Skip to content

[BUG] npm trust circleci ... fails with 400 with no message or explanation #9377

Open
Open
[BUG] npm trust circleci ... fails with 400 with no message or explanation#9377
Labels
Bugthing that needs fixingNeeds Triageneeds review for next steps
@jedwards1211

Description

@jedwards1211
jedwards1211
opened on May 20, 2026

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Why did a 400 response without any error message pass code review? 🤬

$ npm trust circleci @jcoreio/toolchain-typescript --org-id 00000000-0000-0000-0000-000000000000 --project-id 00000000-0000-0000-0000-000000000000 --pipeline-definition-id 00000000-0000-0000-0000-000000000000 --vcs-origin github/jcoreio/toolchains --context-id 00000000-0000-0000-0000-000000000000 --context-id 00000000-0000-0000-0000-000000000000

Establishing trust between @jcoreio/toolchain-typescript package and CircleCI
Anyone with CircleCI pipeline write access can publish to @jcoreio/toolchain-typescript
Two-factor authentication is required for this operation

package: @jcoreio/toolchain-typescript
orgId: 00000000-0000-0000-0000-000000000000
projectId: 00000000-0000-0000-0000-000000000000
pipelineDefinitionId: 00000000-0000-0000-0000-000000000000
vcsOrigin: github/jcoreio/toolchains
contextIds: 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000

https://www.npmjs.com/package/@jcoreio/toolchain-typescript
https://github/jcoreio/toolchains

Do you want to proceed? (y/N) (n) y
npm error code E400
npm error 400 Bad Request - POST https://registry.npmjs.org/-/package/@jcoreio%2ftoolchain-typescript/trust
npm error A complete log of this run can be found in: /Users/andy/.npm/_logs/2026-05-20T16_12_30_563Z-debug-0.log
Command failed with exit code 1: npm trust circleci @jcoreio/toolchain-typescript --org-id 00000000-0000-0000-0000-000000000000 --project-id 00000000-0000-0000-0000-000000000000 --pipeline-definition-id 00000000-0000-0000-0000-000000000000 --vcs-origin github/jcoreio/toolchains --context-id 00000000-0000-0000-0000-000000000000 --context-id 00000000-0000-0000-0000-000000000000

Expected Behavior

prompts me for 2fa and succeeds

Steps To Reproduce

Can't just give you a repro because this is my sensitive CircleCI environment. I can provide the CircleCI UUIDs I was using upon request.

Environment

  • npm: 11.14.1
  • Node.js: 26.2.0
  • OS Name: macOS
  • System Model Name: MacBook Pro
  • npm config:
; copy and paste output from `npm config ls` here
npm warn config optional Use `--omit=optional` to exclude optional dependencies, or
npm warn config `--include=optional` to include them.
npm warn config
npm warn config       Default value does install optional deps unless otherwise omitted.
npm warn Unknown user config "hoist". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
; "user" config from /Users/andy/.npmrc

//jcore-052972125574.d.codeartifact.us-west-2.amazonaws.com/npm/deploy-historian-dbs/:_authToken = (protected)
//registry.npmjs.org/:_authToken = (protected)
hoist = true
registry = "https://registry.npmjs.org/"

; "project" config from /Users/andy/gh/toolchains/.npmrc

include = []
omit = ["optional"]
optional = false

; node bin location = /Users/andy/.nvm/versions/node/v26.2.0/bin/node
; node version = v26.2.0
; npm local prefix = /Users/andy/gh/toolchains
; npm version = 11.14.1
; cwd = /Users/andy/gh/toolchains
; HOME = /Users/andy
; Run `npm config ls -l` to show all defaults

log output

0 verbose cli /Users/andy/.nvm/versions/node/v26.2.0/bin/node /Users/andy/.nvm/versions/node/v26.2.0/bin/npm
1 info using npm@11.14.1
2 info using node@v26.2.0
3 silly config load:file:/Users/andy/.nvm/versions/node/v26.2.0/lib/node_modules/npm/npmrc
4 silly config load:file:/Users/andy/gh/toolchains/.npmrc
5 warn config optional Use `--omit=optional` to exclude optional dependencies, or
5 warn config `--include=optional` to include them.
5 warn config
5 warn config       Default value does install optional deps unless otherwise omitted.
6 silly config load:file:/Users/andy/.npmrc
7 silly config load:file:/Users/andy/.nvm/versions/node/v26.2.0/etc/npmrc
8 verbose title npm trust circleci @jcoreio/toolchain-typescript *** *** *** github/jcoreio/toolchains *** ***
9 verbose argv "trust" "circleci" "@jcoreio/toolchain-typescript" "--org-id" "***" "--project-id" "***" "--pipeline-definition-id" "***" "--vcs-origin" "github/jcoreio/toolchains" "--context-id" "***" "--context-id" "***"
10 verbose logfile logs-max:10 dir:/Users/andy/.npm/_logs/2026-05-20T16_17_25_368Z-
11 verbose logfile /Users/andy/.npm/_logs/2026-05-20T16_17_25_368Z-debug-0.log
12 silly logfile start cleaning logs, removing 1 files
13 silly logfile done cleaning log files
14 warn Unknown user config "hoist". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
15 http fetch POST 400 https://registry.npmjs.org/-/package/@jcoreio%2ftoolchain-typescript/trust 398ms
16 silly timing Tried to end timer that doesn't exist: command:trust:circleci
17 verbose stack HttpErrorGeneral: 400 Bad Request - POST https://registry.npmjs.org/-/package/@jcoreio%2ftoolchain-typescript/trust
17 verbose stack     at /Users/andy/.nvm/versions/node/v26.2.0/lib/node_modules/npm/node_modules/npm-registry-fetch/lib/check-response.js:103:15
17 verbose stack     at process.processTicksAndRejections (node:internal/process/task_queues:104:5)
17 verbose stack     at async otplease (/Users/andy/.nvm/versions/node/v26.2.0/lib/node_modules/npm/lib/utils/auth.js:8:12)
17 verbose stack     at async TrustCircleCI.createConfigCommand (/Users/andy/.nvm/versions/node/v26.2.0/lib/node_modules/npm/lib/trust-cmd.js:181:22)
17 verbose stack     at async TrustCircleCI.exec (/Users/andy/.nvm/versions/node/v26.2.0/lib/node_modules/npm/lib/commands/trust/circleci.js:172:5)
17 verbose stack     at async Npm.exec (/Users/andy/.nvm/versions/node/v26.2.0/lib/node_modules/npm/lib/npm.js:193:9)
17 verbose stack     at async module.exports (/Users/andy/.nvm/versions/node/v26.2.0/lib/node_modules/npm/lib/cli/entry.js:67:5)
18 verbose statusCode 400
19 error code E400
20 error 400 Bad Request - POST https://registry.npmjs.org/-/package/@jcoreio%2ftoolchain-typescript/trust
21 verbose cwd /Users/andy/gh/toolchains
22 verbose os Darwin 25.0.0
23 verbose node v26.2.0
24 verbose npm  v11.14.1
25 verbose exit 1
26 verbose code 1
27 error A complete log of this run can be found in: /Users/andy/.npm/_logs/2026-05-20T16_17_25_368Z-debug-0.log

Metadata

Metadata

Assignees

No one assigned

    Labels

    Bugthing that needs fixingNeeds Triageneeds review for next steps

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions