Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

yarn does not honor authentication settings in .npmrc #4451

Open
carlosduclos opened this issue Sep 14, 2017 · 62 comments

Comments

Projects
None yet
@carlosduclos
Copy link

commented Sep 14, 2017

Do you want to request a feature or report a bug?
BUG
What is the current behavior?
Yarn does not honor .npmrc
If the current behavior is a bug, please provide the steps to reproduce.
We require authentication for one of our repositories and we used to do this by specifying the authentication in .npmrc. This worked up to 0.28.4 but broke in 1.0.0

What is the expected behavior?
Honoring the authentication settings in .npmrc

Please mention your node.js, yarn and operating system version.
It happens after upgrading yarn to 1.0.0/1.0.1 (have tried both versions). Regardless of OS and nodejs version.

@BYK

This comment has been minimized.

Copy link
Member

commented Sep 14, 2017

This should be fixed in 1.0.2 which was released yesterday. Can you give it a spin?

@beardedtim

This comment has been minimized.

Copy link

commented Sep 14, 2017

@BYK I am experiencing the same issues as above and as mentioned at the end of #4157 . I tried running 1.0.2 and failed with 404. Running on 0.27.5 works as expected.

@KidkArolis

This comment has been minimized.

Copy link
Contributor

commented Sep 15, 2017

Could you paste your npmrc file here so we could try to reproduce (obviously edit out secrets or other private info)

@beardedtim

This comment has been minimized.

Copy link

commented Sep 15, 2017

@KidkArolis while trying to get my working dir as clean as possible, it somehow fixed the issue? 🙃

Steps I took:

  • Delete yarn.lock and any yarn-error.log files
  • Delete node_modules/
  • brew link yarn and yarn --version to ensure I was at 1.0.2
  • yarn

That seems to have worked. I am going to chalk this up as a user error on mine and my team's end.

@stieg

This comment has been minimized.

Copy link

commented Sep 15, 2017

@beardedtim What about if you now blow away node_modules but keep yarn.lock and then run yarn install? Does it all work then? This is in part what #4157 tracks but may be related to the larger issue at hand?

@kmoe

This comment has been minimized.

Copy link

commented Sep 18, 2017

I am experiencing this issue (404 on private scoped repo, whichever registry I use) for yarn versions 1.0.1, and 1.0.2. Version 0.27.5 worked after clearing some artifacts.

I have tried all the workarounds discussed in #4157. Happy to post logs if it will help.

@beardedtim

This comment has been minimized.

Copy link

commented Sep 18, 2017

@stieg I will try that later today when I get a free moment around lunch and post results. I believe I still got the 404 error but I've tried so many things at this point, who knows!

@solkaz

This comment has been minimized.

Copy link
Contributor

commented Sep 19, 2017

Has anyone found a solution to this?

@perlun

This comment has been minimized.

Copy link
Contributor

commented Sep 21, 2017

FWIW: I tried with:

  • Wiping my node_modules
  • Wiping ~/.yarn
  • curl -o- -L https://yarnpkg.com/install.sh | bash to reinstall yarn 1.0.2
  • yarn install - no errors, it installed everything flawlessly.

My ~/.yarnrc:

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


registry "https://registry.npmjs.org"
email some-email@acme.com
lastUpdateCheck 1505977814820
username some-user

And my ~/.npmrc:

//registry.npmjs.org/:_authToken=a-valid-uuid

The yarn.lock references look like this in my particular case:

  resolved "https://registry.npmjs.org/@acme/some-module/-/some-module-0.1.1.tgz#valid-git-sha"
@solkaz

This comment has been minimized.

Copy link
Contributor

commented Sep 21, 2017

Interesting. After putting the registry in my .yarnrc file, I was able to install my packages. However, I removed it to check if that was the culprit, and it still was successful (I deleted my cache so Yarn had to download it, and it managed to do so correctly).

@perlun

This comment has been minimized.

Copy link
Contributor

commented Sep 21, 2017

I tried on a fresh install (Debian this time, the other was macOS) and having these settings in ~/.npmrc and ~/.yarnrc worked equally well there. (Note: I did not try npm login or yarn login.)

@BYK

This comment has been minimized.

Copy link
Member

commented Sep 22, 2017

Closing as people reporting this was resolved. Reopen with concrete reproduction steps if it is not resolved for you @carlosduclos please.

@BYK BYK closed this Sep 22, 2017

@paraboom

This comment has been minimized.

