yarn does not honor authentication settings in .npmrc #4451

Closed
carlosduclos opened this issue Sep 14, 2017 · 100 comments · May be fixed by #7604
Labels
cat-bug fixed-in-modern This issue has been fixed / implemented in Yarn 2+. help wanted

Comments

@carlosduclos

Do you want to request a feature or report a bug?
BUG
What is the current behavior?
Yarn does not honor .npmrc
If the current behavior is a bug, please provide the steps to reproduce.
We require authentication for one of our repositories and we used to do this by specifying the authentication in .npmrc. This worked up to 0.28.4 but broke in 1.0.0

What is the expected behavior?
Honoring the authentication settings in .npmrc

Please mention your node.js, yarn and operating system version.
It happens after upgrading yarn to 1.0.0/1.0.1 (have tried both versions). Regardless of OS and nodejs version.

@BYK
Member

BYK commented Sep 14, 2017

This should be fixed in 1.0.2 which was released yesterday. Can you give it a spin?

@beardedtim

@BYK I am experiencing the same issues as above and as mentioned at the end of #4157. I tried running 1.0.2 and failed with 404. Running on 0.27.5 works as expected.

@KidkArolis
Contributor

Could you paste your npmrc file here so we could try to reproduce (obviously edit out secrets or other private info)

@beardedtim

@KidkArolis while trying to get my working dir as clean as possible, it somehow fixed the issue? 🙃

Steps I took:

  • Delete yarn.lock and any yarn-error.log files
  • Delete node_modules/
  • brew link yarn and yarn --version to ensure I was at 1.0.2
  • yarn

That seems to have worked. I am going to chalk this up as a user error on mine and my team's end.

@stieg

stieg commented Sep 15, 2017

@beardedtim What about if you now blow away node_modules but keep yarn.lock and then run yarn install? Does it all work then? This is in part what #4157 tracks but may be related to the larger issue at hand?

@kmoe

kmoe commented Sep 18, 2017

I am experiencing this issue (404 on private scoped repo, whichever registry I use) for yarn versions 1.0.1, and 1.0.2. Version 0.27.5 worked after clearing some artifacts.

I have tried all the workarounds discussed in #4157. Happy to post logs if it will help.

@beardedtim

beardedtim commented Sep 18, 2017

@stieg I will try that later today when I get a free moment around lunch and post results. I believe I still got the 404 error but I've tried so many things at this point, who knows!

@solkaz
Contributor

solkaz commented Sep 19, 2017

Has anyone found a solution to this?

@perlun
Contributor

perlun commented Sep 21, 2017

FWIW: I tried with:

  • Wiping my node_modules
  • Wiping ~/.yarn
  • curl -o- -L https://yarnpkg.com/install.sh | bash to reinstall yarn 1.0.2
  • yarn install - no errors, it installed everything flawlessly.

My ~/.yarnrc:

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


registry "https://registry.npmjs.org"
email some-email@acme.com
lastUpdateCheck 1505977814820
username some-user

And my ~/.npmrc:

//registry.npmjs.org/:_authToken=a-valid-uuid

The yarn.lock references look like this in my particular case:

  resolved "https://registry.npmjs.org/@acme/some-module/-/some-module-0.1.1.tgz#valid-git-sha"

@solkaz
Contributor

solkaz commented Sep 21, 2017

Interesting. After putting the registry in my .yarnrc file, I was able to install my packages. However, I removed it to check if that was the culprit, and it still was successful (I deleted my cache so Yarn had to download it, and it managed to do so correctly).

@perlun
Contributor

perlun commented Sep 21, 2017

I tried on a fresh install (Debian this time, the other was macOS) and having these settings in ~/.npmrc and ~/.yarnrc worked equally well there. (Note: I did not try npm login or yarn login.)

@BYK
Member

BYK commented Sep 22, 2017

Closing as people are reporting this was resolved. Reopen with concrete reproduction steps if it is not resolved for you @carlosduclos please.

BYK closed this as completed Sep 22, 2017

@paraboom

paraboom commented Sep 25, 2017

@BYK I had the same problem.
I used the clean install of the latest yarn version.
And it starts working after I added registry "https://registry.npmjs.org" to ~/.yarnrc.
I think it's a bug and it should be solved automatically, not manually, as we did.

@kmoe

kmoe commented Sep 25, 2017

@BYK It may help to note that everyone who has "reported as resolved" has used the workaround of forcing yarn to use the https://registry.npmjs.org registry.

I think there is still a problem retrieving private packages from the https://registry.yarnpkg.com registry, however, and this is the default registry used by yarn (is it still just a reverse proxy? perhaps it's not honouring auth headers?).

Concrete reproduction steps

  1. Delete/move your .npmrc and .yarnrc files so yarn is using the default config.
  2. Locate a package published privately to the npm registry.
    1a. If you have downloaded/published it from the same machine you are testing yarn from, clear the npm and yarn caches.
  3. Run npm login or yarn login to populate the auth token.
  4. Using any yarn version after 0.27.5, try to install this package.

Expected results

Package installs successfully.

Actual results
❤ @up ➜  REPO git:(master) ★ yarn add @SCOPE/PACKAGE 
yarn add v1.1.0
info No lockfile found.
[1/5] Validating package.json...
[2/5] Resolving packages...
error An unexpected error occurred: "https://registry.npmjs.org/@SCOPE%2fPACKAGE: Not found".
info If you think this is a bug, please open a bug report with the information provided in "/home/katy/dev/REPO/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.

@awkaiser

If project maintainers find @kmoe's instructions to be reproducible, this ticket should be reopened (at least for the sake of existing subscribers).

@perlun
Contributor

perlun commented Sep 26, 2017

I agree with @kmoe, the underlying issue is not fixed even in recent versions of yarn. Please reopen the issue. Yes, we have a workaround, but workaround != solution in this case.

@perlun
Contributor

perlun commented Oct 30, 2017

FWIW, this is still a problem in 1.1.0. I just verified it (came back here for the workaround, namely registry "https://registry.npmjs.org" being added to ~/.yarnrc)

@stewx

stewx commented Nov 22, 2017

I am having this problem in yarn 1.3.2 and it is breaking our builds right now. It worked fine on yarn 0.27.5.

We require an auth token from the .npmrc file to install packages from our Artifactory private registry.

Reproduction steps:

  1. Have an .npmrc file with authentication info in it like:
registry=https://artifactory.mycompany.com/artifactory/api/npm/npm-virtual
_auth = myAuthTokenHere
always-auth = true
email = me@mycompany.com
  2. Run yarn install
  3. Get HTTP 401 error when yarn is trying to install stuff from the private registry:
error An unexpected error occurred: "https://artifactory.mycompany.com/api/npm/npm-virtual/@angular/compiler/-/compiler-4.3.1.tgz: Request failed \"401 Unauthorized\"".

@stewx

stewx commented Nov 22, 2017

Related: #4672

@jamesone

jamesone commented Jan 3, 2018

@stewx I'm also having the same problem on 1.3.2. Did you find a fix or a way around it?

@stewx

stewx commented Jan 4, 2018

@jamesone Nope, I downgraded to something like 0.27. It's a deal-breaker for our project.

@Bnaya

Bnaya commented Jan 4, 2018

@stewx @jamesone
Add registry "https://registry.npmjs.org" in your .yarnrc and reinstall the private packages.
It will tell yarn to work directly with the npmjs registry and it will solve the issue.

@awkaiser

awkaiser commented Jan 4, 2018

It feels so wrong to version lock at 0.27.5 just to circumvent this one issue, but it seems like many are doing just that or redirecting registry config (although @stewx is reporting that does not solve for self-hosted private registries).

If frequent project contributors don't have time to fix this in the short term, would somebody be willing to suggest codebase location(s) where a fix is most likely to succeed, in the hopes that a community PR will be opened? 🤔

/cc @kittens @bestander @BYK @arcanis @rally25rs @kaylieEB

@TheLudd

TheLudd commented Jan 4, 2018

@Bnaya When you say reinstall, do you mean remove node_modules in your project or clear yarn cache?

@Bnaya

Bnaya commented Jan 4, 2018

yarn remove yourprivatepackage; yarn add yourprivatepackage

And in the lock file you will see https://registry.npmjs.org/*** url and not https://registry.yarnpkg ***

I would suggest adding the .yarnrc next to your package.json

@liana-p

liana-p commented Mar 18, 2020

Happening to me too, I was hoping I could get it to work with only .npmrc, but it only works when adding .yarnrc, so we have to duplicate the config just for yarn.

@kalbert312

I think this is what I'm running into. It works when .npmrc is in the home directory, but not in the project directory (needed for jenkins/travis).
#8034

@cyrus-za

cyrus-za commented Apr 3, 2020

This solved it for me: #4451 (comment)

@4r7d3c0

4r7d3c0 commented Apr 8, 2020

Make sure you don't have /name after the registry when setting the scoped one:

- @4r7d3c0:registry=https://npm.pkg.github.com/4r7d3c0
+ @4r7d3c0:registry=https://npm.pkg.github.com

As per doc, registry=https://npm.pkg.github.com/OWNER, I overlooked that the owner doesn't need to be there when setting the scope. NPM could handle it, but yarn couldn't.

@alexk111

alexk111 commented Jun 6, 2020

For those who use aliases check this workaround: #8130 (comment)

@dvdotsenko

dvdotsenko commented Jul 5, 2020

Had to split user-level .npmrc and project-level .npmrc to make yarn respect GitHub package tokens. Moving named registry declarations from user-level to project-level was the key.

Contents of ~/.npmrc

_auth=#####TOKEN_FOR_ARTIFACTORY#####
always-auth=true
registry=https://artifactory.mycompany.net/artifactory/api/npm/npm/
//npm.pkg.github.com/:_authToken=####GitHub_NPM_REGISTRY_TOKEN#####

Contents of ~/projects/blah/.npmrc

@mycompany:registry=https://npm.pkg.github.com

Until I moved the ^ named family package registry entry to project-level .npmrc, yarn install was giving me 401 (for GH-hosted packages under @mycompany). Now it does not.

For Docker build mount them separately:

base.Dockerfile:

# syntax=docker/dockerfile:1-experimental
## ^ need to enable --mount=type=secret support

ARG BASE_IMAGE
FROM ${BASE_IMAGE} as build

# note that only project-level .npmrc is copied
COPY package.json yarn.lock .npmrc ./

# ~/.npmrc with actual secrets is mounted as "secret" (does not stay in image)
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc,required \
    yarn install --production --frozen-lockfile ...

Docker build command:

DOCKER_BUILDKIT=1 docker build \
		--build-arg BASE_IMAGE=$(BASE_IMAGE) \
 		--secret id=npmrc,src="$(HOME)/.npmrc" \
		-t $(IMAGE_NAME):$(IMAGE_TAG) \
		-f base.Dockerfile .

(Note that I did NOT need .yarnrc for this to work, but I am on yarn 1.17.3 so things may be different for other versions)

@viceice
Contributor

viceice commented Aug 25, 2020

I've dug around a little bit and it seems yarn uses the wrong auth credentials.

~/.npmrc

//npm-old.visualon.de/npm/vo-npm/:_password=XXXXXX
//npm-old.visualon.de/npm/vo-npm/:username=kriese
//npm-old.visualon.de/npm/vo-npm/:always-auth=true

//npm-new.visualon.de/:_authToken="XXXXXX"

package.json

{
  "name": "yarn-auth",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "tslib": "^2.0.1",
    "moment": "2.20.1"
  }
}

yarn.lock

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


moment@2.20.1:
  version "2.20.1"
  resolved "https://npm-old.visualon.de/npm/vo-npm/moment/-/moment-2.20.1.tgz#d6eb1a46cbcc14a2b2f9434112c1ff8907f313fd"
  integrity sha1-1usaRsvMFKKy+UNBEsH/iQfzE/0=

tslib@^2.0.1:
  version "2.0.1"
  resolved "https://npm-new.visualon.de/tslib/-/tslib-2.0.1.tgz#410eb0d113e5b6356490eec749603725b021b43e"
  integrity sha512-SgIkNheinmEBgx1IUNirK0TUD4X9yjjBRTqqjggWCU3pUEqIk3/Uwl3yRixYKT6WjQuGiwDv4NomL3wqRCj+CQ==

While trying to install, yarn sends the bearer token from npm-new.visualon.de to npm-old.visualon.de. So it seems yarn only compares the base domain.

@msolovyov

msolovyov commented Oct 15, 2020

If anyone still faces it, this is what worked for me.

.npmrc:
always-auth=true
@orgaccount:registry=https://npm.pkg.github.com
registry=https://registry.yarnpkg.com

https://npm.pkg.github.com/:_authToken=yyyyjjjjj3333888etc

@BenteleFlorian

Not sure if anyone faces a similar problem, but maybe this will help someone save a bit of time:

I am using Azure Artifacts as a private registry and had set up the PAT and .npmrc files as documented there.
Nevertheless, I was running into the same issue that npm install was working perfectly, but yarn install runs into the 401 Error all the time.
After a bit of trial and error it turned out that I had a special character in my Registry URL (...@Local/...) but Azure Artifacts resolves this to the Unicode representation within their setup guide. npm handles this just fine, yarn not so much. Setting the actual @ character in the URL solved my problem.

@Yuri6037

Yarn is really a weird tool: found another bug with the same kind of issues. I think I know why yarn is so bugged with custom package registries.

I successfully got yarn to download and install properly any private package from a gitlab private registry. To do it you need to specify absolutely ALL redirections with the same token! Yarn is unable to infer the token based on the base address. It infers tokens based on the FULL address - the package name.

Example:

Won't work, because when downloading the package the client is redirected to //gitlab.xxxx.yyy/api/v4/projects/z/packages/npm/, but here is the problem: the other address is not exactly matched in the rc file

always-auth=true
//gitlab.xxxx.yyy/api/v4/packages/npm/:_authToken=whatever

@organization:registry=https://gitlab.xxxxx.yyy/api/v4/packages/npm/

Will work; now all addresses are explicitly using the same token

always-auth=true
//gitlab.xxxx.yyy/api/v4/packages/npm/:_authToken=whatever
//gitlab.xxxx.yyy/api/v4/projects/z/packages/npm/:_authToken=whatever

@organization:registry=https://gitlab.xxxxx.yyy/api/v4/packages/npm/

@viceice
Contributor

viceice commented Dec 16, 2020

I've seen this too, yarn only supports one auth per domain 😕

@royi-frontegg

This is still an issue...
Everything worked great for me in Bitbucket Pipelines. Then one day the pipeline broke and we're stuck.

@arcanis
Member

arcanis commented Jan 3, 2021

This behavior won't be changed in the 1.x line. Starting from 2.x, Yarn now exclusively reads from the .yarnrc.yml file, never from .npmrc. It also supports different tokens for different urls.

https://yarnpkg.com/getting-started/migration

arcanis closed this as completed Jan 3, 2021
arcanis added the fixed-in-modern (This issue has been fixed / implemented in Yarn 2+.) label Jan 3, 2021

@uvirk

uvirk commented Jan 3, 2021

@arcanis I appreciate you closing this - but I have a similar error when using Yarn 2 and .yarnrc.yml with a private Azure Artifacts repo.

If you set

yarnPath: ".yarn/releases/yarn-berry.cjs"
npmScopes:
      <companyname>:
        npmPublishRegistry: https://pkgs.dev.azure.com/<companyname>/_packaging/<companyname>/npm/registry/
        npmRegistryServer: https://pkgs.dev.azure.com/<companyname>/_packaging/<companyname>/npm/registry/
        npmAlwaysAuth: true
        npmAuthIdent: 'base64(<companyname>:<auth-token-taken-from-user-npmrc-file>)'
nodeLinker: node-modules

I continue to receive this error:

➤ YN0001: │ HTTPError: @:@npm:1.3.0: Response code 405 (Method Not Allowed)
at se. (C:\Source\Repos<companyname>\web.yarn\releases\yarn-berry.cjs:23:10082)
at runMicrotasks ()
at processTicksAndRejections (internal/process/task_queues.js:94:5)

Do you have any ideas associated?

I have followed the steps highlighted in yarnpkg/berry#316 to no avail.

@uvirk

uvirk commented Jan 15, 2021

@arcanis any update on this error? Your help is greatly appreciated!

@merceyz
Member

merceyz commented Jan 15, 2021

Try commenting on the V2 issue so that people using Azure Artifacts there can help

@mscottx88

@BenteleFlorian your suggestion was the answer here. Those ADO setup tips still encode @ as %40. If you see %40 in your URL, change it to @ and yarn install worked for us with just .npmrc file.

Before

https://pkgs.dev.azure.com/foo/_packaging/bar%40Local/npm/registry/

After

https://pkgs.dev.azure.com/foo/_packaging/bar@Local/npm/registry/

@slhck

slhck commented Nov 24, 2021

Came here with the same issue on a private Verdaccio registry, none of this solved it.

Found a solution and wrote it up here: #6405 (comment)

Basically, make sure that no auth token for registry.npmjs.org is in your global ~/.npmrc.

@Diluka

Diluka commented Feb 10, 2022

  • if no cache and no lock, the yarn install will succeed.
  • if no cache and has lock, will fail
  • if has cache and has lock, will succeed

yarn only uses the token from .npmrc the first time

@angel-git

> • if no cache and no lock, the yarn install will succeed.
> • if no cache and has lock, will fail
> • if has cache and has lock, will succeed

I have this exact case: if I try to build with no yarn.lock, it works fine; if I use the yarn.lock, it fails.

@Diluka did you have any luck fixing this?

@Diluka

Diluka commented Dec 2, 2022

> > • if no cache and no lock, the yarn install will succeed.
> > • if no cache and has lock, will fail
> > • if has cache and has lock, will succeed
>
> I have this exact case: if I try to build with no yarn.lock, it works fine; if I use the yarn.lock, it fails.
>
> @Diluka did you have any luck fixing this?

The problem is that the token is not stored in the lock file, and yarn will use only the URL stored in the lock file to download packages. So I do this in the Dockerfile...

ADD .npmrc .

RUN yarn add private_package_1@x.y.z
RUN yarn add private_package_2@x.y.z

ADD package.json .
ADD yarn.lock .

RUN yarn

@meet-freetrade

meet-freetrade commented Jan 30, 2024

In .npmrc file add below

//npm.pkg.github.com/:_authToken=your_token
//registry.yarnpkg.com/:_authToken=your_token

Will work in every case

@tekhedd

tekhedd commented Jun 17, 2024

> I successfully got yarn to download and install properly any private package from a gitlab private registry. To do it you need to specify absolutely ALL redirections with the same token! Yarn is unable to infer the token based on the base address. It infers tokens based on the FULL address - the package name.

THIS WORKS (QFE, because it's actually the solution)

always-auth=true
//gitlab.xxxx.yyy/api/v4/packages/npm/:_authToken=whatever

@organization:registry=https://gitlab.xxxxx.yyy/api/v4/packages/npm/

I have reproduced this behavior. Note that leaving out the trailing slash will also cause a 401 auth fail.

THIS DOES NOT WORK FOR ME:

//gitlab.xxxx.yyy/api/v4/packages/npm:_authToken=whatever
@organization:registry=https://gitlab.xxxxx.yyy/api/v4/packages/npm

Maybe this is documented behavior? I'm not an expert! :) The _authToken line and the registry line must match exactly and have a trailing slash. I missed this solution because when I tried it, I did not use a trailing slash. (A trailing slash is not necessary for other functionality to work, so it never occurred to me this could be a problem with auth.)

This is with yarn 1.22.

In unrelated news:

Note that recent versions of NPM will loudly complain if _authToken is specified globally and not with a domain. This will cause some packages to fail to install, and is correct behavior. However, most of the online advice for working around this issue suggests using a bare _authToken= in .npmrc, which yarn still accepts. Then, later, one of my packages will error out because it's not actually a valid .npmrc. So... I thought I would mention that here next to the rest of the code that works for me for searching. I think it is likely people will migrate to yarn 2 and this behavior will not be updated, so... THIS. :)

YARN ACCEPTS THIS BUT NPM NO LONGER DOES, WHICH BREAKS PACKAGES:

always-auth=true
_authToken=whatever
@organization:registry=https://gitlab.xxxxx.yyy/api/v4/packages/npm

(Props to Yuri6037. You made my week.)
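
The matching behaviours reported in this thread (a token sent to a different host, tokens tied to the full registry path, the trailing slash, and `%40` versus `@`) can be checked against a small resolver that only releases a token on an exact host match plus the longest path prefix. This is an added example, not part of the original thread and not yarn's or npm's code. The hosts, tokens and function names are constructed for illustration, and ignoring unscoped tokens and keys without a trailing slash is this example's own choice.

```javascript
// Added example, not yarn's or npm's code. Hosts and tokens are constructed
// placeholders; the key shapes follow the .npmrc files posted in this thread.
const SAMPLE_NPMRC = [
  '//npm-new.example.test/:_authToken="new-token"',
  '//npm-old.example.test/npm/vo-npm/:_authToken=old-token',
  '//gitlab.example.test/api/v4/packages/npm/:_authToken=gl-token',
  '//pkgs.example.test/foo/_packaging/bar%40Local/npm/registry/:_authToken=ado-token',
  '//noslash.example.test/api/npm:_authToken=ns-token',
  '_authToken=global-token',
].join('\n');

// Treat "%40" and "@" as the same character when comparing keys and URLs.
const normalizeAt = (s) => s.replace(/%40/gi, '@');

// Parse scoped "//host/path/:_authToken=value" lines.
// Returns { creds: Map of key -> token, warnings: string[] }.
function parseNpmrcAuth(text) {
  const creds = new Map();
  const warnings = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    if (/^_authToken\s*=/.test(line)) {
      // A bare token is bound to no registry, so it is never offered to any host.
      warnings.push('unscoped _authToken ignored');
      continue;
    }
    const m = /^(\/\/[^=]+):_authToken\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    const key = m[1];
    if (/%40/i.test(key)) warnings.push(`${key}: "%40" compared as "@"`);
    if (!key.endsWith('/')) {
      warnings.push(`${key}: no trailing slash, entry ignored`);
      continue;
    }
    creds.set(normalizeAt(key), m[2].replace(/^"(.*)"$/, '$1'));
  }
  return { creds, warnings };
}

// Keys that may authorise a request, most specific first: the URL's directory,
// then each parent directory, ending at "//host/". The host must match exactly.
function candidateKeys(requestUrl) {
  const u = new URL(requestUrl);
  const dirs = normalizeAt(u.pathname).split('/').slice(1, -1);
  const keys = [];
  for (let n = dirs.length; n >= 0; n--) {
    keys.push(`//${u.host}/` + dirs.slice(0, n).map((d) => d + '/').join(''));
  }
  return keys;
}

// Return the token for the longest matching key, or null to send no credential.
function resolveAuthToken(creds, requestUrl) {
  for (const key of candidateKeys(requestUrl)) {
    if (creds.has(key)) return creds.get(key);
  }
  return null;
}

const demo = parseNpmrcAuth(SAMPLE_NPMRC);
console.log(resolveAuthToken(demo.creds, 'https://npm-old.example.test/npm/vo-npm/moment/-/moment-2.20.1.tgz'));
console.log(demo.warnings);
```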
