Support for private packages #521

Closed
jamiebuilds opened this Issue Oct 6, 2016 · 69 comments

Comments

Projects
None yet
@jamiebuilds
Member

jamiebuilds commented Oct 6, 2016

In order to allow installing private packages Yarn will need to send a token to the headers of the request.

Private packages are @scoped/packages that were published with npm publish --access=restricted. The permissions of packages are managed through npm access and npm team which are not yet added

In the npm client, this token comes from the .npmrc and looks like this:

@nameofscope:registry=https://registry.npmjs.com/
//registry.npmjs.com/:_authToken=abc123

And it gets sent as this header:

Authorization: Bearer abc123
# alternatively:
Authorization: Basic username:password # <= base64

There's a package for retrieving the token. Although we may not want to store the token the same way npm does.

This token gets added to .npmrc on npm login. But yarn login doesn't even authenticate (it only stores username and email), so we may want to force the user to authenticate on install (in which case we need to solve scripting these installs for CI servers through some kind of environment variable).

We also need to make sure that Yarn users don't accidentally publish something publicly.

@jamiebuilds jamiebuilds changed the title from Support for private packages on public registry to Support for private packages Oct 6, 2016

@kittens

This comment has been minimized.

Show comment
Hide comment
@kittens

kittens Oct 6, 2016

Member

We already have npm login and auth logic here. Just need to sort out the workflow.

Member

kittens commented Oct 6, 2016

We already have npm login and auth logic here. Just need to sort out the workflow.

@cpojer cpojer added this to the 1.0.0 - Open source milestone Oct 6, 2016

@cpojer cpojer removed this from the Open Source milestone Oct 11, 2016

@chicoxyzzy

This comment has been minimized.

Show comment
Hide comment
@chicoxyzzy

chicoxyzzy Oct 11, 2016

Contributor

Private registry doesn't always need auth token. For example we access our private registry through corporate VPN.

Contributor

chicoxyzzy commented Oct 11, 2016

Private registry doesn't always need auth token. For example we access our private registry through corporate VPN.

@knksmith57

This comment has been minimized.

Show comment
Hide comment
@knksmith57

knksmith57 Oct 11, 2016

^^ Agreed. Allowing for the association of a separate registry per scope is sufficient for us (and I suspect many others).

knksmith57 commented Oct 11, 2016

^^ Agreed. Allowing for the association of a separate registry per scope is sufficient for us (and I suspect many others).

@jmonster

This comment has been minimized.

Show comment
Hide comment
@jmonster

jmonster Oct 12, 2016

in which case we need to solve scripting these installs for CI servers through some kind of environment variable

in which case we need to solve scripting these installs for CI servers through some kind of environment variable

@djMax

This comment has been minimized.

Show comment
Hide comment
@djMax

djMax Oct 13, 2016

When we say "we already have this logic" - I don't see any path where an Authorization header would be sent to a registry. If there was one, perhaps there'd be a temporary workaround to make this all work while something more final is sorted out. Am I missing something?

djMax commented Oct 13, 2016

When we say "we already have this logic" - I don't see any path where an Authorization header would be sent to a registry. If there was one, perhaps there'd be a temporary workaround to make this all work while something more final is sorted out. Am I missing something?

@djforth

This comment has been minimized.

Show comment
Hide comment
@djforth

djforth Oct 13, 2016

+1 looks like scoped packages even if they are public seem to fail.

djforth commented Oct 13, 2016

+1 looks like scoped packages even if they are public seem to fail.

@frederickfogerty

This comment has been minimized.

Show comment
Hide comment
@frederickfogerty

frederickfogerty Oct 16, 2016

To further @djforth's comment, I just installed from master, and I'm getting the same error - scoped packages are failing. It converts the / in the package name into %2f, which means the request to npm to find the package fails.

e.g. Error: https://registry.yarnpkg.com/@company%2fdata: Not found

To further @djforth's comment, I just installed from master, and I'm getting the same error - scoped packages are failing. It converts the / in the package name into %2f, which means the request to npm to find the package fails.

e.g. Error: https://registry.yarnpkg.com/@company%2fdata: Not found

@djMax

This comment has been minimized.

Show comment
Hide comment
@djMax

djMax Oct 16, 2016

That's the way it fails if auth is required. I got it to work for public scoped packages

djMax commented Oct 16, 2016

That's the way it fails if auth is required. I got it to work for public scoped packages

devongovett added a commit to devongovett/yarn that referenced this issue Oct 17, 2016

Support auth for private npm packages
Sends the auth token for scoped packages, which may be private. Fixes #1134 and #521.
@devongovett

This comment has been minimized.

