Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] npm pack fails for scoped package from private registry when it's not in the cache #2918

Closed
ablackrose opened this issue Mar 23, 2021 · 6 comments
Closed

[BUG] npm pack fails for scoped package from private registry when it's not in the cache #2918

ablackrose opened this issue Mar 23, 2021 · 6 comments
Assignees
@nlf
Labels
Bug thing that needs fixing Release 7.x work is associated with a specific npm 7 release

Comments

@ablackrose
Copy link

Current Behavior:

Running npm pack @myregistry/some-package returns E404 when that package has not previously been installed with npm install.

The private registry requires an authToken, and regular installation and publish functions are working as expected.

Expected Behavior:

Package should be downloaded and an archive file created.

Steps To Reproduce:

Use a private npm registry (github, gitlab, etc) that requires token authorization.

If the package has been previously installed, clean the cache:

  • npm cache clean --force

Run the pack command:

  • npm pack @myregistry/some-package

Example output:

npm ERR! code E404
npm ERR! 404 Not Found - GET https://gitlab.com/api/v4/projects/1234xxxx/packages/npm/@myregistry/some-project/-/@myregistry/some-project-1.0.2.tgz
npm ERR! 404 
npm ERR! 404  'https://gitlab.com/api/v4/projects/1234xxxx/packages/npm/@myregistry/some-project/-/@myregistry/some-project-1.0.2.tgz' is not in the npm registry.
npm ERR! 404 This package name is not valid, because 
npm ERR! 404  1. name can only contain URL-friendly characters
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/user/.npm/_logs/2021-03-23T02_35_37_201Z-debug.log

Sanitized log:
2021-03-23T02_35_37_201Z-debug.log


However, if you install the package:

  • npm install @myregistry/some-package

running the same pack command again will have the expected behaviour:

  • npm pack @myregistry/some-package

Example output

npm notice 
npm notice 📦  @myregistry/some-package@1.0.2
npm notice === Tarball Contents === 
npm notice 1.6kB  README.md                         
...
npm notice 832B   package.json                      
npm notice === Tarball Details === 
npm notice name:          @myregistry/some-package                   
npm notice version:       1.0.2                                   
npm notice filename:      @myregistry/some-package-1.0.2.tgz         
npm notice package size:  22.6 kB                                 
npm notice unpacked size: 91.8 kB                                 
npm notice shasum:        2851cfea7d06a8a746746d64acbeaeb953651e8f
npm notice integrity:     sha512-t29sxLNx2Jh2x[...]VKbAzp/x+9XuA==
npm notice total files:   29                                      
npm notice 
myregistry-some-package-1.0.2.tgz

Environment:

  • Node: 14.15.5
  • npm: 7.6.3
@ablackrose ablackrose added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Mar 23, 2021
@ablackrose
Copy link
Author

ablackrose commented Mar 23, 2021
edited

I just tested this against npm version 6.14.11 and it worked as expected.

This issue appears in all the 7.x releases, so the workaround for now is to avoid npm 7.

@visglz
Copy link

visglz commented Apr 1, 2021

I can confirm the problem also with npm 7.7.6 and our internal artifactory (it doesn't occur with npm 6).

$ npm pack @myscope/mypkg
npm ERR! code E401
npm ERR! Incorrect or missing password.
npm ERR! If you were trying to login, change your password, create an
npm ERR! authentication token or enable two-factor authentication then
npm ERR! that means you likely typed your password in incorrectly.
npm ERR! Please try again, or recover your password at:
npm ERR!     https://www.npmjs.com/forgot
npm ERR! 
npm ERR! If you were doing some other operation then your saved credentials are
npm ERR! probably out of date. To correct this please try logging in again with:
npm ERR!     npm login

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/visglz/.npm/_logs/2021-04-01T08_25_53_045Z-debug.log

The problem is a missing authorization header. Most probably the root cause is the same as in #1960 where it has been fixed already by @nlf for npm install.

Here are the headers for npm install:

npm-in-ci:	false
user-agent:	npm/7.7.6 node/v14.15.1 linux x64
pacote-version:	11.3.1
pacote-req-type:	tarball
pacote-pkg-id:	remote:@myscope/mypkg@https://server/artifactory/api/npm/myrepo/@myscope/mypkg/-/@myscope/mypkg-1.1.0.tgz
pacote-integrity:	sha1-ihwScf9K3EXk8b2fhu1SWMTTGto=
npm-command:	install
authorization:	Basic xxxxx
connection:	keep-alive
Accept:	*/*
Host:	server

And here for npm pack:

npm-in-ci:	false
user-agent:	npm/7.7.6 node/v14.15.1 linux x64
pacote-version:	11.3.1
pacote-req-type:	tarball
pacote-pkg-id:	remote:https://server/artifactory/api/npm/myrepo/@myscope/mypkg/-/@myscope/mypkg-1.1.0.tgz
pacote-integrity:	sha1-ihwScf9K3EXk8b2fhu1SWMTTGto=
npm-command:	pack
connection:	keep-alive
Accept:	*/*
Host:	server

Note the missing "authorization: Basic xxxxx" at npm pack. BTW: We use basic authentication in our setup, instead of authtoken, but I think this doesn't matter.

For completeness, here is the npmrc:

cafile=/home/visglz/.npm_cafile.pem

@vector-shift:registry=https://server/artifactory/api/npm/myrepo/
//server/artifactory/api/npm/myrepo/:_password=xxxxx
//server/artifactory/api/npm/myrepo/:username=yyyyy
//server/artifactory/api/npm/myrepo/:email=email@example.com
//server/artifactory/api/npm/myrepo/:always-auth=true

For privacy reasons I redacted passwords, server URLs etc.

There are more issues like this for npmv7 which might be related to this:

#2884
#2508
#3004

@nlf nlf self-assigned this Apr 1, 2021
@nlf nlf removed the Needs Triage needs review for next steps label Apr 1, 2021
@nlf nlf mentioned this issue Apr 1, 2021
Closed
@visglz
Copy link

visglz commented Apr 26, 2021

@nlf Thanks for the quick fix! Is there any chance we can get the fix soon in a release? As far as I understand libnpmpack needs to be released first, right?

@Drilmo
Copy link

Drilmo commented Nov 4, 2021
edited

Hello,

I have same issue.

npm@6.14.13 ✔️

npm@7.18.1 ❌

npm@8.1.0 : ❌

is a fix planned ?

@cmawhorter cmawhorter mentioned this issue Feb 23, 2022
Closed
@nlf
Copy link
Contributor

nlf commented Apr 4, 2022

Closing due to age. If this is still a problem please feel free to reopen this issue, or create a new issue w/ steps to reproduce.

@nlf nlf closed this as completed Apr 4, 2022
@Drilmo
Copy link

Drilmo commented Apr 7, 2022

This probleme is still present in 8.5.5 :

To reproduce, on private repo, create package with scope like "@foo/bar" in version 1.0.0.

On a server that has never installed this package, try using the command "npm pack @foo/bar@1.0.0"

A 404 error occurs.

However, if you do "npm i @foo/bar@1.0.0" it works without error.

Then delete the node_modules directory, test the "npm pack @foo/bar@1.0.0" command again, it will work without error.

Before npm version 7, the command "npm pack @foo/bar@1.0.0" works directly, there is no need to do a "npm i" before (unnecessary)

@Drilmo Drilmo mentioned this issue Apr 7, 2022
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nlf nlf

Labels
Bug thing that needs fixing Release 7.x work is associated with a specific npm 7 release
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: pass the scope option to pacote for auth purposes npm/libnpmpack
4 participants
@nlf @Drilmo @visglz @ablackrose