-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] NPM v7 private registry authentication 401 (v6 works) #2508
Comments
I have the same issue on windows 10 trying to access azure feeds. I currently have: I also tried some older 7.x.x versions, but none of them worked for me. Only if I downgrade to v6 it starts working again. I keep getting
|
I was not able to duplicate this with My config is as follows: $ npm config list
@npm:registry = "https://npm.pkg.github.com"
//npm.pkg.github.com/:_authToken = (protected)
//registry.npmjs.org/:_authToken = (protected) The command I ran was Is it possible that your package-lock has erroneous |
I tried again, removed |
presence of |
hrm interesting. if I do |
Are there any news on this? |
I was having a similar problem as @Stvad. The first |
We would need more info to debug this, such as the output of the failing install with |
npm install:
and my
If I switch back to any npm v6 version the exact same |
@wraithgar I was getting the information for you, but then I had to install npm 7 again, since I had downgraded. |
@ianldgs Glad to hear it. I will try to replicate further with the new log/rc info given by @mrucelum |
@mrucelum is that the actual output of |
Also, is your token newer than 90 days? Azure tokens only live for 90 days by default. |
Similar issues as logged here: #2619 Our CI pipelines are 401'ing - tokens are provided internally for the CI agents. |
Thank you @leepowelldev, we can move the azure-specific conversation there, as this issue was for github packages. |
Sure - although the two issues may share similarities in how v7 is following redirects with auth? |
I don't believe npm packages does redirects the same way azure does. I get a bare When I fetch the tarball urls from the github registry, they do redirect, but the new auth is baked into the query parameters as a signed aws request so it no longer is using my auth token after the redirect. |
Yeah, redirects are a guess on my part (I've not had time to investigate), however I don't think this is an issue with Azure as v6 works as expected. |
Having the same problem with the E401 immediately after upgrading to 7.5.2. I have a GitHub private store defined in
registry=https://npm.pkg.github.com/myprivaterepo |
I do not have other
Regarding the token: I am not sure when I created this token exactly, but I usually create tokens that last as long as possible. In case of azure this means 1 year. That doesn't prevent some of them stop working way before that for some reason 🤷♀️ - but I guess that's not the case here as the token works fine when using v6. |
Still occurring on |
Still occurring on |
What about v7.5.4? |
Any update here? It's unbelievable how long this issue is unhandled. It's blocking our node & npm update for dev machines as well as our CI/CD docker images |
I think that there are actually several issues in this ticket which is probably making it slightly more challenging to debug. The issue we were seeing (which had the same symptoms as above) was that the syntax for declaring authTokens for repos had changed subtly such that you needed to namespace the tokens by repo using the I recommend sticking some debugs into your npm config and npm install/publish js files and seeing if you can get more information out for your specific use case. For me both publish and install from private repos works perfectly well with the change in syntax now for both NPM 7 and NPM 8 using an artifactory repo |
A failing replicatable example would also be helpful. Lots of the above use private repos that obvs can't be used for debuging, so it would be helpful if someone could provide a replicatable example. If so I am happy to try and figure things out if needed. |
To chime in on this, with yet another solution that seems to fix it for me (against a private Artifactory instance) - I had to duplicate each auth entry with and without the port numbers in. This could be related to the Artifactory documentation, which if you follow the section on using Basic authentication, the response you get when calling the /auth/@scope endpoint seems to give you back the configuration with port numbers included (even if you don't make the curl call to a url with port numbers). So in my case, my scoped entries included port numbers, which were being ignored by npm. If I duplicated the entries (without the specific port :443 in the url), or just stripped the :443 port number from the urls, it seemed to work.
