How do I fix version lock in self-hosted CI when mirroring a subset of packages?

[Jacob25]

I’ve been trying to get my project’s continuous integration pipeline to run on a self-hosted runner, but the build keeps failing due to a missing dependency that’s only available in a specific version of a package from the main repository. Has anyone else run into this kind of version lock when trying to mirror a subset of packages for internal use?

[AaronZH]

Yep, we ran into this last quarter. We tried mirroring a subset of packages for a self hosted runner and hit a hard version lock where the dep only shows up in one upstream release. The CI would fail at the resolution step because our internal mirror didn't have that exact version. We ended up pinning a couple of transitive versions and monitoring the mirror for days until it became available, which felt like chasing a moving target.

[Eleanor_T]

I tried setting up Verdaccio as a local npm cache, then adding a few more upstream mirrors, but the pipeline still reached out to the main repo for metadata and the fail happened mid build.

[EleanorLT]

Is the real problem that the dependency is not the bottleneck, but the build script assuming a single registry and not tolerant of mirrors?

[Emma_M]

We did a quick hack by installing that one dep from the public registry while the rest came from the internal mirror, but it added latency and flaky timeouts.