Show comment
Hide comment
@devongovett

devongovett Oct 17, 2016

Contributor

Should be fixed by #839 and #1146.

Contributor

devongovett commented Oct 17, 2016

Should be fixed by #839 and #1146.

devongovett added a commit to devongovett/yarn that referenced this issue Oct 17, 2016

Support auth for private npm packages
Sends the auth token for scoped packages, which may be private. Fixes #1134 and #521.

cpojer added a commit that referenced this issue Oct 17, 2016

Support auth for private npm packages (#1146)
Sends the auth token for scoped packages, which may be private. Fixes #1134 and #521.
@vjpr

This comment has been minimized.

Show comment
Hide comment
@vjpr

vjpr Oct 18, 2016

@devongovett I ran into a few issues:


This is the check for whether auth should be used:

    if (this.token || (alwaysAuth && requestUrl.startsWith(registry))) {
      headers.authorization = this.getAuth(pathname);
    }

If registry is http://registry.npmjs.org/ then an https request will fail to have auth attached because of requestUrl.startsWith(registry).


I had yarn config get registry set to registry.yarnpkg.org and that was being used when trying to get my private module, instead of using @my-org:registry': 'https://registry.npmjs.org/',.


So the fix for me was:

//if (this.token || (alwaysAuth && requestUrl.startsWith(registry))) {
if (this.token || (alwaysAuth)) {

I was also getting an initial call to the NpmRegistry#request to @my-org%2fmodule.

vjpr commented Oct 18, 2016

@devongovett I ran into a few issues:


This is the check for whether auth should be used:

    if (this.token || (alwaysAuth && requestUrl.startsWith(registry))) {
      headers.authorization = this.getAuth(pathname);
    }

If registry is http://registry.npmjs.org/ then an https request will fail to have auth attached because of requestUrl.startsWith(registry).


I had yarn config get registry set to registry.yarnpkg.org and that was being used when trying to get my private module, instead of using @my-org:registry': 'https://registry.npmjs.org/',.


So the fix for me was:

//if (this.token || (alwaysAuth && requestUrl.startsWith(registry))) {
if (this.token || (alwaysAuth)) {

I was also getting an initial call to the NpmRegistry#request to @my-org%2fmodule.

@devongovett

This comment has been minimized.

Show comment
Hide comment
@devongovett

devongovett Oct 18, 2016

Contributor

Yes, currently it replaces https://registry.npmjs.com/ with https://registry.yarnpkg.com/ here, which confuses the check here.

Contributor

devongovett commented Oct 18, 2016

Yes, currently it replaces https://registry.npmjs.com/ with https://registry.yarnpkg.com/ here, which confuses the check here.

@vjpr

This comment has been minimized.

Show comment
Hide comment
@vjpr

vjpr Oct 20, 2016

EDIT: Ignore this post - it just started working for some reason.

I had to make sure to login to the scope on npm, using npm adduser --registry=http://registry.npmjs.org --scope=@foo --always-auth.


When I run:

npm3 adduser --registry=http://registry.npmjs.org --scope=@foo --always-auth

My npm looks like this:

_auth="xxx"
email=foo@gmail.com
strict-ssl=false
//registry.npmjs.org/:_authToken=xxx
registry=http://registry.npmjs.org/
@foo:registry=http://registry.npmjs.org/
save=false
save-exact=false
save-prefix=^
always-auth=true

NpmRegistry#getAuth looks like this:

  getAuth(packageName: string): string {

    if (this.token) {
      return this.token;
    }

    for (let registry of [this.getRegistry(packageName), '', DEFAULT_REGISTRY]) {
      registry = registry.replace(/^https?:/, '');

      // Check for bearer token.
      console.log({registry})
      let auth = this.getScopedOption(registry, '_authToken');
      if (auth) {
        return `Bearer ${String(auth)}`;
      }

      // Check for basic auth token.
      auth = this.getScopedOption(registry, '_auth');
      if (auth) {
        return `Basic ${String(auth)}`;
      }

      // Check for basic username/password auth.
      const username = this.getScopedOption(registry, 'username');
      const password = this.getScopedOption(registry, '_password');
      if (username && password) {
        const pw = new Buffer(String(password), 'base64').toString();
        return 'Basic ' + new Buffer(String(username) + ':' + pw).toString('base64');
      }
    }

    return '';
  }

It ends up using the authorization header Basic xxx. It is using the _auth key.

vjpr commented Oct 20, 2016

EDIT: Ignore this post - it just started working for some reason.

