[BUG] GitHub org/name accesses fail #20
Comments
To rule out a bad local configuration, I also tried on a separate Ubuntu VM and the result is the same, but git asked for credentials:
$ pacote resolve npm/cli
The authenticity of host 'github.com (140.82.118.4)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)? yes
{ Error: failed '/usr/bin/git ls-remote git+ssh://git@github.com/npm/cli.git'
...
I'm very curious why npm can install packages from GitHub. Is it because it is using an older pacote (^9.5.9)?
I confirm that after reverting to 9.5.9 I can access GitHub repos using So it must be an issue with 10.x. The next question would be why the tests did not catch it...
The issue is that it's preferring git+ssh over git+https for all hosted repos. Fix coming shortly :)
I noticed this when my tests in npm/arborist were buzzing my phone for a 2FA authorization to use my SSH keys :) SSH is better for private repos, since it's more straightforward for doing headless authentication with a key and doesn't require putting a basic auth in the url, but obviously not as good for public repos, which is the majority use case. Pacote 9 tries https, then falls back to ssh, which is what v10.1.6 does now as well.
Since I'm not familiar with the implementation details, can you confirm that the behaviour now is fully similar to that of 9.x? I'm a bit concerned about 'Resolved url is still reported as the git+ssh url, for consistency.' Was it the same in 9.x?
The resolved url always being saved as ssh is new. (In v9 it was less deterministic, varying if the original url was ssh or https.) But the fetch behavior is the same as v9 now, yes.
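The fetch order described in the comments above (https first, ssh as fallback, resolved URL always recorded as git+ssh), as an added example that is not pacote's code. `candidateUrls`, `gitLsRemote` and `resolveHosted` are hypothetical names, and the default probe assumes a local `git` binary; it runs non-interactively so an unattended job fails fast instead of waiting on a credential or host-key prompt.

```javascript
// Added example: hypothetical helper names, not pacote's API.
const SHORTHAND = /^([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/;

// Expand a GitHub "org/name" shorthand into both transport URLs.
function candidateUrls(spec) {
  const m = SHORTHAND.exec(spec);
  if (!m) throw new Error(`not a GitHub org/name shorthand: ${spec}`);
  const [, org, name] = m;
  return {
    https: `git+https://github.com/${org}/${name}.git`,
    ssh: `git+ssh://git@github.com/${org}/${name}.git`,
  };
}

// Default probe: `git ls-remote` with prompting disabled.
// GIT_TERMINAL_PROMPT=0 stops git asking for a username/password;
// BatchMode=yes makes ssh fail rather than ask about keys or host identity.
function gitLsRemote(url) {
  const { execFileSync } = require('node:child_process');
  return execFileSync('git', ['ls-remote', url.replace(/^git\+/, '')], {
    encoding: 'utf8',
    stdio: ['ignore', 'pipe', 'pipe'],
    env: {
      ...process.env,
      GIT_TERMINAL_PROMPT: '0',
      GIT_SSH_COMMAND: 'ssh -o BatchMode=yes',
    },
  });
}

// Try https first (public repos need no credentials), then ssh.
// The resolved URL is always the git+ssh form, whichever transport worked.
function resolveHosted(spec, lsRemote = gitLsRemote) {
  const urls = candidateUrls(spec);
  const errors = [];
  for (const transport of ['https', 'ssh']) {
    try {
      const refs = lsRemote(urls[transport]);
      return { resolved: urls.ssh, fetchedVia: transport, refs, errors };
    } catch (err) {
      errors.push({ transport, message: err.message });
    }
  }
  const failure = new Error(`all transports failed for ${spec}`);
  failure.attempts = errors; // keep both failures for diagnosis
  throw failure;
}
```

Passing a stub as the second argument lets the ordering be tested without network access or SSH keys.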
Direct accesses to GitHub by short 'org/name' fail.
Access to the same repo with full URL seems ok for getting the manifest:
... but fails with the same error when trying to extract:
I wouldn't be surprised to find out that GitHub changed something in their configurations, but anyway it would be good to clarify the issue.
Thank you,
Liviu