Copy link

commented Sep 25, 2017

@BYK I had the same problem.
I used the clean install of the latest yarn version.
And it starts working after I added registry "https://registry.npmjs.org" to ~/.yarnrc.
I think it's a bug and it should be solved automatically, not manually, as we did.

@kmoe

This comment has been minimized.

Copy link

commented Sep 25, 2017

@BYK It may help to note that everyone who has "reported as resolved" has used the workaround of forcing yarn to use the https://registry.npmjs.org registry.

I think there is still a problem retrieving private packages from the https://registry.yarnpkg.com registry, however, and this is the default registry used by yarn (is it still just a reverse proxy? perhaps it's not honouring auth headers?).

Concrete reproduction steps

  1. Delete/move your .npmrc and .yarnrc files so yarn is using the default config.
  2. Locate a package published privately to the npm registry.
    1a. If you have downloaded/published it from the same machine you are testing yarn from, clear the npm and yarn caches.
  3. Run npm login or yarn login to populate the auth token.
  4. Using any yarn version after 0.27.5, try to install this package.
Expected results

Package installs successfully.

Actual results
❤ @up ➜  REPO git:(master) ★ yarn add @SCOPE/PACKAGE 
yarn add v1.1.0
info No lockfile found.
[1/5] Validating package.json...
[2/5] Resolving packages...
error An unexpected error occurred: "https://registry.npmjs.org/@SCOPE%2fPACKAGE: Not found".
info If you think this is a bug, please open a bug report with the information provided in "/home/katy/dev/REPO/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.
@awkaiser

This comment has been minimized.

Copy link

commented Sep 25, 2017

If project maintainers find @kmoe's instructions to be reproducible, this ticket should be reopened (at least for the sake of existing subscribers).

@perlun

This comment has been minimized.

Copy link
Contributor

commented Sep 26, 2017

I agree with @kmoe, the underlying issue is not fixed even in recent versions of yarn. Please reopen the issue. Yes, we have a workaround, but workaround != solution in this case.

@perlun

This comment has been minimized.

Copy link
Contributor

commented Oct 30, 2017

FWIW, this is still a problem in 1.1.0. I just verified it (came back here for the workaround, namely registry "https://registry.npmjs.org" being added to ~/.yarnrc)

@stewx

This comment has been minimized.

Copy link

commented Nov 22, 2017

I am having this problem in yarn 1.3.2 and it is breaking our builds right now. It worked fine on yarn 0.27.5.

We require an auth token from the .npmrc file to install packages from our Artifactory private registry.

Reproduction steps:

  1. Have an .npmrc file with authentication info in it like:
registry=https://artifactory.mycompany.com/artifactory/api/npm/npm-virtual
_auth = myAuthTokenHere
always-auth = true
email = me@mycompany.com
  1. Run yarn install
  2. Get HTTP 401 error when yarn is trying to install stuff from the private registry:
error An unexpected error occurred: "https://artifactory.mycompany.com/api/npm/npm-virtual/@angular/compiler/-/compiler-4.3.1.tgz: Request failed \"401 Unauthorized\"".
@stewx

This comment has been minimized.

Copy link

commented Nov 22, 2017

Related: #4672

@jamesone

This comment has been minimized.

Copy link

commented Jan 3, 2018

@stewx I'm also having the same problem on 1.3.2. Did you find a fix or a way around it?

@stewx

This comment has been minimized.

Copy link

commented Jan 4, 2018

@jamesone Nope, I downgraded to something like 0.27. It's a deal-breaker for our project.

@Bnaya

This comment has been minimized.

Copy link

commented Jan 4, 2018

@stewx @jamesone
Add registry "https://registry.npmjs.org" in your .yarnrc and reinstall the private packages
It will tell yarn to work directly with npmjs registry and it will solve the issue

@awkaiser

This comment has been minimized.

Copy link

commented Jan 4, 2018

It feels so wrong to version lock at 0.27.5 just to circumvent this one issue, but it seems like many are doing just that or redirecting registry config (although @stewx is reporting that does not solve for self-hosted private registries).

If frequent project contributors don't have time to fix this in the short term, would somebody be willing to suggest codebase location(s) where a fix is most likely to succeed, in the hopes that a community PR will be opened? 🤔

/cc @kittens @bestander @BYK @arcanis @rally25rs @kaylieEB

@TheLudd

This comment has been minimized.

Copy link

commented Jan 4, 2018

@Bnaya When you say reinstall, do you mean remove node_modules in your project or clear yarn cache?

@Bnaya

This comment has been minimized.

