Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] npm install resolved https with PAT as git+ssh #2631

Closed
koooge opened this issue Feb 5, 2021 · 5 comments
Closed

[BUG] npm install resolved https with PAT as git+ssh #2631

koooge opened this issue Feb 5, 2021 · 5 comments
Labels
Bug thing that needs fixing Priority 1 high priority issue Release 7.x work is associated with a specific npm 7 release

Comments

@koooge
Copy link

koooge commented Feb 5, 2021
edited
Loading

Hi there,

Current Behavior:

npm@7 install from https://github with PAT resolved as git+ssh://. Is this intended?

pacakge.json

"foo": "git+https://github.com/bar/baz.git",

package-lock.json

... 
  "resolved": "git+ssh://git@github.com/bar/baz.git#..."
...

Expected Behavior:

package-lock.json

... 
  "resolved": "git+https://github.com/bar/baz.git#..."
...

It's because I have some hacks to keep the PAT a secret. like:

git config --global url."https://${GITHUB_TOKEN}@github.com".insteadOf "https://github.com"

This hack worked in npm@6, but npm@7 didn't.

Steps To Reproduce:

1. Create a private repository of npm on GitHub
2. npm install above 1 with PAT. 
3. npm ci on another env with above GITHUB_TOKEN hack.  #=> error

Environment:

  • OS: macOS 11.2
  • Node: 14.15.4
  • npm: 7.5.2
@koooge koooge added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Feb 5, 2021
@morficus
Copy link

morficus commented Feb 6, 2021

Just spent an hour debugging this in my CI environment, just to finally relaize that npm-7 was the issue.

The reason this is a problem is because github seems to not allow cloning public repos using git+ssh with out a security key, it requieres it to be git+https

npm ERR! /usr/bin/git ls-remote -h -t ssh://git@github.com/morficus/serverless-plugin-split-stacks.git
npm ERR! 
npm ERR! git@github.com: Permission denied (publickey).
npm ERR! fatal: Could not read from remote repository.

By npm-7 changing everything to git+ssh... this means that it is not possible to use direct GitHub repositories as dependencies in your package.json

@wraithgar
Copy link
Member

This was fixed in this pr npm/pacote#61 and went into the cli as of v7.4.3. Can you try explicitly using git+https? I don't know if that will solve it for sure but that's a good first step before we investigate this further.

@wraithgar wraithgar added Priority 1 high priority issue and removed Needs Triage needs review for next steps labels Feb 12, 2021
@themightychris
Copy link

I'm seeing this issue in vpm v7.5.4,

I can manually edit package-lock.json to replace the git+ssh refs with git+https and then npm ci works

But then every run of npm install incessantly edits package-lock.json to change node_modules/mymodule->resolved and mymodule->version back to git+ssh

NPM then executes ls-remote against it which fails in a CI environment with no github SSH key, and is immune to Git's normal URL rewriting :-(

@themightychris
Copy link

This and #2610 appear to be dupes

@wraithgar
Copy link
Member

Yes, with the added info it does appear to be a dupe.

@Jankyboy Jankyboy mentioned this issue Feb 18, 2021
Open
@thebpc thebpc mentioned this issue Feb 19, 2021
Open
@snyk-bot snyk-bot mentioned this issue May 10, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug thing that needs fixing Priority 1 high priority issue Release 7.x work is associated with a specific npm 7 release
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@wraithgar @themightychris @morficus @koooge and others