I had to make sure to login to the scope on npm, using npm adduser --registry=http://registry.npmjs.org --scope=@foo --always-auth.


When I run:

npm3 adduser --registry=http://registry.npmjs.org --scope=@foo --always-auth

My npm looks like this:

_auth="xxx"
email=foo@gmail.com
strict-ssl=false
//registry.npmjs.org/:_authToken=xxx
registry=http://registry.npmjs.org/
@foo:registry=http://registry.npmjs.org/
save=false
save-exact=false
save-prefix=^
always-auth=true

NpmRegistry#getAuth looks like this:

  getAuth(packageName: string): string {

    if (this.token) {
      return this.token;
    }

    for (let registry of [this.getRegistry(packageName), '', DEFAULT_REGISTRY]) {
      registry = registry.replace(/^https?:/, '');

      // Check for bearer token.
      console.log({registry})
      let auth = this.getScopedOption(registry, '_authToken');
      if (auth) {
        return `Bearer ${String(auth)}`;
      }

      // Check for basic auth token.
      auth = this.getScopedOption(registry, '_auth');
      if (auth) {
        return `Basic ${String(auth)}`;
      }

      // Check for basic username/password auth.
      const username = this.getScopedOption(registry, 'username');
      const password = this.getScopedOption(registry, '_password');
      if (username && password) {
        const pw = new Buffer(String(password), 'base64').toString();
        return 'Basic ' + new Buffer(String(username) + ':' + pw).toString('base64');
      }
    }

    return '';
  }

It ends up using the authorization header Basic xxx. It is using the _auth key.

@ikosenn

This comment has been minimized.

Show comment
Hide comment
@ikosenn

ikosenn Oct 23, 2016

Hey,
Has anyone managed to publish to a private npm registry created with Sinopia. I am able to do so with npm publish but yarn publish takes forever on the publishing step. I have changed the registry with yarn config set registry. Something else I noted I am not prompted for my password in the login step

ikosenn commented Oct 23, 2016

Hey,
Has anyone managed to publish to a private npm registry created with Sinopia. I am able to do so with npm publish but yarn publish takes forever on the publishing step. I have changed the registry with yarn config set registry. Something else I noted I am not prompted for my password in the login step

@Tapppi

This comment has been minimized.

Show comment
Hide comment
@Tapppi

Tapppi Oct 24, 2016

Is a fix on the way for private packages? The problem @devongovett described above just bit me in CI. My current workaround is to yarn config set registry https://registry.npmjs.org/ so that yarn sets the auth token on requests for private packages.

Tapppi commented Oct 24, 2016

Is a fix on the way for private packages? The problem @devongovett described above just bit me in CI. My current workaround is to yarn config set registry https://registry.npmjs.org/ so that yarn sets the auth token on requests for private packages.

@rovansteen

This comment has been minimized.

Show comment
Hide comment
@rovansteen

rovansteen Oct 25, 2016

I'm also running in the issue that yarn login doesn't ask for a password, therefore I am not able to use Gemfury (https://gemfury.com). I am not sure if it's related to this issue though. Should I create a separate issue for this?

I'm also running in the issue that yarn login doesn't ask for a password, therefore I am not able to use Gemfury (https://gemfury.com). I am not sure if it's related to this issue though. Should I create a separate issue for this?

@jmonster

This comment has been minimized.

Show comment
Hide comment
@jmonster

jmonster Oct 25, 2016

Another use case I haven't seen mentioned:

git repositories can be fetched via https or ssh. If the repo is private, you need credentials (duh). When deploying to Heroku, .netrc is the optimal way to authenticate using the .netrc buildpack

Another use case I haven't seen mentioned:

git repositories can be fetched via https or ssh. If the repo is private, you need credentials (duh). When deploying to Heroku, .netrc is the optimal way to authenticate using the .netrc buildpack

@jamiebuilds

This comment has been minimized.

Show comment
Hide comment
@jamiebuilds

jamiebuilds Oct 25, 2016

Member

@rovansteen yarn login intentionally does not ask for a password. We do not want to store credentials or api tokens because that's a bad security practice

Member

jamiebuilds commented Oct 25, 2016

@rovansteen yarn login intentionally does not ask for a password. We do not want to store credentials or api tokens because that's a bad security practice

@rovansteen

This comment has been minimized.

