Skip to content

yarn install not using auth token specified in .npmrc for a different url pointing to the same registry #5010

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
MilosRasic opened this issue Nov 28, 2017 · 7 comments
Open

yarn install not using auth token specified in .npmrc for a different url pointing to the same registry #5010

MilosRasic opened this issue Nov 28, 2017 · 7 comments
Assignees
@bestander
Labels
triaged

Comments

@MilosRasic
Copy link

Do you want to request a feature or report a bug?
Reporting a bug

What is the current behavior?
We would like to have a private npm registry accessible on two different urls, one internal, not visible on the Internet, used in CI, and another one public, used by developers.

The CI instance user directory .npmrc looks something like:

registry=https://registry-private.build.myorgdomain.com/npm-virtual/
_auth = sometoken
always-auth = true

Developers can use a .npmrc anywhere they want, usually in project directory, and it looks the same, using the same token, but has
registry=https://registry.build.myorgdomain.com/npm-virtual/

This works fine with npm 5, but when yarn install is ran, we get the following issue...

[1/4] Resolving packages...
verbose 0.614 Performing "GET" request to "https://registry-private.build.myorgdomain.com/npm-virtual/case-sensitive-paths-webpack-plugin".
verbose 0.791 Request "https://registry-private.build.myorgdomain.com/npm-virtual/case-sensitive-paths-webpack-plugin" finished with status code 200.

etc for all packages in package.json

[2/4] Fetching packages...
verbose 19.034 Performing "GET" request to "https://registry.build.myorgdomain.com/npm-virtual/case-sensitive-paths-webpack-plugin/-/case-sensitive-paths-webpack-plugin-2.1.1.tgz".
verbose 19.123 Error: https://registry.build.myorgdomain.com/npm-virtual/case-sensitive-paths-webpack-plugin/-/case-sensitive-paths-webpack-plugin-2.1.1.tgz: Request failed "401 Unauthorized"
    at ResponseError (/usr/share/yarn/lib/cli.js:163:5)
    at Request.<anonymous> (/usr/share/yarn/lib/cli.js:59356:26)
    at emitOne (events.js:96:13)
    at Request.emit (events.js:188:7)
    at Request.module.exports.Request.onRequestResponse (/usr/share/yarn/lib/cli.js:123971:10)
    at emitOne (events.js:96:13)
    at ClientRequest.emit (events.js:188:7)
    at HTTPParser.parserOnIncomingClient (_http_client.js:474:21)
    at HTTPParser.parserOnHeadersComplete (_http_common.js:99:23)
    at TLSSocket.socketOnData (_http_client.js:363:20)
error An unexpected error occurred: "https://registry.build.myorgdomain.com/npm-virtual/case-sensitive-paths-webpack-plugin/-/case-sensitive-paths-webpack-plugin-2.1.1.tgz: Request failed \"401 Unauthorized\"".

The registry-private url has been added at a later date. Previously both CI and developers worked with the same url.

If the current behavior is a bug, please provide the steps to reproduce.
Not easy to reproduce. The required steps would be:

  • Set up a private registry requiring authentication
  • Use it for a while to fill the public packages cache just in case this is needed
  • Expose the registry on another url
  • Try switching your .npmrc to the new url and doing yarn install

What is the expected behavior?
I would expect yarn to figure out both urls point to the same registry and use the same auth token.

Please mention your node.js, yarn and operating system version.
Tested with node 6.9.1 locally and 6.12.0 in CI.

yarn 1.3.2 both

linux both
@ghost ghost assigned bestander Nov 28, 2017
@ghost ghost added the triaged label Nov 28, 2017
@aikar
Copy link

aikar commented Nov 30, 2017

You need to set the developers server in .npmrc instead of the project directory.

project directory has higher priority than the ~/.npmrc one.

You're also going to run into the issue with #2566

@MilosRasic
Copy link
Author

@aikar
Developers use a project-level .npmrc because they usually don't want to go through the private registry for all the projects they are working on. This is not tracked by the repos so that it doesn't override the CI .npmrc

Still, this is a good hint. I'll test again and check if the lockfile is what's causing the issue. Either way consider this a +1 for not locking the package url :)

@aikar
Copy link

aikar commented Nov 30, 2017

@MilosRasic oh I thought you meant the .npmrc was committed. If not then thats fine.

But when developers add packages, its going to write the registry they used.

Alternatively, you could update your CI Server to do a sed on the yarn.lock before running yarn install

@vytautas-pranskunas-
Copy link

vytautas-pranskunas- commented Jan 30, 2018
edited
Loading

Hi, any progress on this?

@fera2k
Copy link

fera2k commented Apr 11, 2018

Same problem here!

@drummy2
Copy link

drummy2 commented Jan 22, 2019

I might have had this problem where I got a 401 from the server even though my auth token was included in my .npmrc

I added always auth true to it by running this command

npm config set always-auth true

It now works and fetches packages.

@vileen
Copy link

vileen commented Jun 7, 2023

I might have had this problem where I got a 401 from the server even though my auth token was included in my .npmrc

I added always auth true to it by running this command

npm config set always-auth true

It now works and fetches packages.

for future reference: this is not a valid option anymore

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bestander bestander

Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@aikar @MilosRasic @bestander @fera2k @vytautas-pranskunas- @vileen @drummy2