So a suggested way to mitigate against this inside npm would be handle default port mappings, so even if the user config entries include say :443 in the URLs, they are still loaded by npm if the url scheme it is trying to auth against uses this port by default. |
Confirming this is still broken for |
@JuanDavidLopez95 v8.5.0? |
I can confirm that it works with the following configuration when using NPM 8.1.2 and azure feed as repository:
Both on dev machines (mac, windows) as well as in azure pipelines (ubuntu latest images). One of our mac users had to also add
Maybe that helps someone. |
Thank you @ljharb ! Had tried upgrading to v Thank you @MadeleineCode! The above pattern inside the npm config file worked for me to avoid the npm error! So it seems as if the pattern to get configs working with npm versions > 6, we have to specify the Thank you all so much again. |
I using:
I using a Sonatype Nexus Repository with
I resolved E401 with this configuration on .npmrc:
This Maybe that helps someone. |
npm < 7 had a long-standing issue with hoisting dependencies, and the recommended fix for that issue (afaict) is to upgrade to npm >= 7. but this issue prevents that. i'd like to ask that this issue be bumped in priority because there is no good workaround between those two bugs. i had to resort to manually patching package-lock.json and stick with npm6 to get things to install. and FWIW -- #2918 provided a some other likely dupe issues: #2884, #3004 |
Hi, I also got confused by this behaviour, as we tried to update from node 14.19.0 (npm 6.14.16) to 16.14.0 (npm 8.3.1). So our setup is as follows: We have 3 packages from private GitHub repositories and have 2 tokens (2 packages can be retrieved with the same token, but are in different scopes) My local
In the project we have this
Note that we add the tokens inside the pipeline via:
Now after switching to node 16.14.0 our pipeline suddenly failed:
But locally it worked in the beginning, somewhere above it was mentioned that this could be due to caching (#2918). So after clearing my local cache, I was able to reproduce it as well. So the solution that works for us is: Updating the
Updating the project
Updating the pipeline:
I don't know why the old way worked with npm v6, but I'm also happy that I found a solution for our use case and wanted to share it with you. |
I have seemingly the same issue. Although my setup is identical to a colleague, his setup works fine. CI pipeline works as well. Reverting back to npm 6 works again. |
@LarsCelie, during my research I came across this article https://rapaccinim.medium.com/surviving-the-npm-err-404-with-private-packages-b413d80fb860 - maybe this helps in your case? |
@leschdom Thanks, but unfortunately, no. |
Apparently vsts-npm-auth was configured to use a different path (Manual override to %USERPROFILE%) than npm was looking for (HOME env). Making sure these were the same was the fix for me. Still interesting that it worked for npm 6. Maybe as a fallback? |
Hello, Has the same E401 issue with npm 7+ (was working correctly with npm 6) The reason is that despite overriding registry in npm config, it was still using the "resolved" field from package-lock.json. For some reason, it was only affecting "@fortawesome/..." Deleting package-lock.json was not an option for me. |
I've been having a similar issue using a self-hosted gitlab instance - upgrading from npm 6.14.8 to 8.1 (also tried 8.6). Apologies as this is somewhat gitlab specific so maybe off-topic: In CI, an npmrc file gets built (based on a gitlab supplied template), including a port number in the URL. This was working fine for npm 6.x but, not 8.x. The change that fixed it for me was: Before:
After:
I'm guessing that npm 8.x is normalizing my original https://my-server:443/bla/bla to https://my-server/bla/bla and then auth lookup fails? |
I can still confirm the same issue here: 401 Unauthorized error when updating to Node16+ and Npm8+ AND using a custom package feed*. Works completely fine using Node12 and Npm6. Just in case it makes a difference, myy setup includes: Azure CI/CD Pipeline with Docker-linux, Angular 13 and .NET 6 |
I cannot stop commenting on this since it took 8x3 = 24 hours so far. |
We use a custom registry and my team leader faced this issue on |
Spent a lot of time and nerve to understand what is up with it.
which works perfectly with While in v7 it results to this
which breaks things. So my solution is:
|
We had a similar issue that after upgrading npm 6 to npm 8 we got authentication 401 errors on our private registry. In our situation we had .npmrc file with an authToken in the root of the project (placed there during build time by our ci server). What happen is the following nmp was able to clone the git repository in a temporary location. Than there is a check if the package.json in the dependency has workspaces or one of the following scripts postinstall, build, preinstall, install, prepack or prepare. If that is the case it will do a npm install on the temporary location where the project was cloned. At that moment the private repository was used to fetch the dependencies but without using the authentication token. In our case we could solve the issue by moving the .npmrc file to the home directory of the user running the command. |
This issue appears to be related to scoped/"nerf darted" auth config. npm 9 has tooling to help folks migrate off of these old configs and there are docs explaining it. If folks are still having auth problems in npm 9 feel free to open new issues with steps to reproduce |
@wraithgar can you link to the relevant documentation/info about the tooling? searching on Google how to migrate off the "old" config leads to... this issue. |
Current Behavior:
While trying to install packages from GitHub package repository, I get 401 error when using npm v7 (tried with 7.3 and 7.4.2) while it's working with v6 (6.14.11)
Full error:
My
.npmrc
is as follows:Seems very similar to #2183
Expected Behavior:
Packages are successfully installed
Steps To Reproduce:
Do
npm install
with npm v7, packages hosted in GitHub packages registry and.npmrc
as mentioned aboveEnvironment:
Happens to me both on macOS and in several Linux versions inside
The text was updated successfully, but these errors were encountered: