2.4.2 features a (undocumented, as far as I can tell) call to the npm registry to check the version of the audit-ci package. This causes opaque errors when using a private npm registry.
Details
I recently ran into a surprising error in two different repos, both of which used audit-ci on version 2.4. These repositories are configured to use my company's private package registry, which requires authentication.
Running audit-ci in one case failed with this error:
circleci@85c52d082288:~/project$ yarn test-audit
yarn run v1.21.1
$ node ./node_modules/.bin/audit-ci --config .audit-ci.json --pass-enoaudit
running general audit
{"type":"error","data":"Received invalid response from npm."}
Unexpected end of JSON input
Exiting...
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
And another proceeded just fine.
Adding --verbose to the yarn info command in this library's 2.4.2 version showed me that the last line was a 401 from our private package registry. 2.4.0 and 2.4.1 don't have that call to check the self-version of the library - it was added in this commit.
Suggested fix
There are a couple of options:
(my preference) Remove the yarn info call and establish this package's version via lookup of its package.json's version. This would mean users don't need to have authentication configured and would avoid a network call that (I think) can be avoided with a local filesystem lookup.
Mark 2.4.2 as deprecated and version bump this library to 2.5, with a note in the changelog that 2.5 requires user authentication. And maybe handle authentication errors?