Copy link

commented Jan 4, 2018

yarn remove yourprivatepackage; yarn add yourprivatepackage

And in the lock file you will see https://registry.npmjs.org/*** url and not https://registry.yarnpkg ***

I would suggest adding the .yarnrc next to your package.json

@xuanyue202

This comment has been minimized.

Copy link

commented Jan 9, 2018

@KidkArolis Thanks for the PR. But I think the problem lies not only in the "--scope" case, but in a more general case where a private repo also mirrors public packages with auth.

@sanderpick

This comment has been minimized.

Copy link

commented Jan 16, 2018

By the way, @bytheway875, your trick of using https://registry.yarnpkg.com/ as the registry worked for me.

My situation:

  • Goal: install private packages with yarn from an org (@org-name) on npmjs.com using an authToken in local .npmrc file during a CI build (GitLab), so not logged into npm.
  • works with npm
  • no issues on dev machine (mac), i can npm login and yarn just works OR I can be logged out of npm but manually create a local / HOME dir .npmrc file with a single line: //registry.npmjs.org/:_authToken=token and yarn just works (that second method might be working cause of local cache, didn't try wiping that)
  • .yarnrc trick from above didn't work

The only way I can get this to work is by creating the below local .npmrc file before running yarn install in CI:

@org-name:registry=https://registry.yarnpkg.com/
always-auth=true
_authToken=token
@kmaikaze

This comment has been minimized.

Copy link

commented Jan 17, 2018

I had similar issue with .npmrc file. All I had to do is set encoding of .npmrc file to ANSI (in Windows you can use notepad.exe>Save As...).
You can test how yarn sees your .npmrc file content by using yarn config list

@ryanjaeb

This comment has been minimized.

Copy link

commented Jan 25, 2018

I can't get this to work with v1.4.1. I have a private Nexus repo and I use it as cache / proxy (like this). I can't seem to find definitive instructions, so it's possible I'm doing something wrong. I grabbed the yarn config syntax here and the yarn login syntax here.

Edit: I should have mentioned I've tried logging in via NPM first to get the needed .npmrc before trying with yarn.

Below is exactly what I'm doing to test.

Check Merge Commit (dc70576)

git tag --contains dc705768
v1.4.0
v1.4.1

Set Up

Create a Dockerfile to give a consistent, baseline environment for testing.

# Build
#  docker build -t yarn-private-registry-test .
# Run
#  docker run -it --rm yarn-private-registry-test

FROM debian:9.3-slim

WORKDIR /projects

RUN apt-get update \
  && apt-get --yes install curl gnupg \
  && curl -sL https://deb.nodesource.com/setup_8.x | bash - \
  && apt-get install --yes nodejs \
  && curl -OL https://github.com/yarnpkg/yarn/releases/download/v1.4.1/yarn_1.4.1_all.deb \
  && find . -name yarn*.deb -exec dpkg --install {} \; \
  && find . -name yarn*.deb -exec rm {} \;

Build Docker Image

docker build -t yarn-private-registry-test .

Test Yarn

Hint: Keep exiting and restarting the Docker container to get a clean environment.

No Config

Make sure the environment works by initialize a project and adding a dependency without making any config changes.

Run Docker Container

docker run -it --rm yarn-private-registry-test

Test

Add left-pad dependency.

mkdir yarn \
  && cd yarn \
  && yarn init --yes \
  && yarn add left-pad
yarn init v1.4.1
warning The yes flag has been set [...snip...]
success Saved package.json
Done in 0.03s.
yarn add v1.4.1
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
success Saved 1 new dependency.
└─ left-pad@1.2.0
Done in 0.52s.

Private Registry Config

Run Docker Container

docker run -it --rm yarn-private-registry-test

Test

mkdir yarn \
  && cd yarn \
  && yarn init --yes \
  && yarn config set registry https://example.com/repository/npm-group/ \
  && yarn login
yarn init v1.4.1
warning The yes flag has been set [...snip...]
success Saved package.json
Done in 0.03s.
yarn config v1.4.1
success Set "registry" to "https://example.com/repository/npm-group/".
Done in 0.04s.
yarn login v1.4.1
question npm username: myusername
question npm email: me@example.com
Done in 6.25s.

Add left-pad dependency.

yarn --verbose add left-pad
yarn add v1.4.1
verbose 0.349 Checking for configuration file "/projects/yarn/.npmrc".
verbose 0.35 Checking for configuration file "/usr/local/share/.npmrc".
verbose 0.35 Checking for configuration file "/usr/etc/npmrc".
verbose 0.352 Checking for configuration file "/root/.npmrc".
verbose 0.353 Checking for configuration file "/projects/yarn/.npmrc".
verbose 0.353 Checking for configuration file "/projects/.npmrc".
verbose 0.355 Checking for configuration file "/projects/yarn/.yarnrc".
verbose 0.355 Checking for configuration file "/usr/local/share/.yarnrc".
verbose 0.357 Found configuration file "/usr/local/share/.yarnrc".
verbose 0.358 Checking for configuration file "/usr/etc/yarnrc".
verbose 0.358 Checking for configuration file "/root/.yarnrc".
verbose 0.359 Checking for configuration file "/projects/yarn/.yarnrc".
verbose 0.359 Checking for configuration file "/projects/.yarnrc".
verbose 0.365 current time: 2018-01-25T21:55:48.886Z
info No lockfile found.
verbose 0.405 Performing "GET" request to "https://yarnpkg.com/latest-version".
[1/4] Resolving packages...
verbose 0.48 Performing "GET" request to "https://example.com/repository/npm-group/left-pad".
verbose 0.52 Request "https://example.com/repository/npm-group/left-pad" finished with status code 401.
verbose 0.522 Error: Couldn't find package "left-pad" on the "npm" registry.
    at new MessageError (/usr/share/yarn/lib/cli.js:186:110)
    at NpmResolver.<anonymous> (/usr/share/yarn/lib/cli.js:50354:15)
    at Generator.next (<anonymous>)
    at step (/usr/share/yarn/lib/cli.js:98:30)
    at /usr/share/yarn/lib/cli.js:109:13
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:188:7)
error An unexpected error occurred: "Couldn't find package \"left-pad\" on the \"npm\" registry.".
info If you think this is a bug, please open a bug report with the information provided in "/projects/yarn/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.
verbose 0.809 Request "https://yarnpkg.com/latest-version" finished with status code 200.

Check .yarnrc

cat /usr/local/share/.yarnrc
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


registry "https://example.com/repository/npm-group/"
email me@example.com
lastUpdateCheck 1516917349331
username myusername

Test NPM

Skip straight to the desired config because it works.

Private Registry Config

Run Docker Container

docker run -it --rm yarn-private-registry-test

Test

mkdir npm \
  && cd npm \
  && npm init --yes \
  && npm config set registry https://example.com/repository/npm-group/ \
  && npm login
Wrote to /projects/npm/package.json:

{
  "name": "npm",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}


Username: myusername
Password:
Email: (this IS public) me@example.com
Logged in as myusername on https://example.com/repository/npm-group/.

Add left-pad dependency.

npm --verbose install left-pad
npm info it worked if it ends with ok
npm verb cli [ '/usr/bin/node',
npm verb cli   '/usr/bin/npm',
npm verb cli   '--verbose',
npm verb cli   'install',
npm verb cli   'left-pad' ]
npm info using npm@5.6.0
npm info using node@v8.9.4
npm verb npm-session 0ed36c84804378c8
npm http fetch GET 200 https://example.com/repository/npm-group/left-pad 78ms
npm http fetch GET 200 https://example.com/repository/npm-group/left-pad/-/left-pad-1.2.0.tgz 28ms
npm verb correctMkdir /root/.npm/_locks correctMkdir not in flight; initializing
npm verb makeDirectory /root/.npm/_locks creation not in flight; initializing
npm verb lock using /root/.npm/_locks/staging-2f9f45630e5bbb1a.lock for /projects/npm/node_modules/.staging
npm info lifecycle left-pad@1.2.0~preinstall: left-pad@1.2.0
npm info linkStuff left-pad@1.2.0
npm verb linkBins left-pad@1.2.0
npm verb linkMans left-pad@1.2.0
npm info lifecycle left-pad@1.2.0~install: left-pad@1.2.0
npm info lifecycle left-pad@1.2.0~postinstall: left-pad@1.2.0
npm verb unlock done using /root/.npm/_locks/staging-2f9f45630e5bbb1a.lock for /projects/npm/node_modules/.staging
npm verb saving [ { name: 'left-pad', spec: '^1.2.0', save: 'dependencies' } ]
npm info lifecycle undefined~preshrinkwrap: undefined
npm info lifecycle undefined~shrinkwrap: undefined
npm notice created a lockfile as package-lock.json. You should commit this file.
npm info lifecycle undefined~postshrinkwrap: undefined
npm WARN npm@1.0.0 No description
npm WARN npm@1.0.0 No repository field.

