noproxy config is not respected when running ng update

[kawazoe]

🐞 Bug report

Command

• new
• build
• serve
• test
• e2e
• generate
• add
• update
• lint
• xi18n
• run
• config
• help
• version
• doc

Is this a regression?

Yes. This would not have been a problem prior to angular/devkit#692 assuming a private registry was accessible without proxy. It is also relevant to #13166 .

Description

NPM natively supports a noproxy setting in the .npmrc file that will prevent the proxy settings from being used for some specific URLs. This is incredibly useful when you have a private repository that is within your corporate network, but some packages, like node-sass will still need to reach to the internet to download binary files through the proxy.

Assuming that your private registry is at registry.company.com, you can add either the full sub-domain, or even just company.com to the noproxy setting and NPM will go to the registry directly, but all calls to other URLs done by NPM will still go through the proxy.

When using ng update, all calls using npm-registry-client will go through the proxy, even though they should be blacklisted by the noproxy list. This will cause calls to fail when using an enterprise proxy and a private registry that cannot be reached through the proxy.

🔬 Minimal Reproduction

• Setup a private npm repository that forwards calls to the official repository
• Setup a proxy so that it is required to go through the proxy to reach the broad internet, but that the private npm repository MUST be reached directly.
• Configure your .npmrc file like so:

proxy: myproxy.company.com
https-proxy: myproxy.company.com
noproxy: company.com

• Attempt to update an angular project from angular@^6 to angular@^7 using ng update.

🔥 Exception or Error

At this point, ng update will fail trying to parse the json file that is expected from the registry and print the html error page returned by the proxy instead. Something on the lines of:

Failed to parse JSON at column 1, unexpected token < in :
<doctype HTML........
  Cannot reach <insert package url here>. Timeout.
</html>

🌍 Your Environment

Angular CLI: 7.3.9
Node: 13.2.0
OS: win32 x64
Angular: 7.2.16
... animations, common, compiler, compiler-cli, core, forms
... http, language-service, platform-browser
... platform-browser-dynamic, router

Package                           Version
-----------------------------------------------------------
@angular-devkit/architect         0.8.5
@angular-devkit/build-angular     0.8.5
@angular-devkit/build-optimizer   0.8.5
@angular-devkit/build-webpack     0.8.5
@angular-devkit/core              0.8.5
@angular-devkit/schematics        7.3.9
@angular/cli                      7.3.9
@ngtools/webpack                  6.2.5
@schematics/angular               7.3.9
@schematics/update                0.13.9
rxjs                              6.5.4
typescript                        3.2.4
webpack                           4.21.0

Anything else relevant?
Requires a private repository and proxy that cannot reach the repository.

Workaround

Since ng-update will run NPM install scripts after doing the npm-registry-client calls, it is possible to remove the proxy setting before running ng update, and add it back as npm starts the install process using a second console. This will work as long as the first few packages getting installed does not do any network calls in their install script. It is also an incredibly risky workaround and I would recommend anyone attempting this to delete their node_modules folders after the update process, set their proxy settings correctly and re-run npm install before moving on.

[alan-agius4]

Hi, is this still an issue in Angular CLI 8?

[kawazoe]

I have not tested this with angular/cli 8 yet, but the most recent commit of the update code has no mention of the noproxy config so I would assume the issue is still present. I will try to test this soon and will update this thread once I have a definitive answer.

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}