[BUG] GitHub org/name accesses fail #20

Closed
ilg-ul opened this issue Nov 20, 2019 · 7 comments

ilg-ul commented Nov 20, 2019

Direct accesses to GitHub by short 'org/name' fail.

$ pacote -h
Pacote - The JavaScript Package Handler, v10.1.3
...
$ pacote manifest npm/cli
Error: failed '/usr/bin/git ls-remote git+ssh://git@github.com/npm/cli.git'
    at ChildProcess.<anonymous> (/Users/ilg/.nvm/versions/node/v12.13.0/lib/node_modules/pacote/lib/util/spawn.js:21:43)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Socket.<anonymous> (internal/child_process.js:430:11)
    at Socket.emit (events.js:210:5)
    at Pipe.<anonymous> (net.js:658:12) {
  cmd: '/usr/bin/git',
  args: [ 'ls-remote', 'git+ssh://git@github.com/npm/cli.git' ],
  code: 128,
  signal: null,
  stdout: '',
  stderr: 'git@github.com: Permission denied (publickey).\r\n' +
    'fatal: Could not read from remote repository.\n' +
    '\n' +
    'Please make sure you have the correct access rights\n' +
    'and the repository exists.\n'
}
$ pacote manifest github:npm/cli
Error: failed '/usr/bin/git ls-remote git+ssh://git@github.com/npm/cli.git'
    at ChildProcess.<anonymous> (/Users/ilg/.nvm/versions/node/v12.13.0/lib/node_modules/pacote/lib/util/spawn.js:21:43)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Socket.<anonymous> (internal/child_process.js:430:11)
    at Socket.emit (events.js:210:5)
    at Pipe.<anonymous> (net.js:658:12) {
  cmd: '/usr/bin/git',
  args: [ 'ls-remote', 'git+ssh://git@github.com/npm/cli.git' ],
  code: 128,
  signal: null,
  stdout: '',
  stderr: 'git@github.com: Permission denied (publickey).\r\n' +
    'fatal: Could not read from remote repository.\n' +
    '\n' +
    'Please make sure you have the correct access rights\n' +
    'and the repository exists.\n'
}
$ pacote resolve npm/cli
Error: failed '/usr/bin/git ls-remote git+ssh://git@github.com/npm/cli.git'
    at ChildProcess.<anonymous> (/Users/ilg/.nvm/versions/node/v12.13.0/lib/node_modules/pacote/lib/util/spawn.js:21:43)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Socket.<anonymous> (internal/child_process.js:430:11)
    at Socket.emit (events.js:210:5)
    at Pipe.<anonymous> (net.js:658:12) {
  cmd: '/usr/bin/git',
  args: [ 'ls-remote', 'git+ssh://git@github.com/npm/cli.git' ],
  code: 128,
  signal: null,
  stdout: '',
  stderr: 'git@github.com: Permission denied (publickey).\r\n' +
    'fatal: Could not read from remote repository.\n' +
    '\n' +
    'Please make sure you have the correct access rights\n' +
    'and the repository exists.\n'
}
$ pacote extract npm/cli ccc
Error: failed '/usr/bin/git ls-remote git+ssh://git@github.com/npm/cli.git'
    at ChildProcess.<anonymous> (/Users/ilg/.nvm/versions/node/v12.13.0/lib/node_modules/pacote/lib/util/spawn.js:21:43)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Socket.<anonymous> (internal/child_process.js:430:11)
    at Socket.emit (events.js:210:5)
    at Pipe.<anonymous> (net.js:658:12) {
  cmd: '/usr/bin/git',
  args: [ 'ls-remote', 'git+ssh://git@github.com/npm/cli.git' ],
  code: 128,
  signal: null,
  stdout: '',
  stderr: 'git@github.com: Permission denied (publickey).\r\n' +
    'fatal: Could not read from remote repository.\n' +
    '\n' +
    'Please make sure you have the correct access rights\n' +
    'and the repository exists.\n'
}

Access to the same repo with full URL seems ok for getting the manifest:

$ pacote manifest https://github.com/npm/cli
{
  version: '6.13.1',
  name: 'npm',
  description: 'a package manager for JavaScript',
  ...
  readmeFilename: 'README.md',
  gitHead: 'b829d62c98506325d2afb2d85d191a8ff1c49157',
  _id: 'npm@6.13.1',
  _integrity: null,
  _resolved: 'git+ssh://git@github.com/npm/cli.git#b829d62c98506325d2afb2d85d191a8ff1c49157',
  _from: 'github:npm/cli'
}

... but fails with the same error when trying to extract:

$ pacote extract https://github.com/npm/cli ccc
Error: failed '/usr/bin/git ls-remote git+ssh://git@github.com/npm/cli.git'
    at ChildProcess.<anonymous> (/Users/ilg/.nvm/versions/node/v12.13.0/lib/node_modules/pacote/lib/util/spawn.js:21:43)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Socket.<anonymous> (internal/child_process.js:430:11)
    at Socket.emit (events.js:210:5)
    at Pipe.<anonymous> (net.js:658:12) {
  cmd: '/usr/bin/git',
  args: [ 'ls-remote', 'git+ssh://git@github.com/npm/cli.git' ],
  code: 128,
  signal: null,
  stdout: '',
  stderr: 'git@github.com: Permission denied (publickey).\r\n' +
    'fatal: Could not read from remote repository.\n' +
    '\n' +
    'Please make sure you have the correct access rights\n' +
    'and the repository exists.\n'
}

I wouldn't be surprised to find out that GitHub changed something in their configurations, but anyway it would be good to clarify the issue.

Thank you,

Liviu

Author

ilg-ul commented Nov 20, 2019

To rule out a bad local configuration, I also tried on a separate Ubuntu VM and the result is the same, but git asked for credentials:

$ pacote resolve npm/cli
The authenticity of host 'github.com (140.82.118.4)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)? yes
{ Error: failed '/usr/bin/git ls-remote git+ssh://git@github.com/npm/cli.git'
...

Author

ilg-ul commented Nov 20, 2019

I'm very curious why npm can install packages from GitHub. Is it because it is using an older pacote (^9.5.9)?

Author

ilg-ul commented Nov 20, 2019

I confirm that after reverting to 9.5.9 I can access GitHub repos using org/name, as expected.

So it must be an issue with 10.x. The next question would be why the tests did not catch it...

Contributor

isaacs commented Nov 27, 2019

The issue is that it's preferring git+ssh over git+https for all hosted repos.

Fix coming shortly :)

isaacs closed this as completed in fc1053f Nov 27, 2019
Contributor

isaacs commented Nov 27, 2019

I noticed this when my tests in npm/arborist were buzzing my phone for a 2FA authorization to use my SSH keys :)

SSH is better for private repos, since it's more straightforward for doing headless authentication with a key and doesn't require putting a basic auth in the url, but obviously not as good for public repos, which is the majority use case. Pacote 9 tries https, then falls back to ssh, which is what v10.1.6 does now as well.

Author

ilg-ul commented Nov 28, 2019

Since I'm not familiar with the implementation details, can you confirm that the behaviour now is fully similar to that of 9.x?

I'm a bit concerned about 'Resolved url is still reported as the git+ssh url, for consistency.' Was it the same in 9.x?

Contributor

isaacs commented Nov 28, 2019

The resolved url always being saved as ssh is new. (In v9 it was less deterministic, varying if the original url was ssh or https.) But the fetch behavior is the same as v9 now, yes.
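
The fetch order described in this thread (https first, ssh only as a fallback, resolved URL always recorded in the git+ssh form), sketched as an added example. It is not pacote's code: `candidates`, `gitLsRemote` and `resolveHosted` are hypothetical names, and disabling git/ssh prompts is an assumption of the example.

```javascript
// Both URL forms for a GitHub 'org/name' (or 'github:org/name') shorthand.
function candidates (shorthand) {
  const m = /^(?:github:)?([\w.-]+)\/([\w.-]+?)(?:\.git)?$/.exec(shorthand)
  if (!m) throw new Error(`not an org/name shorthand: ${shorthand}`)
  const path = `github.com/${m[1]}/${m[2]}.git`
  return { https: `https://${path}`, ssh: `git+ssh://git@${path}` }
}

// Real probe. Prompts are disabled (an assumption of this example, not
// something the thread states) so an unattended run fails fast instead of
// waiting on a password, key passphrase or unknown-host-key question.
function gitLsRemote (url) {
  const { spawnSync } = require('child_process')
  const env = {
    ...process.env,
    GIT_TERMINAL_PROMPT: '0',
    GIT_SSH_COMMAND: 'ssh -oBatchMode=yes -oStrictHostKeyChecking=yes'
  }
  const r = spawnSync('git', ['ls-remote', url, 'HEAD'], { env, encoding: 'utf8' })
  return r.status === 0 ? (r.stdout.split(/\s+/)[0] || null) : null
}

// https first (no credentials needed for public repos), ssh only as fallback.
// The recorded URL is always the git+ssh form, whichever transport worked.
function resolveHosted (shorthand, lsRemote = gitLsRemote) {
  const { https, ssh } = candidates(shorthand)
  const order = [['https', https], ['ssh', ssh.replace(/^git\+/, '')]]
  const tried = []
  for (const [transport, url] of order) {
    tried.push(transport)
    const sha = lsRemote(url)
    if (sha) return { transport, tried, resolved: `${ssh}#${sha}` }
  }
  throw new Error(`${shorthand}: unreachable over ${tried.join(' and ')}`)
}

// Offline demo with constructed stubs standing in for the network.
const SHA = 'b829d62c98506325d2afb2d85d191a8ff1c49157' // gitHead from the report
const publicRepo = url => (url.startsWith('https://') ? SHA : null)
const privateRepo = url => (url.startsWith('ssh://') ? SHA : null)
console.log(resolveHosted('npm/cli', publicRepo))
console.log(resolveHosted('github:npm/cli', privateRepo))
```

With the public-repo stub the SSH key is never touched; only the private-repo stub reaches the ssh attempt, and both record the same resolved URL.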
