Debugging HTTP traffic originating from npm install using Fiddler

First, allow me to show that npm install works fine without Fiddler:

C:\Temp\1> npm config list; "user" config from C:\Users\p11f70f\.npmrc//pkgs.dev.azure.com/xyz/_packaging/platform_catalog/npm/:_password = (protected)//pkgs.dev.azure.com/xyz/_packaging/platform_catalog/npm/:email = "npm requires email to be set but doesn't use the value"//pkgs.dev.azure.com/xyz/_packaging/platform_catalog/npm/:username = "whatever"//pkgs.dev.azure.com/xyz/_packaging/platform_catalog/npm/registry/:_password = (protected)//pkgs.dev.azure.com/xyz/_packaging/platform_catalog/npm/registry/:email = "npm requires email to be set but doesn't use the value"//pkgs.dev.azure.com/xyz/_packaging/platform_catalog/npm/registry/:username = "whatever"registry = "https://registry.npmjs.org/"; node bin location = C:\Program Files\nodejs\node.exe; node version = v20.11.1; npm local prefix = C:\Temp\1; npm version = 10.2.4; cwd = C:\Temp\1; HOME = C:\Users\p11f70f; Run `npm config ls -l` to show all defaults.C:\Temp\1> npm cache clean --forcenpm WARN using --force Recommended protections disabled.C:\Temp\1> dirC:\Temp\1> npm i --no-package-lock --no-save simple-test-package@0.2.2 && diradded 1 package in 3s    Directory: C:\Temp\1Mode                 LastWriteTime         Length Name----                 -------------         ------ ----d----          12/11/2024  2:41 PM                node_modulesC:\Temp\1>

So it works without any proxy.Now I am going to start Fiddler, configure HTTPS decryption and retry:

C:\Temp\1> npm config set proxy http://127.0.0.1:8888/C:\Temp\1> npm config set https-proxy http://127.0.0.1:8888/C:\Temp\1> npm config set strict-ssl falseC:\Temp\1> npm config list; "user" config from C:\Users\p11f70f\.npmrc//pkgs.dev.azure.com/xyz/_packaging/platform_catalog/npm/:_password = (protected)//pkgs.dev.azure.com/xyz/_packaging/platform_catalog/npm/:email = "npm requires email to be set but doesn't use the value"//pkgs.dev.azure.com/xyz/_packaging/platform_catalog/npm/:username = "whatever"//pkgs.dev.azure.com/xyz/_packaging/platform_catalog/npm/registry/:_password = (protected)//pkgs.dev.azure.com/xyz/_packaging/platform_catalog/npm/registry/:email = "npm requires email to be set but doesn't use the value"//pkgs.dev.azure.com/xyz/_packaging/platform_catalog/npm/registry/:username = "whatever"https-proxy = "http://127.0.0.1:8888/"proxy = "http://127.0.0.1:8888/"registry = "https://registry.npmjs.org/"strict-ssl = false; node bin location = C:\Program Files\nodejs\node.exe; node version = v20.11.1; npm local prefix = C:\Temp\1; npm version = 10.2.4; cwd = C:\Temp\1; HOME = C:\Users\p11f70f; Run `npm config ls -l` to show all defaults.C:\Temp\1> npm cache clean --forcenpm WARN using --force Recommended protections disabled.C:\Temp\1> del -r -Force *C:\Temp\1> npm i --no-package-lock --no-save simple-test-package@0.2.2 && dirnpm ERR! code E400npm ERR! 400 Bad Request - GET https://registry.npmjs.org/simple-test-packagenpm ERR! A complete log of this run can be found in: C:\Users\p11f70f\AppData\Local\npm-cache\_logs\2024-12-11T19_43_58_782Z-debug-0.logC:\Temp\1>

Here is what Fiddler captured:

Request

GET http://registry.npmjs.org:443/simple-test-package HTTP/1.1user-agent: npm/10.2.4 node/v20.11.1 win32 x64 workspaces/falsepacote-version: 17.0.4pacote-req-type: packumentpacote-pkg-id: registry:simple-test-packageaccept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*npm-auth-type: webnpm-command: installAccept-Encoding: gzip,deflateHost: registry.npmjs.org:443Connection: Keep-Aliveconnection: keep-alive

Response

HTTP/1.1 400 Bad RequestServer: cloudflareDate: Wed, 11 Dec 2024 19:44:01 GMTContent-Type: text/htmlContent-Length: 253Connection: closeCF-RAY: -<html><head><title>400 The plain HTTP request was sent to HTTPS port</title></head><body><center><h1>400 Bad Request</h1></center><center>The plain HTTP request was sent to HTTPS port</center><hr><center>cloudflare</center></body></html>

Notice the url is BS - http://registry.npmjs.org:443/simple-test-package. This is contrary to what npm claims in the error message - https://registry.npmjs.org/simple-test-package.

Now this difference in URL is all that matters:

C:\Temp\1> curl.exe -LsSfO https://registry.npmjs.org/simple-test-packageC:\Temp\1> dir .\simple-test-package    Directory: C:\Temp\1Mode                 LastWriteTime         Length Name----                 -------------         ------ -----a---          12/11/2024  2:51 PM           7374 simple-test-packageC:\Temp\1> del -r -Force .\simple-test-packageC:\Temp\1> curl.exe -LsSfO http://registry.npmjs.org:443/simple-test-packagecurl: (22) The requested URL returned error: 400C:\Temp\1>

So my question is - what is going on? Why am I unable to intercept HTTPS traffic generated by npm install with Fiddler? I suspect the problem is that npm install botches the URL, but why? How do I fix it?