Show comment
Hide comment
@rovansteen

rovansteen Oct 26, 2016

@thejameskyle ah, that makes sense. I noticed Gemfury also has a way to use an API token and that works fine with Yarn. Thanks!

@thejameskyle ah, that makes sense. I noticed Gemfury also has a way to use an API token and that works fine with Yarn. Thanks!

@dfreeman

This comment has been minimized.

Show comment
Hide comment
@dfreeman

dfreeman Oct 28, 2016

We're having issues fetching the actual tarballs from our private scope-associated registry. The metadata is coming in fine, but it looks like the authorization header isn't being included in the request for the tarball.

This line in NpmRegistry#request seems to be the culprit—it calls getRegistry with the path of the tarball, when it seems to be expecting a package name instead. Because of that, it's not able to discover the scope and it falls back to the settings for the default registry.

I could imagine extending getScope to attempt to determine the scope from the URL (and I'd be happy to open a PR doing so), but that seems potentially error-prone. Maybe the associated package name needs to be plumbed through?

(Edit: Looks like this also came up in #1619 (comment))

dfreeman commented Oct 28, 2016

We're having issues fetching the actual tarballs from our private scope-associated registry. The metadata is coming in fine, but it looks like the authorization header isn't being included in the request for the tarball.

This line in NpmRegistry#request seems to be the culprit—it calls getRegistry with the path of the tarball, when it seems to be expecting a package name instead. Because of that, it's not able to discover the scope and it falls back to the settings for the default registry.

I could imagine extending getScope to attempt to determine the scope from the URL (and I'd be happy to open a PR doing so), but that seems potentially error-prone. Maybe the associated package name needs to be plumbed through?

(Edit: Looks like this also came up in #1619 (comment))

@gerges

This comment has been minimized.

Show comment
Hide comment
@gerges

gerges Nov 1, 2016

I'm seeing the same issue as @dfreeman, the scope is recognized and the registry is queried. The correct tarball url and hash are retrieved, but the download doesn't contain the correct Authorization headers resulting in a download with no response body. Yarn then bails out with a hash mismatch. The error always complains with a but got da39a3ee5e6b4b0d3255bfef95601890afd80709 which is the sha of an empty file.

> touch empty
> openssl sha1 empty
SHA1(empty)= da39a3ee5e6b4b0d3255bfef95601890afd80709

EDIT: Let me know if this should be raised as a new issue

gerges commented Nov 1, 2016

I'm seeing the same issue as @dfreeman, the scope is recognized and the registry is queried. The correct tarball url and hash are retrieved, but the download doesn't contain the correct Authorization headers resulting in a download with no response body. Yarn then bails out with a hash mismatch. The error always complains with a but got da39a3ee5e6b4b0d3255bfef95601890afd80709 which is the sha of an empty file.

> touch empty
> openssl sha1 empty
SHA1(empty)= da39a3ee5e6b4b0d3255bfef95601890afd80709

EDIT: Let me know if this should be raised as a new issue

@maybeec

This comment has been minimized.

Show comment
Hide comment
@maybeec

maybeec Nov 3, 2016

Basically, I got yarn somehow authenticating against jfrog. However, publishing seems to be broken.
It is just getting stuck and I am not sure how to proceed as there is no verbose log or anything else. I could not even see any network traffic caused by an upload.

$ yarn publish --access restricted --new-version 2.0.2+1478176271464 .
yarn publish v0.16.1
[1/4] Bumping version...
info Current version: 2.0.2+SNAPSHOT
info New version: 2.0.2+1478176271464
[2/4] Logging in...
[3/4] Publishing...

maybeec commented Nov 3, 2016

Basically, I got yarn somehow authenticating against jfrog. However, publishing seems to be broken.
It is just getting stuck and I am not sure how to proceed as there is no verbose log or anything else. I could not even see any network traffic caused by an upload.

$ yarn publish --access restricted --new-version 2.0.2+1478176271464 .
yarn publish v0.16.1
[1/4] Bumping version...
info Current version: 2.0.2+SNAPSHOT
info New version: 2.0.2+1478176271464
[2/4] Logging in...
[3/4] Publishing...
@jamiebuilds

This comment has been minimized.

Show comment
Hide comment
@jamiebuilds

jamiebuilds Nov 7, 2016

Member

Please use upvotes rather than commenting.

Member

jamiebuilds commented Nov 7, 2016

Please use upvotes rather than commenting.

@hereandnow

This comment has been minimized.

Show comment
Hide comment
@hereandnow

hereandnow Jan 26, 2017

i know we should upvote and not comment, but the last comment is almost 2 months old and i'm kind of unsure if there is anything we could help with?!

i know we should upvote and not comment, but the last comment is almost 2 months old and i'm kind of unsure if there is anything we could help with?!

@excenter

This comment has been minimized.

Show comment
Hide comment
@excenter

excenter Jan 27, 2017

having a .yarnrc file at the root of your user folder (on mac) containing

registry "https://npm.some-internal-site.tld"

I was able to download some internal packages. The big caveat being it's access controlled by the site rather than username/password.
hope this helps.

having a .yarnrc file at the root of your user folder (on mac) containing

registry "https://npm.some-internal-site.tld"

I was able to download some internal packages. The big caveat being it's access controlled by the site rather than username/password.
hope this helps.

@shakefu

This comment has been minimized.

Show comment
Hide comment
@shakefu

shakefu Jan 27, 2017

Pretty sure this is working ... ? I've been using yarn with privately scoped packages for couple months.

@thejameskyle - Are you still having trouble with private scoped packages?

shakefu commented Jan 27, 2017

Pretty sure this is working ... ? I've been using yarn with privately scoped packages for couple months.

@thejameskyle - Are you still having trouble with private scoped packages?

@SEAPUNK

This comment has been minimized.

Show comment
Hide comment
@SEAPUNK

SEAPUNK Jan 27, 2017

@shakefu The only problem I have with private packages at this point is me needing to add a registry=https://registry.npmjs.org/ to the top of my .npmrc file, because npm login just adds the line with the token, but nothing else.

SEAPUNK commented Jan 27, 2017

@shakefu The only problem I have with private packages at this point is me needing to add a registry=https://registry.npmjs.org/ to the top of my .npmrc file, because npm login just adds the line with the token, but nothing else.

@StephanBijzitter

This comment has been minimized.

Show comment
Hide comment
@StephanBijzitter

StephanBijzitter Mar 14, 2017

Logging out and in is definitely not an option for us, as that would invalidate all existing tokens.

Logging out and in is definitely not an option for us, as that would invalidate all existing tokens.

@shakefu

This comment has been minimized.

Show comment
Hide comment
@shakefu

shakefu Mar 14, 2017

@StephanBijzitter I don't think you need to log out or in again, removing the *rc files should allow you to get new tokens while logging in without invalidating old ones. Not sure if that will work for you, though.

shakefu commented Mar 14, 2017

@StephanBijzitter I don't think you need to log out or in again, removing the *rc files should allow you to get new tokens while logging in without invalidating old ones. Not sure if that will work for you, though.

@StephanBijzitter

This comment has been minimized.

Show comment
Hide comment
@StephanBijzitter

StephanBijzitter Mar 14, 2017

Yeah, I confirm that generating (or storing, whatever you prefer) an .npmrc file works with Yarn for private, scoped packages.

Yeah, I confirm that generating (or storing, whatever you prefer) an .npmrc file works with Yarn for private, scoped packages.

@maximgeerinck

This comment has been minimized.

Show comment
Hide comment
@maximgeerinck

maximgeerinck Apr 5, 2017

@myprivaterepo:registry=https://npm.myprivaterepo/
//npm.myprivaterepo/:_authToken=$NPM_TOKEN

Doesn't seem to pick up the .npmrc as i get a forbidden error when it access this private package

maximgeerinck commented Apr 5, 2017

@myprivaterepo:registry=https://npm.myprivaterepo/
//npm.myprivaterepo/:_authToken=$NPM_TOKEN

Doesn't seem to pick up the .npmrc as i get a forbidden error when it access this private package

@motss

This comment has been minimized.

Show comment
Hide comment
@motss

motss Apr 5, 2017

I've been struggling with this issue for so long. We internally hosted our own private NPM repositories using Sonatype but couldn't install with Yarn but NPM worked just fine.

motss commented Apr 5, 2017

I've been struggling with this issue for so long. We internally hosted our own private NPM repositories using Sonatype but couldn't install with Yarn but NPM worked just fine.

@jonsharratt

This comment has been minimized.

Show comment
Hide comment
@jonsharratt

jonsharratt Apr 18, 2017

Contributor

We managed to get our Codebox private npm project (https://github.com/craftship/codebox-npm) working using the always-auth=true (craftship/codebox-npm#30) option in the .npmrc file.

Although you can get a hosted registry the project itself is completely open source so if your team uses GitHub (as it uses it for authentication) and you are on AWS you can deploy it pretty easily using the Serverless framework.

Just thought I would share.

Contributor

jonsharratt commented Apr 18, 2017

We managed to get our Codebox private npm project (https://github.com/craftship/codebox-npm) working using the always-auth=true (craftship/codebox-npm#30) option in the .npmrc file.

Although you can get a hosted registry the project itself is completely open source so if your team uses GitHub (as it uses it for authentication) and you are on AWS you can deploy it pretty easily using the Serverless framework.

Just thought I would share.

@erictapen erictapen referenced this issue in NixOS/npm2nix Apr 20, 2017

Open

scoped packages still fail #48

@sylvesteraswin

This comment has been minimized.

Show comment
Hide comment
@sylvesteraswin

sylvesteraswin Apr 21, 2017

I am also having the same issue with Sinopia. Did anyone find a solution for this?

I am also having the same issue with Sinopia. Did anyone find a solution for this?

@BohdanTkachenko

This comment has been minimized.

Show comment
Hide comment
@BohdanTkachenko

BohdanTkachenko Apr 22, 2017

It does not work properly in all environments with .npmrc located at ~/.npmrc. On my local machine it works fine, but when I'm running this in Docker, it does not see ~/.npmrc when cwd is not ~. You can check it with yarn config list command.

On my local machine it outputs:

yarn config v0.23.2
info yarn config
{ 'version-tag-prefix': 'v',
  'version-git-tag': true,
  'version-git-sign': false,
  'version-git-message': 'v%s',
  'init-version': '1.0.0',
  'init-license': 'MIT',
  'save-prefix': '^',
  'ignore-scripts': false,
  'ignore-optional': false,
  registry: 'https://registry.yarnpkg.com',
  'strict-ssl': true,
  'user-agent': 'yarn/0.23.2 npm/? node/v7.9.0 darwin x64',
  lastUpdateCheck: 1492804696073 }
info npm config
{ '//npm.example.com/:_authToken': 'XXXXX-YYYYYY-ZZZZZ',
  '@example:registry': 'https://npm.example.com/' }
✨  Done in 0.05s.

While inside of Docker it outputs:

root@a1c3c4fb1fb8:/app# yarn config list
yarn config v0.23.2
info yarn config
{ 'version-tag-prefix': 'v',
  'version-git-tag': true,
  'version-git-sign': false,
  'version-git-message': 'v%s',
  'init-version': '1.0.0',
  'init-license': 'MIT',
  'save-prefix': '^',
  'ignore-scripts': false,
  'ignore-optional': false,
  registry: 'https://registry.yarnpkg.com',
  'strict-ssl': true,
  'user-agent': 'yarn/0.23.2 npm/? node/v7.9.0 linux x64',
  lastUpdateCheck: 1492856034840,
  version: '0.23.2' }
info npm config
{ version: '0.23.2',
  loglevel: 'info' }
Done in 0.03s.

So it looks like it does not execute npm config correctly.

As temporary workaround for this, in Docker I just copy ~/.npmrc to /app/.npmrc.

It does not work properly in all environments with .npmrc located at ~/.npmrc. On my local machine it works fine, but when I'm running this in Docker, it does not see ~/.npmrc when cwd is not ~. You can check it with yarn config list command.

On my local machine it outputs:

yarn config v0.23.2
info yarn config
{ 'version-tag-prefix': 'v',
  'version-git-tag': true,
  'version-git-sign': false,
  'version-git-message': 'v%s',
  'init-version': '1.0.0',
  'init-license': 'MIT',
  'save-prefix': '^',
  'ignore-scripts': false,
  'ignore-optional': false,
  registry: 'https://registry.yarnpkg.com',
  'strict-ssl': true,
  'user-agent': 'yarn/0.23.2 npm/? node/v7.9.0 darwin x64',
  lastUpdateCheck: 1492804696073 }
info npm config
{ '//npm.example.com/:_authToken': 'XXXXX-YYYYYY-ZZZZZ',
  '@example:registry': 'https://npm.example.com/' }
✨  Done in 0.05s.

While inside of Docker it outputs:

root@a1c3c4fb1fb8:/app# yarn config list
yarn config v0.23.2
info yarn config
{ 'version-tag-prefix': 'v',
  'version-git-tag': true,
  'version-git-sign': false,
  'version-git-message': 'v%s',
  'init-version': '1.0.0',
  'init-license': 'MIT',
  'save-prefix': '^',
  'ignore-scripts': false,
  'ignore-optional': false,
  registry: 'https://registry.yarnpkg.com',
  'strict-ssl': true,
  'user-agent': 'yarn/0.23.2 npm/? node/v7.9.0 linux x64',
  lastUpdateCheck: 1492856034840,
  version: '0.23.2' }
info npm config
{ version: '0.23.2',
  loglevel: 'info' }
Done in 0.03s.

So it looks like it does not execute npm config correctly.

As temporary workaround for this, in Docker I just copy ~/.npmrc to /app/.npmrc.

@stereobooster

This comment has been minimized.

Show comment
Hide comment
@stereobooster

stereobooster Apr 26, 2017

found here https://github.com/uber/react-map-gl

yarn start v0.23.2
$ (cd examples/custom-interactions && (path-exists node_modules || yarn) && yarn run start-local)
sh: path-exists: command not found
yarn install v0.23.2
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
error An unexpected error occurred: "https://unpm.uberinternal.com/flow-remove-types/-/flow-remove-types-1.1.2.tgz: Request failed \"401 Unauthorized\"".
info If you think this is a bug, please open a bug report with the information provided in "/react-map-gl/examples/custom-interactions/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
error Command failed with exit code 1.

found here https://github.com/uber/react-map-gl

yarn start v0.23.2
$ (cd examples/custom-interactions && (path-exists node_modules || yarn) && yarn run start-local)
sh: path-exists: command not found
yarn install v0.23.2
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
error An unexpected error occurred: "https://unpm.uberinternal.com/flow-remove-types/-/flow-remove-types-1.1.2.tgz: Request failed \"401 Unauthorized\"".
info If you think this is a bug, please open a bug report with the information provided in "/react-map-gl/examples/custom-interactions/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
error Command failed with exit code 1.
@elibal

This comment has been minimized.

Show comment
Hide comment
@elibal

elibal May 8, 2017

I am also having the same issue with kendo-angular components.

C:\WorkingFolder\Projects\NG4\wck-management>yarn
yarn install v0.23.4
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
error An unexpected error occurred: "http://registry.npm.telerik.com/@progress%2
fkendo-angular-buttons/-/kendo-angular-buttons-1.0.0.tgz: Request failed "503 S
ervice Unavailable"".
info If you think this is a bug, please open a bug report with the information p
rovided in "C:\WorkingFolder\Projects\NG4\wck-management\yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this
command.

elibal commented May 8, 2017

I am also having the same issue with kendo-angular components.

C:\WorkingFolder\Projects\NG4\wck-management>yarn
yarn install v0.23.4
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
error An unexpected error occurred: "http://registry.npm.telerik.com/@progress%2
fkendo-angular-buttons/-/kendo-angular-buttons-1.0.0.tgz: Request failed "503 S
ervice Unavailable"".
info If you think this is a bug, please open a bug report with the information p
rovided in "C:\WorkingFolder\Projects\NG4\wck-management\yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this
command.

@bestander

This comment has been minimized.

Show comment
Hide comment
@bestander

bestander May 23, 2017

Member

It should be fixed now.
If you have some custom example where it does not work please open a new issue.
It is important to provide steps to reproduce in this cases.

Member

bestander commented May 23, 2017

It should be fixed now.
If you have some custom example where it does not work please open a new issue.
It is important to provide steps to reproduce in this cases.

@bestander bestander closed this May 23, 2017

@kachkaev

This comment has been minimized.

Show comment
Hide comment
@kachkaev

kachkaev May 23, 2017

Awesome @bestander! What's the minimum yarn version where it’s expected to work?

Awesome @bestander! What's the minimum yarn version where it’s expected to work?

@bestander

This comment has been minimized.

Show comment
Hide comment
@bestander

bestander May 23, 2017

Member
Member

bestander commented May 23, 2017

@klofi

This comment has been minimized.

Show comment
Hide comment
@klofi

klofi May 25, 2017

I can confirm that private scoped packages with scope and registry defined in .npmrc started working in Yarn 0.24.6 (did not work in Yarn 0.24.5). Thank you!

klofi commented May 25, 2017

I can confirm that private scoped packages with scope and registry defined in .npmrc started working in Yarn 0.24.6 (did not work in Yarn 0.24.5). Thank you!

@Mart112358

This comment has been minimized.

