir>/jest.teardown.global.js","setupFilesAfterEnv":["<rootDir>/jest.setup.js"],"moduleNameMapper":{"\\.(scss)$":"<rootDir>/shared/vendor/prism/"},"testPathIgnorePatterns":["<rootDir>/node_modules/","<rootDir>/shared/vendor/prism/","<rootDir>/__crypt/","<rootDir>/.dist/","<rootDir>/.generated/"]},"description":"Salesforce Lightning Design System","bugs":{"url":"https://github.com/salesforce-ux/design-system/issues"},"gitHead":"b7514041ad9878da50287e6f38e3b9adcd654655","_id":"@salesforce-ux/design-system@2.22.2","_nodeVersion":"16.15.0","_npmVersion":"8.13.1","dist":{"integrity":"sha512-Q9JjQcpf/KerzylgSNuXpB7ugz7PXPkcR3HJNjqiISuWTXT562/frLnoUaa2VVMgK/8kuRQw288ACLWVCLIFHA==","shasum":"5f88f45939ab17b7b1272f5414bbfa6133112c9d","tarball":"https://registry.npmjs.org/@salesforce-ux/design-system/-/design-system-2.22.2.tgz","fileCount":6010,"unpackedSize":38884849,"signatures":[{"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","sig":"MEUCIQCKPPAgmHbbWZzC7uf4nr64DZ+liXRzFGOzADf9SxVLQAIgZ3lVwjsxv4u15swqu1bPondfF148cI/F+j1oT50Vzb4="}]},"_npmUser":{"name":"salesforce-ux","email":"dse-infra@salesforce.com"},"directories":{},"maintainers":[{"name":"salesforce-ux","email":"dse-infra@salesforce.com"}],"_npmOperationalInternal":{"host":"s3://npm-registry-packages","tmp":"tmp/design-system_2.22.2_1699566882830_0.6856012393992235"},"_hasShrinkwrap":false}%

My solution

  1. Download the package tar ball myself and upload it to nexus.
    To get the url to download I did:
    In my case i wanted this version 2.20.1
    so I used:
curl https://registry.npmjs.org/@salesforce-ux/design-system/ \
     | jq '.versions[."dist-tags"."spring-23"].dist.tarball'

if you want the lastest you can use:

curl https://registry.npmjs.org/@salesforce-ux/design-system/ \
     | jq '.versions[."dist-tags".latest].dist.tarball'

So I used browser or curl to get https://registry.npmjs.org/@salesforce-ux/design-system/-/design-system-2.20.1.tgz (you can change the version on this url, it works too.

  1. Get the path url from nexus, for example: “nexus-url.example.com/repository/npm/%40salesforce-ux/design-system/-/design-system-2.20.1.tgz
  2. Replace @salesforcedx/design-system url in package-lock.json on your project to this new url Example:
"node_modules/@salesforce-ux/design-system": {
      "version": "2.20.1",
      "resolved": "nexus-url.example.com/repository/npm/%40salesforce-ux/design-system/-/design-system-2.20.1.tgz",
      "integrity": "sha512-MZbOfmTOPZD6JOARmW+Co83Ypge5zNAXiu/C2RuVVSa14xS/kqcYuuyPgGPITu7TNMdQ706oQFJRqSj1HH6uZA==",
      "peerDependencies": {
        "postcss": "^8.3.5"
      }
}

IF YOU DON’T have package-lock.json or it isn’t working or need to update it:

  1. Delete package-lock.json from project
  2. Remove the dependency @salesforce-ux/design-system from the project package.json file
  3. Run “npm i --package-lock-only” to create a new clean package-lock.json
  4. In another folder create this package.json
{
  "name": "sample",
  "main": "src/index.js",
  "dependencies": {
    "@salesforce-ux/design-system": "2.20.1"
  }
}
  1. run ‘npm i --registry=http://registry.npmjs.org --package-lock-only’ to generate a package-lock.json with @salesforcedx/design-system info, integrity and dependencies etc.
  2. rename this package-lock.json to package-lock-2.json
  3. copy this package-lock-2.json to the project folder
  4. install ‘npm install -g package-json-merge’ in order to safely merge both package-lock.json
  5. merge both package-lock with command: ‘package-json-merge package-lock.json package-lock-2.json > package-lock-merged.json’
  6. delete both package-lock.json and package-lock-2.json
  7. rename package-lock-merged.json to package-lock.json

FINAL test:
16. test it running ‘npm ci --verbose’

Conclusion:
I opened an issue in @salesforcedx/design-system github project to see if they can fix it:

Maybe I made a wrong interpretation of nexus way of work or maybe there was a easier way to do this, but this was my solution. The thing is, if nexus really uses the general url to get all version, it should maybe change the way it reads this json file? what are your thoughts? At least salesforce could fix the readme’s on this url since it is their side that has the bug still.

10

Ah checking the size of the project’s npm metadata currently Salesforce is 23-megabytes whereas for reference the jquery metadata is 150kb

Its definitely the case that SF is doing something wrong here.