
NPM: Authentication with private registry fails with ERR_INVALID_AUTH #7759

Closed
rickardgranberg opened this issue Aug 8, 2023 · 16 comments · Fixed by #8453
Labels
F: private-registries 💂‍♂️ Issues about using private registries with Dependabot; may be paired with an R: label. L: javascript:npm npm packages via npm T: bug 🐞 Something isn't working

Comments

rickardgranberg commented Aug 8, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

9.5.1

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
registries:
  npm-internal:
    type: npm-registry
    url: pkgs.dev.azure.com/org/project/_packaging/registry/npm/registry
    token: ${{NPM_PAT}}
    replaces-base: true
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    registries:
      - npm-internal
    schedule:
      interval: 'weekly'

Updated dependency

No response

What you expected to see, versus what you actually saw

This problem started happening when using NPM version 8 or newer.

In our configuration, we're using Azure Artifacts as the only registry, with upstream feeds to npmjs et al.
Our .npmrc looks like:

registry=https://pkgs.dev.azure.com/org/project/_packaging/registry/npm/registry/

always-auth=true

This also means that every package in package-lock.json will have the above registry as the resolved URL.
From what I can deduce by looking at the npmrc_builder.rb file in dependabot-core, this means that this registry will be classified as a global registry, see:

next true if dependency_urls.size.positive? && dependency_urls.all? do |url|

This in turn leads to this part of the code creating the following .npmrc:

registry=https://pkgs.dev.azure.com/org/project/_packaging/registry/npm/registry/
_authToken=token
always-auth=true

This is a problem, because since NPM v8, all auth-related values need to be scoped, see: https://docs.npmjs.com/cli/v9/configuring-npm/npmrc?v=true#auth-related-configuration

A correct .npmrc needs to look like:

registry=https://pkgs.dev.azure.com/org/project/_packaging/registry/npm/registry/
//pkgs.dev.azure.com/org/project/_packaging/registry/npm/registry/:_authToken=token
always-auth=true

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response
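As an added illustration of the scoping rule described in the report above (this is example code, not code from dependabot-core or from the reporter): a small Ruby script that derives the `//host/path/:` scope npm expects from a registry URL, writes an .npmrc in the form npm >= 8 accepts, and flags bare auth keys such as the `_authToken=token` line that triggers ERR_INVALID_AUTH. The registry URL and .npmrc contents are constructed to match the ones in the issue; the list of auth keys checked is an assumption based on the npm "auth related configuration" docs linked above.

```ruby
require "uri"

# Auth-related .npmrc keys that npm >= 8 rejects unless they are scoped to a
# registry. Assumed subset taken from the npm docs linked in the issue.
UNSCOPED_AUTH_KEYS = %w[_auth _authToken username _password].freeze

# Constructed registry URL, matching the one quoted in the issue.
REGISTRY_URL = "https://pkgs.dev.azure.com/org/project/_packaging/registry/npm/registry/"

# Derive the "//host/path/" prefix npm uses for scoped auth keys: the scheme is
# dropped, a non-default port is kept, and a trailing slash is guaranteed.
def registry_scope(registry_url)
  uri = URI.parse(registry_url)
  host = uri.host
  host = "#{host}:#{uri.port}" if uri.port && uri.port != uri.default_port
  path = uri.path.end_with?("/") ? uri.path : "#{uri.path}/"
  "//#{host}#{path}"
end

# Build an .npmrc in the form npm >= 8 accepts: the token is attached to the
# registry scope instead of appearing as a bare _authToken line.
def build_npmrc(registry_url, token, always_auth: true)
  lines = [
    "registry=#{registry_url}",
    "#{registry_scope(registry_url)}:_authToken=#{token}",
  ]
  lines << "always-auth=true" if always_auth
  lines.join("\n") + "\n"
end

# Return the bare (unscoped) auth keys found in an .npmrc, i.e. the lines that
# make npm >= 8 fail with ERR_INVALID_AUTH. A scoped key reads
# "//host/path/:_authToken" and therefore never matches the bare key list.
def unscoped_auth_keys(npmrc_text)
  npmrc_text.each_line.filter_map do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#", ";")
    key, _value = line.split("=", 2)
    key = key.to_s.strip
    key if UNSCOPED_AUTH_KEYS.include?(key)
  end
end

# Constructed sample: the .npmrc the report says dependabot-core generated.
BROKEN_NPMRC = <<~NPMRC
  registry=#{REGISTRY_URL}
  _authToken=token
  always-auth=true
NPMRC

if __FILE__ == $PROGRAM_NAME
  puts "unscoped keys in broken .npmrc: #{unscoped_auth_keys(BROKEN_NPMRC).inspect}"
  fixed = build_npmrc(REGISTRY_URL, "token")
  puts "fixed .npmrc:\n#{fixed}"
  puts "unscoped keys in fixed .npmrc: #{unscoped_auth_keys(fixed).inspect}"
end
```

Running the script reports `["_authToken"]` for the broken file and an empty list for the generated one. The checker is the useful half for a CI pipeline: running it over the .npmrc an updater writes catches the bare-key form before npm does, and because only scoped keys pass, credentials can never be sent to a registry other than the one they were issued for.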

@harti2006

Running into the same issue, when using a single private registry in the .npmrc.

@thegoatherder

I have the same issue with the same use case

@anatholiihoroshkojsk

same here


lvedder commented Nov 23, 2023

same here


wssbck commented Nov 23, 2023

And here.


deivid-rodriguez commented Nov 23, 2023

@rickardgranberg Nice research! I think all that would be needed here would be to disable the logic that detects a global registry, applying it only when not using NPM >= v8? Could you try making that change and see if that works?

@deivid-rodriguez

Actually, maybe scoping all auth related configurations is better, even if it's the global scope. I don't think that would break anything for other package managers.

@deivid-rodriguez

I created a potential fix for this but I'm not able to validate it. I created a test feed with the same configuration reported here, and Dependabot is working just fine for me. I understand the theoretical issue explained, but I'm not able to recreate the conditions for it to trigger.

Can you show the logs of a broken update?

@harti2006

I get those logs from our CI:

npm ERR! code ERR_INVALID_AUTH
npm ERR! Invalid auth configuration found: _auth must be renamed to //pkgs.dev.azure.com/mycompany/_packaging/mycompany/npm/registry/:_auth in project config
npm ERR! Please run npm config fix to repair your configuration.

The content of the .npmrc file looks like:

registry=https://pkgs.dev.azure.com/mycompany/_packaging/mycompany/npm/registry/
always-auth=true

Does that help you?

@deivid-rodriguez

Oh, that does help, let me do an additional check.

@deivid-rodriguez

Nah, it insists on just working no matter what I do. I'm a bit lost here. I also tried to reproduce via https://github.com/dependabot/cli so that I can debug what .npmrc is being generated, etc, but I'm having trouble getting it to run against an azure private feed.

@deivid-rodriguez

Is someone running into this on GitHub.com rather than on Azure Devops?

@harti2006

I played around with the Dependabot CLI as well, but it seems the yaml format doesn't allow me to provide a token for the git repository (that is also hosted in a private Azure space). Ideally I would just point it to a repo that I already checked out, but this also doesn't seem possible with the yaml format.


deivid-rodriguez commented Nov 24, 2023

Did you try the --local <directory> flag? I suspect you may end up seeing the same issue I saw, but just in case that can give you a way forward.

In any case, I was just able to verify that #8453 indeed fixes the issue! 🎉

EDIT: In case it's useful to anyone, I needed to include a token: value in the input YAML file to the CLI that's the base64 representation of the string <username>:<unencoded_pat>.

@deivid-rodriguez

We've been looking for explanations to all this. The reason this does not happen in github.com is because in github.com the updater is never fed with any credentials. So the whole "add _auth info to the .npmrc file" logic does not apply here at all.

I was able though to use the CLI with an input file including this

  credentials-metadata:
  - type: npm_registry
    registry: <feed_url>
    replaces-base: true
    token: <base64representation-of-username:pat>

to simulate what goes on in Azure DevOps. With that, the issue reproduced exactly as reported, and is fixed by #8453.

@deivid-rodriguez

This fix is now deployed! Once this is picked up by https://github.com/tinglesoftware/dependabot-azure-devops, please do confirm that the issue is now gone 🙏.
