[BUG] npm install alias@npm:@scoped/package fails for private registries

[prasannamestha]

Current Behavior:

If we try to install a scoped package with alias name, it fails. But if we directly install the scoped package it succeeds.

Expected Behavior:

Installing packages with alias names should succeed when you try it for the first time

Steps To Reproduce:

Add the following to npmrc:

@scoped:registry=https://privateregistryurl
//privateregistryurl/:_authToken=<private-token>

Then try installing this scoped package via package name alias:

$ npm install alias@npm:@scoped/package

This doesn't send the auth headers and causes the installation to fail.

Weirdly, if you install without the package name alias once, then the installation succeeds:

$ npm install @scoped/package
$ npm install alias@npm:@scoped/package                                                  <-- this command also succeeds due to the previoous command. I suspect it could be due to NPM cache.

Environment:

I am running on NPM v7.6.0

[prasannamestha]

Drooping a comment for exposure. Can anybody please look into this?

[Coderx64]

faced with the same issue
node -v v15.12.0
npm -v 7.6.3

.npmrc contains

@foo:registry=http://nexus.private.bar/repository/myown-npm-test/
always-auth=true
//nexus.private.bar/repository/npm-registry/:_authToken=NpmToken.{TOKEN}

trying to install something from private repo

npm i @foo/somepackage
npm ERR! code E401
npm ERR! Unable to authenticate, need: BASIC realm="Sonatype Nexus Repository Manager"

HTTP request sent without auth headers

GET /repository/myown-npm-test/@foo%2somepackage HTTP/1.1
npm-in-ci: false
user-agent: npm/7.6.3 node/v15.12.0 linux x64
pacote-version: 11.3.0
pacote-req-type: packument
pacote-pkg-id: registry:@foo/somepackage
accept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, /
npm-session: 6b8694bca1b3d851
npm-command: i
connection: keep-alive
Accept-Encoding: gzip,deflate
Host: nexus.private.bar

but i will try try to install not scoped packages auth headers is present in HTTP request
just add registry=http://nexus.private.bar/repository/npm-registry/ to .npmrc
npm i somepackage

GET /repository/npm-registry/somepackage HTTP/1.1
npm-in-ci: false
user-agent: npm/7.6.3 node/v15.12.0 linux x64
pacote-version: 11.3.0
pacote-req-type: packument
pacote-pkg-id: registry:somepackage
accept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, /
npm-session: df8eae419c656128
npm-command: i
authorization: Bearer NpmToken.{TOKEN}
connection: keep-alive
Accept-Encoding: gzip,deflate
Host: nexus.private.bar

[Coderx64]

fixed by change auth key from repository/npm-registry/ to repository/myown-npm-test/
Excuse for troubling

[prasannamestha]

fixed by change auth key from repository/npm-registry/ to repository/myown-npm-test/

Run $ npm cache clean and you'll face the same problem again. The only reason you're able to install the second time is due to cache.

[darcyclarke]

Investigating this on our end; Prioritizing accordingly

[ibarisic05]

Are there any progress on this? We also have same issue. It works with npm 6 version, but npm 7.x.x is not working for us.

[kevitan]

tried with:

node: 12.19.1
npm: 6.14.8

also tried:

node: 16.13.0
npm: 8.1.0

both have this issue :(

[nlf]

can you folks try this in the latest npm@8.5.5? i wasn't able to reproduce this one

[nlf]

Closing due to age. If this is still a problem please feel free to reopen this issue, or create a new issue w/ steps to reproduce.

[kevitan]

I'm back! Unfortunately I don't remember what workaround I used last time, but it appears i've run into the same issue, both on NPM 8.19 and NPM 9.4.

as mentioned above, .npmrc is:
@scope:registry=https://my.scope.registry.io/
//my.scope.registry.io/:_authToken=

in package.json, I have:

"dependencies": {
  "aliased": "npm:@scope/my-package@^1.0.1"
}

and when I run npm i, I still am getting that same 404

npm ERR! code E404
npm ERR! 404 Not Found - GET https://my.scope.registry.io/@scope/my-package 1.0.1.tgz
npm ERR! 404
npm ERR! 404  'aliased@https://my.scope.registry.io/@scope/my-package-1.0.1.tgz' is not in this registry.
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

strangely enough, if I remove the aliased reference in the package.json it installs with no issue. Then, if I then put the alias back into the package.json, there no longer is an error.