Fix a bug with the metadata during the npm package upload

Exclude the `readme` and `readmeFilename` fields sent by `$ npm publish` Changelog: fixed

Fix a bug with the metadata during the npm package upload
Exclude the `readme` and `readmeFilename` fields sent by `$ npm publish` Changelog: fixed
ec6908c3 · David Fernandez · Thong Kuah · c5e45556 · ec6908c3 · ec6908c3
Commit ec6908c3 authored Nov 16, 2021 by David Fernandez Committed by Thong Kuah Nov 16, 2021
2 changed files
--- a/app/services/packages/npm/create_package_service.rb
+++ b/app/services/packages/npm/create_package_service.rb
@@ -4,6 +4,8 @@ module Packages
    class CreatePackageService < ::Packages::CreatePackageService
      include Gitlab::Utils::StrongMemoize

+      PACKAGE_JSON_NOT_ALLOWED_FIELDS = %w[readme readmeFilename].freeze
+
      def execute
        return error('Version is empty.', 400) if version.blank?
        return error('Package already exists.', 403) if current_package_exists?
@@ -22,7 +24,7 @@ module Packages
        ::Packages::Npm::CreateTagService.new(package, dist_tag).execute

        if Feature.enabled?(:packages_npm_abbreviated_metadata, project, default_enabled: :yaml)
-          package.create_npm_metadatum!(package_json: version_data)
+          package.create_npm_metadatum!(package_json: package_json)
        end

        package
@@ -50,6 +52,10 @@ module Packages
        params[:versions][version]
      end

+      def package_json
+        version_data.except(*PACKAGE_JSON_NOT_ALLOWED_FIELDS)
+      end
+
      def dist_tag
        params['dist-tags'].each_key.first
      end

--- a/spec/services/packages/npm/create_package_service_spec.rb
+++ b/spec/services/packages/npm/create_package_service_spec.rb
@@ -73,6 +73,23 @@ RSpec.describe Packages::Npm::CreatePackageService do
      end
    end

+    described_class::PACKAGE_JSON_NOT_ALLOWED_FIELDS.each do |field|
+      context "with not allowed #{field} field" do
+        before do
+          params[:versions][version][field] = 'test'
+        end
+
+        it 'is persisted without the field' do
+          expect { subject }
+            .to change { Packages::Package.count }.by(1)
+            .and change { Packages::Package.npm.count }.by(1)
+            .and change { Packages::Tag.count }.by(1)
+            .and change { Packages::Npm::Metadatum.count }.by(1)
+          expect(subject.npm_metadatum.package_json[field]).to be_blank
+        end
+      end
+    end
+
    context 'with packages_npm_abbreviated_metadata disabled' do
      before do
        stub_feature_flags(packages_npm_abbreviated_metadata: false)