Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

yarn does not honor authentication settings in .npmrc #4451

Closed
carlosduclos opened this issue Sep 14, 2017 · 94 comments · May be fixed by #7604
Closed

yarn does not honor authentication settings in .npmrc #4451

carlosduclos opened this issue Sep 14, 2017 · 94 comments · May be fixed by #7604

Comments

@carlosduclos
Copy link

@carlosduclos carlosduclos commented Sep 14, 2017

Do you want to request a feature or report a bug?
BUG
What is the current behavior?
Yarn does not honor .npmrc
If the current behavior is a bug, please provide the steps to reproduce.
We require authentication for one of our repositories and we used to do this by specifying the authentication in .npmrc. This worked up to 0.28.4 but broke in 1.0.0

What is the expected behavior?
Honoring the authentication settings in .npmrc

Please mention your node.js, yarn and operating system version.
It happens after upgrading yarn to 1.0.0/1.0.1 (have tried both versions). Regardless of OS and nodejs version.

@BYK
Copy link
Member

@BYK BYK commented Sep 14, 2017

This should be fixed in 1.0.2 which was released yesterday. Can you give it a spin?

@beardedtim
Copy link

@beardedtim beardedtim commented Sep 14, 2017

@BYK I am experiencing the same issues as above and as mentioned at the end of #4157 . I tried running 1.0.2 and failed with 404. Running on 0.27.5 works as expected.

@KidkArolis
Copy link
Contributor

@KidkArolis KidkArolis commented Sep 15, 2017

Could you paste your npmrc file here so we could try to reproduce (obviously edit out secrets or other private info)

@beardedtim
Copy link

@beardedtim beardedtim commented Sep 15, 2017

@KidkArolis while trying to get my working dir as clean as possible, it somehow fixed the issue? 🙃

Steps I took:

  • Delete yarn.lock and any yarn-error.log files
  • Delete node_modules/
  • brew link yarn and yarn --version to ensure I was at 1.0.2
  • yarn

That seems to have worked. I am going to chalk this up as a user error on mine and my team's end.

@stieg
Copy link

@stieg stieg commented Sep 15, 2017

@beardedtim What about if you now blow away node_modules but keep yarn.lock and then run yarn install? Does it all work then? This is in part what #4157 tracks but may be related to the larger issue at hand?

@kmoe
Copy link

@kmoe kmoe commented Sep 18, 2017

I am experiencing this issue (404 on private scoped repo, whichever registry I use) for yarn versions 1.0.1, and 1.0.2. Version 0.27.5 worked after clearing some artifacts.

I have tried all the workarounds discussed in #4157. Happy to post logs if it will help.

@beardedtim
Copy link

@beardedtim beardedtim commented Sep 18, 2017

@stieg I will try that later today when I get a free moment around lunch and post results. I believe I still got the 404 error but I've tried so many things at this point, who knows!

@solkaz
Copy link
Contributor

@solkaz solkaz commented Sep 19, 2017

Has anyone found a solution to this?

@perlun
Copy link
Contributor

@perlun perlun commented Sep 21, 2017

FWIW: I tried with:

  • Wiping my node_modules
  • Wiping ~/.yarn
  • curl -o- -L https://yarnpkg.com/install.sh | bash to reinstall yarn 1.0.2
  • yarn install - no errors, it installed everything flawlessly.

My ~/.yarnrc:

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


registry "https://registry.npmjs.org"
email some-email@acme.com
lastUpdateCheck 1505977814820
username some-user

And my ~/.npmrc:

//registry.npmjs.org/:_authToken=a-valid-uuid

The yarn.lock references look like this in my particular case:

  resolved "https://registry.npmjs.org/@acme/some-module/-/some-module-0.1.1.tgz#valid-git-sha"

@solkaz
Copy link
Contributor

@solkaz solkaz commented Sep 21, 2017

Interesting. After putting the registry in my .yarnrc file, I was able to install my packages. However, I removed it to check if that was the culprit, and it still was successful (I deleted my cache so Yarn had to download it, and it managed to do so correctly).

@perlun
Copy link
Contributor

@perlun perlun commented Sep 21, 2017

I tried on a fresh install (Debian this time, the other was macOS) and having these settings in ~/.npmrc and ~/.yarnrc worked equally well there. (Note: I did not try npm login or yarn login.)

