Plugin middleware causes "stream is not readable" error when handling npm publish requests

[100001]

Hi team,

I'm developing a custom middleware plugin to validate package versions during npm publish (e.g., only allow standardised prerelease versions). However, when intercepting the PUT request for the publish endpoint (e.g., PUT /@scope%2fpackage), any attempt to read the request body (req.body) or listen to stream events (req.on('data') and req.on('end')) results in a "stream is not readable" error in Verdaccio's logs.

Steps to Reproduce

1. Create a middleware plugin that intercepts PUT requests and buffers the request stream to parse JSON metadata.
2. Install and enable the plugin in config.yaml under middlewares.
3. Run npm publish to a scoped package.

Error Logs

info <-- 127.0.0.1 requested 'PUT /@my%2ftest'
http <-- 200, user: null(127.0.0.1), req: 'PUT /@my%2ftest', bytes: 14603/0
http <-- 500, user: testuser(127.0.0.1), req: 'PUT /@my%2ftest', error: stream is not readable

Plugin Code Example

Here's a simplified version of the plugin code that triggers the error (even without version validation):

import { Application, Request, Response, NextFunction } from 'express';
import { IPluginMiddleware, IBasicAuth, IStorageManager, PluginOptions } from '@verdaccio/types';

export type Config = {};

export default class PublishValidatorPlugin implements IPluginMiddleware<Config> {
  constructor(config: Config, options: PluginOptions<Config>) {}

  register_middlewares(app: Application, auth: IBasicAuth<Config>, storage: IStorageManager<Config>): void {
    app.use((req: Request, res: Response, next: NextFunction) => {
      if (req.method !== 'PUT' || !/^\/(@[a-z0-9-~.%]+%2f)?[a-z0-9-~.%]+$/i.test(req.url)) {
        return next();
      }

      req.on('data', (chunk: Buffer) => {

      });

      req.on('end', () => {
        next();
      });
    });
  }
}

Environment

• Verdaccio version: 6.1.6
• Node.js version: 21.19.2
• OS: macOS Sequoia 15.6
• Configuration:

storage: ~/verdaccio/storage

plugins: ./plugins

web:
  title: Verdaccio

auth:
  htpasswd:
    file: ./htpasswd

uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@*/*':
    access: $all
    publish: $authenticated
    unpublish: $authenticated
    proxy: npmjs

  '**':
    access: $all
    publish: $authenticated
    unpublish: $authenticated
    proxy: npmjs

server:
  keepAliveTimeout: 60

listen:
  - 0.0.0.0:4873

middlewares:
  audit:
    enabled: true
  publish-validator:

log: { type: stdout, format: pretty, level: http }

The publish works fine without the plugin. This seems related to how Verdaccio manually handles streams in the publish endpoint.
Is there a recommended way to safely read the request body in a middleware plugin for publish requests without consuming the stream? Or is this a bug in how plugins interact with the publish endpoint?
Thanks for any help!

[mbtools]

I ran into the same problem. #5537 fixes it.