+ left-pad@1.2.0
added 1 package in 0.398s
npm verb exit [ 0, true ]
npm info
@KidkArolis

This comment has been minimized.

Copy link
Contributor

commented Feb 5, 2018

@ryanjaeb Thanks for the detailed report. The one thing I'm missing in order to tell you what might be going wrong here is the contents of ~/.npmrc and ~/.yarnrc files. You did paste your .yarnrc, but it doesn't contain password. Also without .npmrc file for comparison, it's hard to pin point the issue.

Your use case should work fine in ^1.4.0, but it's all about how the config file looks.

Tbh with you, I never use yarn login, I first npm login and then use yarn. In your above example, if you first do npm set config registry ... && npm login and then run add left-pad - does it work? If npm works, so should yarn. So I'm wondering if the yarn login command is what's broken.

@ryanjaeb

This comment has been minimized.

Copy link

commented Feb 6, 2018

@KidkArolis By ignoring yarn login and expecting to be able to get it working with only npm login, I was able to make some progress. I'm seeing two things.

.npmrc

The docs for npm-login don't seem to match what I'm actually seeing in .npmrc. Specifically, the --always-auth arg for the npm login command has no impact on the config, even though the docs say:

Can be used with --registry and / or --scope, e.g.
...
Registry-specific configuration of always-auth takes precedence over any global configuration.

However, regardless of whether or not I use that argument, I always end up with the same .npmrc. Both:

npm config set registry https://example.com/repository/npm-group/ \
  && npm login --registry=https://example.com/repository/npm-group/

and

npm config set registry https://example.com/repository/npm-group/ \
  && npm login --registry=https://example.com/repository/npm-group/ --always-auth

produce this .npmrc:

registry=https://example.com/repository/npm-group/
//example.com/repository/npm-group/:_authToken=NpmToken.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Sniffing the traffic going to my registry shows that NPM sends the auth token regardless:

GET /repository/npm-group/left-pad HTTP/1.1
Host: example.com
user-agent: npm/5.6.0 node/v8.9.4 linux x64
npm-in-ci: false
npm-scope: 
npm-session: c4c14c0b37be7bd5
referer: install left-pad
pacote-req-type: packument
pacote-pkg-id: registry:manifest
accept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*
authorization: Bearer NpmToken.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
accept-encoding: gzip,deflate
X-Forwarded-Proto: https
X-Forwarded-For: 10.10.10.1
X-Forwarded-Host: example.com
X-Forwarded-Server: example.com
Connection: Keep-Alive

Yarn does not send the token unless always-auth is set. Explicitly setting the always-auth flag in .npmrc gets everything working as expected.

npm config set always-auth true \
    && cat ~/.npmrc
registry=https://example.com/repository/npm-group/
//example.com/repository/npm-group/:_authToken=NpmToken.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
always-auth=true

Beyond knowing the behavior between NPM and Yarn differs, I'm not familiar enough with either to know which behavior is correct.

yarn login

I think you might be right about yarn login not working, but I haven't tested it extensively. Ignoring .npmrc and using only yarn, I try to mimic the NPM config.

yarn config set registry https://example.com/repository/npm-group/ \
    && yarn config set always-auth true \
    && yarn login

.yarnrc:

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


registry "https://example.com/repository/npm-group/"
always-auth true
email me@example.com
lastUpdateCheck 1517883362958
username myusername

No matter what I do, I'm never prompted to enter my password.

@alexindigo

This comment has been minimized.

Copy link

commented Feb 18, 2018

@KidkArolis For me npm works without explicit always-auth=true in .npmrc and yarn (1.3.2 or 1.4.0) doesn't. In my case I'm trying to point all requests to the virtual registry in artifactory. With always-auth=true and authToken in .npmrc – it works in 1.3.2, so not clear what was exactly fixed in 1.4.0.

@ezweave

This comment has been minimized.

Copy link

commented Mar 19, 2018

This still seems to be an issue, specifically hooking up to our Nexus repo.

I've tried several approaches:

  1. Deleting my ~/.yarnrc completely and relying only on what is in ~/.npmrc.
  2. Mucking about with registry settings in ~/.yarnrc.

It seems that yarn is not using the hashed _auth value (e.g. _auth=xyz) from ~/.npmrc

Version info

NPM

npm --version                                                                                                                                                                                                                                                                                                      
5.6.0

Yarn

yarn --version
1.5.1

Running on OS X 10.13.2.

NPMRC

My ~/.npmrc looks like this (some setting values omitted for obvious reasons):

registry=http://nexus-repo:8081/content/repositories/npm-all
init.author.name=Juan Smith
init.author.email=jsmith@somedomain.com
init.author.url=http://nexus-repo:8081/content/repositories/npm/
email=jsmith@somedomain.com
_auth=BASE64-HASH-USERNAME-PASSWORD
always-auth=true

YARNRC

My ~/.yarnrc looks like this (again obvious values omitted):

registry "http://nexus-repo:8081/content/repositories/npm-all//"
email jsmith@somedomain.com
lastUpdateCheck 1521495247797
username jsmith

¯_(ツ)_/¯

Not really sure where to go from here. It's not entirely clear what is going on, other than all yarn builds fail in the following fashion:

error An unexpected error occurred: "http://nexus-repo:8081/content/groups/npm-all/lru-cache/-/lru-cache-4.1.2.tgz: Request failed \"401 Unauthorized\"".

FWIW, IANADOE (I Am Not A Dev Ops Engineer) and am just trying to utilize a package that leans on yarn for electron builds. This could just be me not knowing how to set the base64 username|password hash for yarn. I have not been able to find docs explaining that.

@ryanjaeb

This comment has been minimized.

Copy link

commented Mar 20, 2018

@ezweave Sonatype has really good documentation. That link also has instructions for testing to make sure you're doing the base64 encoding correctly. Personally I find it easiest to enable the npm Bearer Token Realm in Nexus and to use npm login on my workstation. Ex:

npm config set registry http://nexus-repo:8081/content/repositories/npm-all
npm login --registry=http://nexus-repo:8081/content/repositories/npm-all --always-auth
npm config set always-auth true

Make sure it works with NPM before trying Yarn. I don't know if it matters, but you have two trailing slashes (//) on the .yarnrc registry.

@ezweave

This comment has been minimized.

Copy link

commented Mar 23, 2018

@ryanjaeb so, our devops team has Nexus locked down to only support the LDAP Realm. This might be the core of the problem, but there are many tools that rely on yarn that I cannot use because this seems to be unsupported. I've tried appending the _auth as a param in the appropriate syntax, et cetera. Nothing seems to work. (FWIW: the multiple slashes was a supposed fix for a related issue, I've done it with and without with no success.)

@adamscybot

This comment has been minimized.

Copy link

commented May 3, 2018

Can confirm that Yarn auth is broken with Nexus. yarn login doesn't prompt for a password but says it logged in successfully (it didn't -- no changes to rc file),

Publish does prompt for the password and does publish but it never reads from the __auth token wherever it is set to you have to login every time. And you also can't use yarn in a CI scenario.

@silentHoo

This comment has been minimized.

Copy link

commented May 30, 2018

yarn does not work within CI. Will this ever work?

@valscion

This comment has been minimized.

Copy link

commented Aug 1, 2018

This issue should have been fixed by #5216. That PR had a description containing this:

Fixes #4157, #4451, #4672, #4119.

and that caused GitHub to only close #4157 automatically when that PR was merged. The other issues should've probably been closed as well.

@KidkArolis

This comment has been minimized.

Copy link
Contributor

commented Aug 1, 2018

@valscion this might help further with these issues - #5322, but it slipped through the cracks..

@dballance

This comment has been minimized.

Copy link

commented Aug 3, 2018

Adding another datapoint - yarn 1.8.x+ fails on my build agent (VSTS). Reverting ONLY yarn to 1.7.x resolves the issue. It's looking at the correct registry, but not using the tokens that are injected into the .npmrc by the build agent. I do realize there are a lot of variables here, but figured it might be useful.

Running 1.9.x locally, where tokens are saved in my user .npmrc, works fine.

1.9.x Version

2018-08-03T21:17:04.9324575Z [command]C:\Windows\system32\cmd.exe /D /S /C "C:\Builds\_tool\yarn\1.9.4\x64\yarn-v1.9.4\bin\yarn.cmd build"
2018-08-03T21:17:05.4481355Z yarn run v1.9.4
2018-08-03T21:17:05.5418442Z $ lerna clean && lerna bootstrap
2018-08-03T21:17:08.3387809Z lerna info version 2.11.0
2018-08-03T21:17:08.3387809Z lerna info versioning independent
2018-08-03T21:17:08.3856545Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.3856545Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.3856545Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.3856545Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4012821Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4012821Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4169058Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4325326Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4325326Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.7606628Z lerna success clean finished
2018-08-03T21:17:09.5145894Z lerna info version 2.11.0
2018-08-03T21:17:09.5145894Z lerna info versioning independent
2018-08-03T21:17:09.5419287Z lerna info Bootstrapping 9 packages
2018-08-03T21:17:09.5419287Z lerna info lifecycle preinstall
2018-08-03T21:17:09.5576221Z lerna info Installing external dependencies
2018-08-03T21:17:12.8857424Z lerna ERR! execute callback with error
2018-08-03T21:17:12.8857424Z lerna ERR! Error: Command failed: yarn install --mutex network:42424 --non-interactive
2018-08-03T21:17:12.8857424Z lerna ERR! warning package.json: No license field
2018-08-03T21:17:12.8857424Z lerna ERR! warning Waiting for the other yarn instance to finish (4048)
2018-08-03T21:17:12.8857424Z lerna ERR! warning Waiting for the other yarn instance to finish (6896)
2018-08-03T21:17:12.8857424Z lerna ERR! warning No license field
2018-08-03T21:17:12.8857424Z lerna ERR! error An unexpected error occurred: "<INTERNAL_REGISTRY>/lodash.foreach/-/lodash.foreach-2.3.0.tgz: Request failed \"401 Unauthorized\"".
2018-08-03T21:17:12.8857424Z lerna ERR! [1/4] Resolving packages...
2018-08-03T21:17:12.8857424Z lerna ERR! [2/4] Fetching packages...
2018-08-03T21:17:12.8857424Z lerna ERR! info If you think this is a bug, please open a bug report with the information provided in "C:\\Builds\\6\\s\\packages\\<REMOVED>\\yarn-error.log".
2018-08-03T21:17:12.8857424Z lerna ERR! info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
2018-08-03T21:17:12.8857424Z lerna ERR! 
2018-08-03T21:17:12.8857424Z lerna ERR!     at Promise.all.then.arr (C:\Builds\6\s\node_modules\lerna\node_modules\execa\index.js:236:11)
2018-08-03T21:17:12.8857424Z lerna ERR!     at <anonymous>
2018-08-03T21:17:12.9482437Z lerna WARN complete Waiting for 1 child process to exit. CTRL-C to exit immediately.
2018-08-03T21:17:13.0732458Z { Error: Command failed: yarn install --mutex network:42424 --non-interactive
2018-08-03T21:17:13.0732458Z warning package.json: No license field
2018-08-03T21:17:13.0732458Z warning Waiting for the other yarn instance to finish (4048)
2018-08-03T21:17:13.0732458Z warning Waiting for the other yarn instance to finish (6896)
2018-08-03T21:17:13.0732458Z warning No license field
2018-08-03T21:17:13.0732458Z error An unexpected error occurred: "<INTERNAL_REGISTRY>/lodash.foreach/-/lodash.foreach-2.3.0.tgz: Request failed \"401 Unauthorized\"".
2018-08-03T21:17:13.0732458Z [1/4] Resolving packages...
2018-08-03T21:17:13.0732458Z [2/4] Fetching packages...
2018-08-03T21:17:13.0732458Z info If you think this is a bug, please open a bug report with the information provided in "C:\\Builds\\6\\s\\packages\\<REMOVED>\\yarn-error.log".
2018-08-03T21:17:13.0732458Z info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
2018-08-03T21:17:13.0732458Z 
2018-08-03T21:17:13.0732458Z     at Promise.all.then.arr (C:\Builds\6\s\node_modules\lerna\node_modules\execa\index.js:236:11)
2018-08-03T21:17:13.0732458Z     at <anonymous>
2018-08-03T21:17:13.0732458Z     at process._tickCallback (internal/process/next_tick.js:188:7)
2018-08-03T21:17:13.0732458Z   code: 1,
2018-08-03T21:17:13.0732458Z   killed: false,
2018-08-03T21:17:13.0732458Z   stdout: '[1/4] Resolving packages...\n[2/4] Fetching packages...\ninfo If you think this is a bug, please open a bug report with the information provided in "C:\\\\Builds\\\\6\\\\s\\\\packages\\\\<REMOVED>\\\\yarn-error.log".\ninfo Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.\n',
2018-08-03T21:17:13.0732458Z   stderr: 'warning package.json: No license field\nwarning Waiting for the other yarn instance to finish (4048)\nwarning Waiting for the other yarn instance to finish (6896)\nwarning No license field\nerror An unexpected error occurred: "<INTERNAL_REGISTRY>/lodash.foreach/-/lodash.foreach-2.3.0.tgz: Request failed \\"401 Unauthorized\\"".\n',
2018-08-03T21:17:13.0732458Z   failed: true,
2018-08-03T21:17:13.0732458Z   signal: null,
2018-08-03T21:17:13.0732458Z   cmd: 'yarn install --mutex network:42424 --non-interactive',
2018-08-03T21:17:13.0732458Z   timedOut: false,
2018-08-03T21:17:13.0732458Z   exitCode: 1 }
2018-08-03T21:17:13.0888721Z error Command failed with exit code 1.
2018-08-03T21:17:13.0888721Z info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