@BYK
Copy link
Member

@BYK BYK commented Sep 22, 2017

Closing as people reporting this was resolved. Reopen with concrete reproduction steps if it is not resolved for you @carlosduclos please.

@BYK BYK closed this Sep 22, 2017
@paraboom
Copy link

@paraboom paraboom commented Sep 25, 2017

@BYK I had the same problem.
I used the clean install of the latest yarn version.
And it starts working after I added registry "https://registry.npmjs.org" to ~/.yarnrc.
I think it's a bug and it should be solved automatically, not manually, as we did.

@kmoe
Copy link

@kmoe kmoe commented Sep 25, 2017

@BYK It may help to note that everyone who has "reported as resolved" has used the workaround of forcing yarn to use the https://registry.npmjs.org registry.

I think there is still a problem retrieving private packages from the https://registry.yarnpkg.com registry, however, and this is the default registry used by yarn (is it still just a reverse proxy? perhaps it's not honouring auth headers?).

Concrete reproduction steps

  1. Delete/move your .npmrc and .yarnrc files so yarn is using the default config.
  2. Locate a package published privately to the npm registry.
    1a. If you have downloaded/published it from the same machine you are testing yarn from, clear the npm and yarn caches.
  3. Run npm login or yarn login to populate the auth token.
  4. Using any yarn version after 0.27.5, try to install this package.
Expected results

Package installs successfully.

Actual results
❤ @up ➜  REPO git:(master) ★ yarn add @SCOPE/PACKAGE 
yarn add v1.1.0
info No lockfile found.
[1/5] Validating package.json...
[2/5] Resolving packages...
error An unexpected error occurred: "https://registry.npmjs.org/@SCOPE%2fPACKAGE: Not found".
info If you think this is a bug, please open a bug report with the information provided in "/home/katy/dev/REPO/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.

@awkaiser
Copy link

@awkaiser awkaiser commented Sep 25, 2017

If project maintainers find @kmoe's instructions to be reproducible, this ticket should be reopened (at least for the sake of existing subscribers).

@perlun
Copy link
Contributor

@perlun perlun commented Sep 26, 2017

I agree with @kmoe, the underlying issue is not fixed even in recent versions of yarn. Please reopen the issue. Yes, we have a workaround, but workaround != solution in this case.

@perlun
Copy link
Contributor

@perlun perlun commented Oct 30, 2017

FWIW, this is still a problem in 1.1.0. I just verified it (came back here for the workaround, namely registry "https://registry.npmjs.org" being added to ~/.yarnrc)

@stewx
Copy link

@stewx stewx commented Nov 22, 2017

I am having this problem in yarn 1.3.2 and it is breaking our builds right now. It worked fine on yarn 0.27.5.

We require an auth token from the .npmrc file to install packages from our Artifactory private registry.

Reproduction steps:

  1. Have an .npmrc file with authentication info in it like:
registry=https://artifactory.mycompany.com/artifactory/api/npm/npm-virtual
_auth = myAuthTokenHere
always-auth = true
email = me@mycompany.com
  1. Run yarn install
  2. Get HTTP 401 error when yarn is trying to install stuff from the private registry:
error An unexpected error occurred: "https://artifactory.mycompany.com/api/npm/npm-virtual/@angular/compiler/-/compiler-4.3.1.tgz: Request failed \"401 Unauthorized\"".

@stewx
Copy link

@stewx stewx commented Nov 22, 2017

Related: #4672

@jamesone
Copy link

@jamesone jamesone commented Jan 3, 2018

@stewx I'm also having the same problem on 1.3.2. Did you find a fix or a way around it?

@stewx
Copy link

@stewx stewx commented Jan 4, 2018

@jamesone Nope, I downgraded to something like 0.27. It's a deal-breaker for our project.

@Bnaya
Copy link

@Bnaya Bnaya commented Jan 4, 2018

@stewx @jamesone
Add registry "https://registry.npmjs.org" in your .yarnrc and reinstall the private packages
It will tell yarn to work directly with npmjs registry and it will solve the issue

@awkaiser
Copy link

@awkaiser awkaiser commented Jan 4, 2018

It feels so wrong to version lock at 0.27.5 just to circumvent this one issue, but it seems like many are doing just that or redirecting registry config (although @stewx is reporting that does not solve for self-hosted private registries).

If frequent project contributors don't have time to fix this in the short term, would somebody be willing to suggest codebase location(s) where a fix is most likely to succeed, in the hopes that a community PR will be opened? 🤔

/cc @kittens @bestander @BYK @arcanis @rally25rs @kaylieEB

@TheLudd
Copy link

@TheLudd TheLudd commented Jan 4, 2018

@Bnaya When you say reinstall, do you mean remove node_modules in your project or clear yarn cache?

@Bnaya
Copy link

@Bnaya Bnaya commented Jan 4, 2018

yarn remove yourprivatepackage; yarn add yourprivatepackage

And in the lock file you will see https://registry.npmjs.org/*** url and not https://registry.yarnpkg ***

I would suggest adding the .yarnrc next to your package.json

@pete-hotchkiss
Copy link

@pete-hotchkiss pete-hotchkiss commented Dec 29, 2019

can confirm this is STILL an issue

Getting 401 errors when running yarn install

Request "https://npm.pkg.github.com/user/@scope/package" finished with status code 401.

where as npn install runs with zero issue

@TejasQ
Copy link

@TejasQ TejasQ commented Jan 3, 2020

I've spent the last 2 hours debugging this issue and thanks to my friend @AndreiCalazans, I have a workaround.

Sharing here for anyone who might be struggling with similar.

Use Case

I'm deploying a project that uses yarn workspaces to Heroku. Even if I drop the yarn.lock and use npm install, the project is built with workspaces and will not work at all without yarn.

The project relies on packages hosted on GitHub Packages and needs to authenticate against GitHub via a token.

The Problem

Heroku would see a yarn.lock and install dependencies with yarn, which would ignore a ~/.npmrc file that I create pre build.

Pre-build, I would run

echo "always-auth=true\n//npm.pkg.github.com/:_authToken=${GITHUB_NPM_TOKEN}\" >> ~/.npmrc",

This creates a file, ~/.npmrc, with this content:

always-auth=true
//npm.pkg.github.com/:_authToken=whatevermytokenis

yarn would flat out ignore this and fail when attempting to pull a dependency from GitHub package registry with 401 Unauthorized.

The Workaround

Andrei mentioned aliasing just the org to use the GitHub registry, and then adding the GitHub registry token under.

Essentially, changing the ~/.npmrc file slightly to add the following:

always-auth=true
+@MY_ORG:registry=https://npm.pkg.github.com/

//npm.pkg.github.com/:_authToken=whatevermytokenis

That solved everything and suddenly, yarn used the provided auth token for npm.pkg.github.com for any packages under @MY_ORG which was the GitHub org.

Whew! I hope this helps someone! 💞

@dgesteves
Copy link

@dgesteves dgesteves commented Jan 18, 2020

This is still an issue!! NPM install runs without problems, yarn add
error Couldn't find package "@diligentcorp/atlas-react" on the "npm" registry. info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.

@Joe2337
Copy link

@Joe2337 Joe2337 commented Feb 11, 2020

On my windows machine, the problem was that the user folder with my user level .npmrc file was on a network drive. The local user folder on the machine did not have an .npmrc file, but yarn seems to look in this folder. Copying the .npmrc from the network drive to the local user folder fixed the problem (an authentication token was stored in the user level .npmrc).

I discovered that by accident after typing "cd ~" into my git bash and it switched to the remote home folder (which I never use).

@ndraiman
Copy link

@ndraiman ndraiman commented Mar 7, 2020

@TejasQ Workaround did not work for me.

I'm also using GitHub Packages.
Still getting 401 unauthorized even though it works perfectly well with npm

@sep2
Copy link

@sep2 sep2 commented Mar 7, 2020

I managed to make it work with yarn v1.22.0

.npmrc

always-auth=true
@fortawesome:registry=https://npm.fontawesome.com
//npm.fontawesome.com/:_authToken=xyz-xyz-xyz-xyz

.yarnrc

"@fortawesome:registry" "https://npm.fontawesome.com"

registry "https://some-regular-registry.org"

and then execute: yarn add @fortawesome/fontawesome-pro

@nialna
Copy link

@nialna nialna commented Mar 18, 2020

Happening to me too, I was hoping I could get it to work with only .npmrc, but it only works when adding .yarnrc, so we have to duplicate the config just for yarn.

