NPM Install yields 404s for packages with @ symbols

[randyaa]

I'm opening this issue because:

• npm is crashing.
• npm is producing an incorrect install.
• npm is doing something I don't understand.
• Other (see below for feature requests):

What's going wrong?

Installing any dependency that starts with @ fails with a 404 but any dependency that does not start with @ seems fine.

How can the CLI team reproduce the problem?

install node LTS (node 8.9.1, npm 5.5.1)

mkdir test
cd test
npm init
npm i @angular/core
npm i lodash

$ npm i @angular/core
npm ERR! code E404
npm ERR! 404 Not Found: @angular/core@latest

npm ERR! A complete log of this run can be found in:
npm ERR!     C:\Users\U0047811\AppData\Roaming\npm-cache\_logs\2017-11-27T21_18_44_504Z-debug.log

U0047811@U0047811-TPL-A MINGW64 /c/extras/code/gitlab/testit
$ npm i lodash
npm WARN testit@1.0.0 No description
npm WARN testit@1.0.0 No repository field.

+ lodash@4.17.4
updated 1 package in 12.047s

https://gist.github.com/randyaa/1de32dbc4c432469f9e4dc6f5c17b776

supporting information:

• npm -v prints: 5.5.1
• node -v prints: v8.9.1
• npm config get registry prints: https://registry.npmjs.org/
• Windows, OS X/macOS, or Linux?: windows (7)
• Network issues:
  • Geographic location where npm was run: (all of the following apply and none of them as i've tried under all network connecton types with no luck)
  • I use a proxy to connect to the npm registry.
  • I use a proxy to connect to the web.
  • I use a proxy when downloading Git repos.
  • I access the npm registry via a VPN
  • I don't use a proxy, but have limited or unreliable internet access.
• Container: N/A
  • I develop using Vagrant on Windows.
  • I develop using Vagrant on OS X or Linux.
  • I develop / deploy using Docker.
  • I deploy to a PaaS (Triton, Heroku).

[nejclovrencic]

Having the same problem on macOS, since today morning. Worked fine yesterday. The same problem happens with yarn also, so it seems like a registry issue.

[nejclovrencic]

In npm logs I found that pacote package returns 404 for those packages. For example, this url works fine when opened in browser, but pacote still returns 404.

Looks like this is caused because of authorization header. If this header is removed, 200 OK is returned and installation works.

[randyaa]

Any idea how to remove the header during installation? Or what’s causing it?

[nejclovrencic]

No idea what's causing it. I manually edited source code of npm/yarn to not include authorization header on my machine.

[randyaa]

well... still seems like a bug but i have an auth token set in my .npmrc file that i use when pushing to a private registry. If i remove that token everything seems to work ok. So odd that this is only a problem for npm 5 and dependencies starting with @

[BenjaminVerble]

seeing this with npm 5.3.0 as well. only happens with scoped modules. I am also putting a token in the .npmrc

[iarna]

Could one of you share a (redacted) copy of your .npmrcs w/ the token entryes? Like this:

unsafe-perm=true
email=me@re-becca.org
browser=
init-author-name=Rebecca Turner
init-author-email=me@re-becca.org
init-author-url=http://re-becca.org/
sign-git-tag=true
send-metrics=true
//registry.npm.red/:_authToken=REDACTED
//registry.npmjs.org/:_authToken=REDACTED

So you can see that I have both a real registry token and a registry token for another registry (our staging environment).

[randyaa]

I just commented out the token line in mine as it wasn’t needed

…

On Dec 17, 2017, at 7:18 PM, Rebecca Turner ***@***.***> wrote: Could one of you share a (redacted) copy of your .npmrc's w/ the tokens? Like, mine looks like this: unsafe-perm=true ***@***.*** browser= init-author-name=Rebecca Turner ***@***.*** init-author-url=http://re-becca.org/ sign-git-tag=true send-metrics=true //registry.npm.red/:_authToken=REDACTED //registry.npmjs.org/:_authToken=REDACTED So you can see that I have both a real registry token and a registry token for another registry (our staging environment). — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[BenjaminVerble]

@iarna I figured out that my token was expired. what I haven't figured out yet is why, when I'm logged in, I can't use the npm token command. It doesn't show up when I'm logged in from the npm cli. The command is not recognized and it is not in the help list.

[iarna]

@BenjaminVerble If the npm token command isn't available it means that you're using a version prior to 5.5.0. Upgrade to latest (as of this writing,5.6.0) to get access to it.

[BenjaminVerble]

thanks @iarna . that explains the confusion

[dptoot]

Is this a duplicate of #17966? This is murdering us that publish to private repos but still require the ever increasing number of scoped packages (i.e. babel).

[imdevin567]

This is definitely a dupe of #17966 . I'm surprised this hasn't been resolved yet considering the increasing number of scoped packages and the number of people that need to use private repos.

I wouldn't mind taking a stab at fixing the url module in NodeJS (see this comment for details on this), but I'm interested to hear what everyone feels the right solution to this issue is. I personally think this is a registry bug, not a NodeJS bug. If an auth header is passed, it should be ignored if auth isn't required. I'm pretty sure that's code directly in registry.npmjs.org too, not in npm/registry. And if that's the case, we are at the whims of npmjs developers to resolve.

What does everyone else think? If the consensus points toward fixing the url module, I'll have a go at it.

[nejclovrencic]

@imdevin567 I agree that if auth header is passed and is not required, it should be ignored. Maybe node shouldn't treat every URL with @ as if it requires authentication, but in my opinion, this is a bug in npm registry.

[NicolasPelletier]

The code referenced at https://github.com/nodejs/node/blob/v8.2.1/lib/url.js#L828 calls the variable "authInHost".

Now, the "@" in the request here is not in the host name, is it ? According to an example somewhere, the URL looks like this: https://registry.npmjs.org/@angular%2fcore.

So, the "@" is after the host, in the path.

Now, it might be that the code in the url module of NodeJS is faulty and the result.host includes the path ( in which case, the bug might be in NodeJS ), or not, in which case the fault might be elsewhere. But I don't know enough ( in fact, I know nothing ) about the npm registry to comment.

[NicolasPelletier]

I tried setting an invalid _auth in my .npmrc and our internal npm registry ( which is Artifactory, not npm Entreprise ) did not return an error when attempting to install a package with a scoped name.

I went ahead and opened https://github.com/npm/registry/issues/272. Their README says ( emphasis mine ):

If you are having issues with the registry — a publish is too slow, or if you can't install a package you know exists — please open an issue here. If the topic is sensitive, please contact support.

So, I thought it was justified to open an issue there. Let's see what they say.

[vipinps13]

Please update your npm registry and try, It worked for me
"npm config set registry https://registry.npmjs.org"

[xgalen]

This is still happening to me in Ubuntu. I had trying to update everything but still does not work.

node -v   9.11.1
npm -v  5.8.0

We can't set the registry to https://registry.npmjs.org as @vipinps13 suggested because we also have a private registry, though that solution works.

[JosephIND]

anybody has a workaround for this?

[manojvignesh]

I had the same issues with scoped packages and private registry. As specified in this comment i removed the _auth=<token> line from my local .npmrc file and moved it to as part of line //registry.npmjs.org?authToken=xxxxxxxx. Then it started working

[champ2000]

Any update on this issue? We're seeing intermittently across developer and build machines

node -v 8.11.2
npm -v 5.6.0

.npmrc fille is already set up as per @manojvignesh comment above, also have tried @vipinps13 suggestion.

[woodev01]

People at my company are also seeing a regular 404. We have a private npme instance and any scoped package 404's unless we are on npm^4.