1.7.X Version

2018-08-03T21:33:16.4477199Z [command]C:\Windows\system32\cmd.exe /D /S /C "C:\Builds\_tool\yarn\1.7.0\x64\yarn-v1.7.0\bin\yarn.cmd build"
2018-08-03T21:33:16.9633413Z yarn run v1.7.0
2018-08-03T21:33:17.0727225Z $ lerna clean && lerna bootstrap
2018-08-03T21:33:19.2509802Z lerna info version 2.11.0
2018-08-03T21:33:19.2509802Z lerna info versioning independent
2018-08-03T21:33:19.2666043Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.2666043Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.2666043Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.2666043Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.2978554Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.5478528Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.5478528Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.5478528Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.6728520Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.8759839Z lerna success clean finished
2018-08-03T21:33:20.5947225Z lerna info version 2.11.0
2018-08-03T21:33:20.5947225Z lerna info versioning independent
2018-08-03T21:33:20.6103497Z lerna info Bootstrapping 9 packages
2018-08-03T21:33:20.6103497Z lerna info lifecycle preinstall
2018-08-03T21:33:20.6415982Z lerna info Installing external dependencies
2018-08-03T21:33:23.1103303Z lerna info Symlinking packages and binaries
2018-08-03T21:33:23.1415791Z lerna info lifecycle postinstall
2018-08-03T21:33:23.1415791Z lerna info lifecycle prepublish
2018-08-03T21:33:23.1415791Z lerna info lifecycle prepare
2018-08-03T21:33:23.1415791Z lerna success Bootstrapped 9 packages
2018-08-03T21:33:23.1572133Z $ ts-node ./build/index.ts
2018-08-03T21:33:58.5218101Z Done in 41.54s.
@arcanis

This comment has been minimized.

Copy link
Member

commented Aug 21, 2018

Hey folks, I have a request for the people following this issue and using a private registry.

We're considering dropping the registry hostname from the lockfile. This would make it easier to switch from a private registry to another, but the downside is that all the registries need to use similar URLs (since the hostname wouldn't be part of the URL, we would just merge it at runtime with the active configuration).

Could you please help us to confirm in #5892 that this workflow would work for your private registry provider (or tell us if it wouldn't)? That would help us get the level of confidence needed to make this change. Thanks!

@liuhelen10

This comment has been minimized.

Copy link

commented Sep 19, 2018

I'm experiencing issues with yarn publish not reading the auth token from my .npmrc as well. I'm running this on Ubuntu.

Versions

yarn - 1.9.4
npm - 5.5.1

~/.npmrc

Here's what my ~/.npmrc looks like (with token and registry obfuscated):

registry=http://myprivateregistry.net/
//myprivateregistry.net/:_authToken="myAuthToken"

Output

When I run yarn publish --noninteractive, I receive the following error:

yarn publish v1.9.4
[1/4] Bumping version...
info Current version: 2.1.3
[2/4] Logging in...
error No token found and can't prompt for login when running with --non-interactive.
info Visit https://yarnpkg.com/en/docs/cli/publish for documentation about this command.

Debug steps

I've tried the following to no avail:

  • Copying ~/.npmrc to a local .npmrc in my project directory
  • Running yarn login with my credentials before running yarn publish

I've also verified that running npm publish makes it past the authentication step (it fails on the versioning step because it won't let me override the same version number. This is why I want to use yarn publish --non-interactive, because it allows for uploading, say, README changes with the same version number)

Is there something else I'm missing? Thanks!

@dudekaa

This comment has been minimized.

Copy link

commented Oct 19, 2018

@liuhelen10 Do yo have .yarnrc file inside your project? This worked for me with token stored inside ~/.npmrc

Example

$ cat .yarnrc 
registry "https://registry.npmjs.org/"
@cnotv

This comment has been minimized.

Copy link

commented May 17, 2019

always-auth = true in .npmrc did the trick, not receiving 401 anymore while using Yarn.
Which makes not sense but whatever :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.