@kalbert312
Copy link

@kalbert312 kalbert312 commented Apr 1, 2020

I think this is what I'm running into. It works when .npmrc is in the home directory, but not in the project directory (needed for jenkins/travis).
#8034

@cyrus-za
Copy link

@cyrus-za cyrus-za commented Apr 3, 2020

This solved it for me: #4451 (comment)

@4r7d3c0
Copy link

@4r7d3c0 4r7d3c0 commented Apr 8, 2020

Make sure you don't have /name after the registry when setting the scoped one:

- @4r7d3c0:registry=https://npm.pkg.github.com/4r7d3c0
+ @4r7d3c0:registry=https://npm.pkg.github.com

As per doc, registry=https://npm.pkg.github.com/OWNER, I overlooked that the owner doesn't need to be there when setting the scope. NPM could handle it, but yarn couldn't.

@alexk111
Copy link

@alexk111 alexk111 commented Jun 6, 2020

For those who use aliases check this workaround: #8130 (comment)

@dvdotsenko
Copy link

@dvdotsenko dvdotsenko commented Jul 5, 2020

Had to split user-level .npmrc and project-level .npmrc to make yarn respect GitHub package tokens. Moving named registry declarations from user-level to project-level was the key

Contents of ~/.npmrc

_auth=#####TOKEN_FOR_ARTIFACTORY#####
always-auth=true
registry=https://artifactory.mycompany.net/artifactory/api/npm/npm/
//npm.pkg.github.com/:_authToken=####GitHub_NPM_REGISTRY_TOKEN#####

Contents of ~/projects/blah/.npmrc

@mycompany:registry=https://npm.pkg.github.com

Until i moved the ^ named family package registry entry to project-level .npmrc, yarn install was giving me 401 (for GH-hosted packages under @mycompany). Now it does not.

For Docker build mount them separately:

base.Dockerfile:

# syntax=docker/dockerfile:1-experimental
## ^ need to enable --mount=type=secret support

ARG BASE_IMAGE
FROM ${BASE_IMAGE} as build

# note that only project-level .npmrc is copied
COPY package.json yarn.lock .npmrc ./

# ~/.npmrc with actual secrets is mounted as "secret" (does not stay in image)
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc,required \
    yarn install --production --frozen-lockfile ...

Docker build command:

DOCKER_BUILDKIT=1 docker build \
		--build-arg BASE_IMAGE=$(BASE_IMAGE) \
 		--secret id=npmrc,src="$(HOME)/.npmrc" \
		-t $(IMAGE_NAME):$(IMAGE_TAG) \
		-f base.Dockerfile .

(Note, that i did NOT need .yarnrc for this to work, but i am on yarn 1.17.3 so things may be different for other versions)

@viceice
Copy link
Contributor

@viceice viceice commented Aug 25, 2020

I've digged a little bit arround and it seems yarn uses the wrong auth credentials.

~/.npmrc

//npm-old.visualon.de/npm/vo-npm/:_password=XXXXXX
//npm-old.visualon.de/npm/vo-npm/:username=kriese
//npm-old.visualon.de/npm/vo-npm/:always-auth=true

//npm-new.visualon.de/:_authToken="XXXXXX"

package.json

{
  "name": "yarn-auth",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "tslib": "^2.0.1",
    "moment": "2.20.1"
  }
}

yarn.lock

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


moment@2.20.1:
  version "2.20.1"
  resolved "https://npm-old.visualon.de/npm/vo-npm/moment/-/moment-2.20.1.tgz#d6eb1a46cbcc14a2b2f9434112c1ff8907f313fd"
  integrity sha1-1usaRsvMFKKy+UNBEsH/iQfzE/0=

tslib@^2.0.1:
  version "2.0.1"
  resolved "https://npm-new.visualon.de/tslib/-/tslib-2.0.1.tgz#410eb0d113e5b6356490eec749603725b021b43e"
  integrity sha512-SgIkNheinmEBgx1IUNirK0TUD4X9yjjBRTqqjggWCU3pUEqIk3/Uwl3yRixYKT6WjQuGiwDv4NomL3wqRCj+CQ==

While trying to install yarn sends the bearer token from npm-new.visualon.de to npm-old.visualon.de. So it semms yarn only compares the base domain.

@msolovyov
Copy link

@msolovyov msolovyov commented Oct 15, 2020

If anyone still faces it, this is what worked for me.

