From 6b44fb17d09f14e37ca6053db79639879c205e51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Nison?=
Date: Fri, 21 Jun 2019 11:24:49 +0200
Subject: [PATCH 1/5] v1.17.1
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index c88e3f7102..4d1f4689e4 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "yarn",
 "installationMethod": "unknown",
- "version": "1.18.0-0",
+ "version": "1.17.1",
 "license": "BSD-2-Clause",
 "preferGlobal": true,
 "description": "📦🐈 Fast, reliable, and secure dependency management.",
From 77c2630a60ddca1ff4df559585697b301b283aa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Nison?=
Date: Fri, 21 Jun 2019 13:03:41 +0200
Subject: [PATCH 2/5] v1.17.2
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 4d1f4689e4..8eacdb19b0 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "yarn",
 "installationMethod": "unknown",
- "version": "1.17.1",
+ "version": "1.17.2",
 "license": "BSD-2-Clause",
 "preferGlobal": true,
 "description": "📦🐈 Fast, reliable, and secure dependency management.",
From c10ef6ab60f0bc80f65838d675325f6c17f04f24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Nison?=
Date: Fri, 12 Jul 2019 16:19:53 +0200
Subject: [PATCH 3/5] Forces using https for the regular registries (#7393)
* Forces using https for the regular registries
* Fixes linting
* Updates the changelog
* Adds npmjs.com to the list
---
 CHANGELOG.md | 4 ++++
 __tests__/registries/npm-registry.js | 24 ++++++++++++++++++++++++
 src/registries/npm-registry.js | 15 ++++++++++-----
 3 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c45b7398fa..32f46dfc15 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ Please add one entry in this file for each change in Yarn's behavior. Use the sa
 ## Master
+- Enforces https for the Yarn and npm registries.
+
+ [#7393](https://github.com/yarnpkg/yarn/pull/7393) - [**Maël Nison**](https://twitter.com/arcanis)
+
 - Adds support for reading `yarnPath` from v2-produced `.yarnrc.yml` files.
 [#7350](https://github.com/yarnpkg/yarn/pull/7350) - [**Maël Nison**](https://twitter.com/arcanis)
diff --git a/__tests__/registries/npm-registry.js b/__tests__/registries/npm-registry.js
index b5177b7719..54ade142a0 100644
--- a/__tests__/registries/npm-registry.js
+++ b/__tests__/registries/npm-registry.js
@@ -781,6 +781,30 @@ describe('getRequestUrl functional test', () => {
 expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual('https://my.registry.co/registry/foo/bar/baz');
 });
+
+ for (const host of [`registry.yarnpkg.com`, `registry.npmjs.org`, `registry.npmjs.com`]) {
+ test(`enforces loading packages through https when they come from ${host}`, () => {
+ const testCwd = '.';
+ const {mockRequestManager, mockRegistries, mockReporter} = createMocks();
+ const npmRegistry = new NpmRegistry(testCwd, mockRegistries, mockRequestManager, mockReporter, true, []);
+ const registry = `http://${host}/registry`;
+ const pathname = 'foo/bar/baz';
+
+ expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual(`https://${host}/registry/foo/bar/baz`);
+ });
+ }
+
+ test("doesn't change the protocol for packages from other registries", () => {
+ const testCwd = '.';
+ const {mockRequestManager, mockRegistries, mockReporter} = createMocks();
+ const npmRegistry = new NpmRegistry(testCwd, mockRegistries, mockRequestManager, mockReporter, true, []);
+ const registry = 'http://registry.mylittlepony.org/registry';
+ const pathname = 'foo/bar/baz';
+
+ expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual(
+ 'http://registry.mylittlepony.org/registry/foo/bar/baz',
+ );
+ });
 });
 describe('getScope functional test', () => {
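Review bot: The new tests in the getRequestUrl describe block (which starts before this hunk) only exercise the branch where `pathname` is relative and is resolved against `registry`; the other branch of the patched getRequestUrl, where `pathname` is already an absolute URL such as a tarball location, is not covered even though the https upgrade is applied to both. One constructed case for the absolute branch would pin it: `expect(npmRegistry.getRequestUrl('http://registry.npmjs.org/', 'http://registry.npmjs.org/foo/-/foo-1.0.0.tgz')).toEqual('https://registry.npmjs.org/foo/-/foo-1.0.0.tgz');`. A companion case using `'HTTP://registry.npmjs.org/registry'` as the registry would also make visible that an upper-case scheme is currently not upgraded, since the new regex and the replace pattern in src/registries/npm-registry.js carry no `i` flag.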
diff --git a/src/registries/npm-registry.js b/src/registries/npm-registry.js
index f1fb3786b7..083b8c1bab 100644
--- a/src/registries/npm-registry.js
+++ b/src/registries/npm-registry.js
@@ -22,6 +22,7 @@ import url from 'url';
 import ini from 'ini';
 const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';
+const REGEX_REGISTRY_ENFORCED_HTTPS = /^https?:\/\/([^\/]+\.)?(yarnpkg\.com|npmjs\.(org|com))(\/|$)/;
 const REGEX_REGISTRY_HTTP_PROTOCOL = /^https?:/i;
 const REGEX_REGISTRY_PREFIX = /^(https?:)?\/\//i;
 const REGEX_REGISTRY_SUFFIX = /registry\/?$/;
@@ -112,13 +113,17 @@ export default class NpmRegistry extends Registry {
 }
 getRequestUrl(registry: string, pathname: string): string {
- const isUrl = REGEX_REGISTRY_PREFIX.test(pathname);
+ let resolved = pathname;
- if (isUrl) {
- return pathname;
- } else {
- return url.resolve(addSuffix(registry, '/'), pathname);
+ if (!REGEX_REGISTRY_PREFIX.test(pathname)) {
+ resolved = url.resolve(addSuffix(registry, '/'), pathname);
 }
+
+ if (REGEX_REGISTRY_ENFORCED_HTTPS.test(resolved)) {
+ resolved = resolved.replace(/^http:\/\//, 'https://');
+ }
+
+ return resolved;
 }
 isRequestToRegistry(requestUrl: string, registryUrl: string): boolean {
From f817dc99450ace80532bafa1da9763bb69088037 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Nison?=
Date: Fri, 12 Jul 2019 16:21:29 +0200
Subject: [PATCH 4/5] Updates the changelog
---
 CHANGELOG.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 32f46dfc15..bc086304ca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
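Review bot: REGEX_REGISTRY_ENFORCED_HTTPS is compiled without the `i` flag, while the neighbouring REGEX_REGISTRY_HTTP_PROTOCOL and REGEX_REGISTRY_PREFIX both carry it, and the replace in the getRequestUrl hunk of this same file uses `/^http:\/\//` without it too, so a registry written as `HTTP://registry.npmjs.org/` passes the prefix test but is never upgraded and the request still goes out in cleartext. URL schemes are case-insensitive, so the enforcement should follow the file's own convention: `const REGEX_REGISTRY_ENFORCED_HTTPS = /^https?:\/\/([^\/]+\.)?(yarnpkg\.com|npmjs\.(org|com))(\/|$)/i;` together with `resolved = resolved.replace(/^http:\/\//i, 'https://');` in the second hunk. A comment above the constant such as `// Only decides whether the scheme is upgraded to https; the optional host prefix accepts any '/'-free text, so this is not a trust or authentication check` would also keep the pattern from being reused later for a decision it was not written for.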
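Review bot: getRequestUrl now returns an https URL even when the configured registry stays `http://`, and isRequestToRegistry(requestUrl, registryUrl), whose signature is the last context line of this hunk and whose body lies outside it, is presumably what later decides whether a request targets the configured registry; if that comparison is scheme-sensitive, an http-configured npm or Yarn registry would no longer match its own upgraded requests and any registry-scoped credentials or headers could silently stop being attached. This is worth confirming against that body and, if it applies, normalising registryUrl through the same upgrade before comparing. A one-line note on the method, `// The resolved URL is forced to https for the Yarn/npm registries even when the configured registry uses http`, would document the new contract for callers.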
@@ -2,12 +2,14 @@
 Please add one entry in this file for each change in Yarn's behavior. Use the same format for all entries, including the third-person verb. Make sure you don't add more than one line of text to keep it clean. Thanks!
-## Master
+## 1.17.3
 - Enforces https for the Yarn and npm registries.
 [#7393](https://github.com/yarnpkg/yarn/pull/7393) - [**Maël Nison**](https://twitter.com/arcanis)
+## 1.17.2
+
 - Adds support for reading `yarnPath` from v2-produced `.yarnrc.yml` files.
 [#7350](https://github.com/yarnpkg/yarn/pull/7350) - [**Maël Nison**](https://twitter.com/arcanis)
From 2c915bda5f35bb805820c159257d96df23e3e9d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Nison?=
Date: Fri, 12 Jul 2019 16:21:49 +0200
Subject: [PATCH 5/5] v1.17.3
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 8eacdb19b0..c8aa819b54 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "yarn",
 "installationMethod": "unknown",
- "version": "1.17.2",
+ "version": "1.17.3",
 "license": "BSD-2-Clause",
 "preferGlobal": true,
 "description": "📦🐈 Fast, reliable, and secure dependency management.",