This repository has been archived by the owner on Aug 11, 2021. It is now read-only.

Metadata requested over HTTPS tells me to get the tarball over HTTP #218

Open
peterlynch opened this issue Jan 6, 2015 · 4 comments

@peterlynch

Original bounced issues:
npm/npm-www#915
npm/newww#390

If I am a savvy user and am using https://registry.npmjs.org (over HTTPS), and issue a metadata request like this one:
https://registry.npmjs.org/commonjs

The returned metadata will tell me to get the tarball over HTTP. What is the point of HTTPS then?

As I checked, both HTTP and HTTPS URLs work for the tarball.

Another example:
https://registry.npmjs.org/htmlparser2

Expected: Metadata from a secure registry should not tell me to get any content from an insecure registry URL, especially if the registry is the same host.

@bcoe
Contributor

bcoe commented Mar 27, 2015

@peterlynch the npm client itself requests URLs in https form. Since both the http and the https scheme work, we've opted to store http in the meta-information.

@peterlynch
Author

@bcoe you stated:

> we've opted to store http in the meta-information

This appears inconsistent at the very least. Request this metadata:

http://registry.npmjs.org/requirejs

It contains tarball URLs pointing to https://registry.npmjs.org

@othiym23
Contributor

othiym23 commented Apr 5, 2016

@peterlynch This has changed recently for the primary npm registry: http://blog.npmjs.org/post/142077474335/npm-registry-is-now-fully-https

This is not a change happening within the npm-registry-couchapp codebase, though. It was done by running a follower to update all of the package documents served by the primary registry to update dist.tarball.

@othiym23
Contributor

othiym23 commented Apr 5, 2016

If you'd like to apply a similar process to your own registr{y,ies}, you can use normalize-registry-metadata to do so.
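
The check this thread is about, as an added example (not part of the original comments, and not code from npm or normalize-registry-metadata): it audits a package document's `dist.tarball` URLs for non-HTTPS entries and rewrites only the same-host `http://` ones. The package name, versions and `mirror.example` host are constructed sample data, and the function names are hypothetical.

```javascript
// Constructed sample package document; the name, versions and mirror host are made up.
const REGISTRY = 'https://registry.npmjs.org';
const SAMPLE = {
  name: 'example-pkg',
  versions: {
    '1.0.0': { dist: { tarball: 'http://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz' } },
    '1.0.1': { dist: { tarball: 'https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.1.tgz' } },
    '1.1.0': { dist: { tarball: 'http://mirror.example/example-pkg/-/example-pkg-1.1.0.tgz' } },
  },
};

// Parse a dist.tarball value; returns null when it is missing or not a URL.
function parseTarball(manifest) {
  try {
    return new URL(manifest.dist.tarball);
  } catch (err) {
    return null;
  }
}

// List every version whose tarball would not be fetched over HTTPS.
function auditTarballUrls(registryUrl, packument) {
  const registryHost = new URL(registryUrl).hostname;
  const findings = [];
  for (const [version, manifest] of Object.entries(packument.versions || {})) {
    const url = parseTarball(manifest);
    if (url && url.protocol === 'https:') continue;
    let issue = 'missing-or-invalid';
    if (url) issue = url.hostname === registryHost ? 'insecure-same-host' : 'insecure-other-host';
    findings.push({ version, issue });
  }
  return findings;
}

// Return a copy in which http:// tarballs on the registry's own host (default
// port only) are rewritten to https://. Other hosts are left for manual review.
function upgradeSameHostTarballs(registryUrl, packument) {
  const registryHost = new URL(registryUrl).hostname;
  const copy = JSON.parse(JSON.stringify(packument));
  for (const manifest of Object.values(copy.versions || {})) {
    const url = parseTarball(manifest);
    if (!url || url.protocol !== 'http:' || url.hostname !== registryHost || url.port) continue;
    url.protocol = 'https:';
    manifest.dist.tarball = url.href;
  }
  return copy;
}

console.log(auditTarballUrls(REGISTRY, SAMPLE));
```

Tarballs on a different host are reported but never rewritten, since that host may not serve HTTPS at all.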