.npmrc:
always-auth=true
@orgaccount:registry=https://npm.pkg.github.com
registry=https://registry.yarnpkg.com

https://npm.pkg.github.com/:_authToken=yyyyjjjjj3333888etc

@BenteleFlorian
Copy link

@BenteleFlorian BenteleFlorian commented Nov 13, 2020

Not sure if anyone faces a similar problem, but maybe this will help someone save a bit of time:

I am using Azure Artifacts as a private registry and had set up the PAT and .npmrc files as documented there.
Nevertheless, I was running into the same issue that npm install was working perfectly, but yarn install runs into the 401 Error all the time.
After a bit of try and error It turned out the I had a special character in my Registry URL (...@Local/...) but Azure Artifacts resolves this to the Unicode representation within their setup guide. npm handles this just fine, yarn not so much. Setting the actual @ character in the URL, solved my problem.

@Yuri6037
Copy link

@Yuri6037 Yuri6037 commented Dec 15, 2020

Yarn is really a weird tool: Found another bug with the same kind of issues. I think I know why is yarn so bugged with custom package registries.

I successfully got yarn to download and install properly any private package from a gitlab private registry. To do it you need to specify absolutely ALL redirections with the same token! Yarn is unable to infer the token based on the base address. It infers tokens based on the FULL address - the package name.

Example:

Won't work cause when downloading package the client is redirected to //gitlab.xxxx.yyy/api/v4/projects/z/packages/npm/ but here is the problem the other address is not exactly matched in the rc file

always-auth=true
//gitlab.xxxx.yyy/api/v4/packages/npm/:_authToken=whatever

@organization:registry=https://gitlab.xxxxx.yyy/api/v4/packages/npm/

Will work; now all addresses are explicitely using the same token

always-auth=true
//gitlab.xxxx.yyy/api/v4/packages/npm/:_authToken=whatever
//gitlab.xxxx.yyy/api/v4/projects/z/packages/npm/:_authToken=whatever

@organization:registry=https://gitlab.xxxxx.yyy/api/v4/packages/npm/

@viceice
Copy link
Contributor

@viceice viceice commented Dec 16, 2020

I've seen this too, yarn only supports one auth per domain 😕

@royi-frontegg
Copy link

@royi-frontegg royi-frontegg commented Jan 3, 2021

This is still an issue...
everything worked up great for me in bitbucket pipelines. Then one day the pipeline broke and we're stuck

@arcanis
Copy link
Member

@arcanis arcanis commented Jan 3, 2021

This behavior won't be changed in the 1.x line. Starting from 2.x, Yarn now exclusively reads from the .yarnrc.yml file, never from .npmrc. It also supports different tokens for different urls.

https://yarnpkg.com/getting-started/migration

@uvirk
Copy link

@uvirk uvirk commented Jan 3, 2021

@arcanis I appreciate you closing this - but I have a similar error when using Yarn 2 and .yarnrc.yml with a private Azure Artifacts repo.

If you set

yarnPath: ".yarn/releases/yarn-berry.cjs"
npmScopes:
      <companyname>:
        npmPublishRegistry: https://pkgs.dev.azure.com/<companyname>/_packaging/<companyname>/npm/registry/
        npmRegistryServer: https://pkgs.dev.azure.com/<companyname>/_packaging/<companyname>/npm/registry/
        npmAlwaysAuth: true
        npmAuthIdent: 'base64(<companyname>:<auth-token-taken-from-user-npmrc-file>)'
nodeLinker: node-modules

I continue to receive this error:

➤ YN0001: │ HTTPError: @:@npm:1.3.0: Response code 405 (Method Not Allowed)
at se. (C:\Source\Repos<companyname>\web.yarn\releases\yarn-berry.cjs:23:10082)
at runMicrotasks ()
at processTicksAndRejections (internal/process/task_queues.js:94:5)

Do you have any ideas associated?

I have followed the steps highlighted in yarnpkg/berry#316 to no avail.

@uvirk
Copy link

@uvirk uvirk commented Jan 15, 2021

@arcanis any update on this error? Your help is greatly appreciated!

@merceyz
Copy link
Member

@merceyz merceyz commented Jan 15, 2021

Try commenting on the V2 issue so that people using Azure Artifacts there can help

@mscottx88
Copy link

@mscottx88 mscottx88 commented Apr 9, 2021

@BenteleFlorian your suggestion was the answer here. Those ADO setup tips still encode @ as %40. If you see %40 in your URL, change it to @ and yarn install worked for us with just .npmrc file.

Before

https://pkgs.dev.azure.com/foo/_packaging/bar%40Local/npm/registry/

After

https://pkgs.dev.azure.com/foo/_packaging/bar@Local/npm/registry/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.