Show comment
Hide comment
@Mart112358

Mart112358 May 26, 2017

yarn install
yarn install v0.24.6
info No lockfile found.
[1/4] Resolving packages...
warning cldr-data > cldr-data-downloader > npmconf@2.0.9: this package has been reintegrated into npm and is now out of date with respect to npm
warning cldr-data > cldr-data-downloader > request > node-uuid@1.4.8: Use uuid module instead
[2/4] Fetching packages...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
error An unexpected error occurred: "http://registry.npm.telerik.com/@progress%2fkendo-angular-inputs/-/kendo-angular-inputs-1.0.3.tgz: ESOCKETTIMEDOUT".
info If you think this is a bug, please open a bug report with the information provided in "[...]\yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

yarn install
yarn install v0.24.6
info No lockfile found.
[1/4] Resolving packages...
warning cldr-data > cldr-data-downloader > npmconf@2.0.9: this package has been reintegrated into npm and is now out of date with respect to npm
warning cldr-data > cldr-data-downloader > request > node-uuid@1.4.8: Use uuid module instead
[2/4] Fetching packages...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
warning There appears to be trouble with your network connection. Retrying...
error An unexpected error occurred: "http://registry.npm.telerik.com/@progress%2fkendo-angular-inputs/-/kendo-angular-inputs-1.0.3.tgz: ESOCKETTIMEDOUT".
info If you think this is a bug, please open a bug report with the information provided in "[...]\yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

@beatrizaldaz

This comment has been minimized.

Show comment
Hide comment
@beatrizaldaz

beatrizaldaz May 30, 2017

yarn install v0.24.6
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
error An unexpected error occurred: "http://registry.npm.telerik.com/@progress%2fkendo-angular-l10n/-/kendo-angular-l10n-1.0.0.tgz: connect ETIMEDOUT 23.253.4.114:80".
info If you think this is a bug, please open a bug report with the information p
rovided in "....\yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this
command.

yarn install v0.24.6
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
error An unexpected error occurred: "http://registry.npm.telerik.com/@progress%2fkendo-angular-l10n/-/kendo-angular-l10n-1.0.0.tgz: connect ETIMEDOUT 23.253.4.114:80".
info If you think this is a bug, please open a bug report with the information p
rovided in "....\yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this
command.

@bestander

This comment has been minimized.

Show comment
Hide comment
@bestander

bestander May 30, 2017

Member

Looks like you can't connect to telerik.com, is http proxy configured?

Member

bestander commented May 30, 2017

Looks like you can't connect to telerik.com, is http proxy configured?

@beatrizaldaz

This comment has been minimized.

Show comment
Hide comment
@beatrizaldaz

beatrizaldaz May 30, 2017

The problem is yarn are searching by http://registry.npm.telerik.com, when I have configured yarn with strict-ssl to true:

info yarn config
{ 'version-tag-prefix': 'v',
'version-git-tag': true,
'version-git-sign': false,
'version-git-message': 'v%s',
'init-version': '1.0.0',
'init-license': 'MIT',
'save-prefix': '^',
'ignore-scripts': false,
'ignore-optional': false,
registry: 'https://registry.yarnpkg.com',
'strict-ssl': true,
'user-agent': 'yarn/0.24.6 npm/? node/v6.9.5 win32 x64',
lastUpdateCheck: 1496137030541 }
info npm config
{ 'strict-ssl': true,
'@progress:registry': 'https://registry.npm.telerik.com/',
'//registry.npm.telerik.com/:_authToken': '......' }
Done in 0.04s.

Previously I've configured the login with npm: "npm login --registry=https://registry.npm.telerik.com/ --scope=@progress"

It is neccesary that yarn searching for by "https" (https://registry.npm.telerik.com) :-)

Any idea what is the problem?

beatrizaldaz commented May 30, 2017

The problem is yarn are searching by http://registry.npm.telerik.com, when I have configured yarn with strict-ssl to true:

info yarn config
{ 'version-tag-prefix': 'v',
'version-git-tag': true,
'version-git-sign': false,
'version-git-message': 'v%s',
'init-version': '1.0.0',
'init-license': 'MIT',
'save-prefix': '^',
'ignore-scripts': false,
'ignore-optional': false,
registry: 'https://registry.yarnpkg.com',
'strict-ssl': true,
'user-agent': 'yarn/0.24.6 npm/? node/v6.9.5 win32 x64',
lastUpdateCheck: 1496137030541 }
info npm config
{ 'strict-ssl': true,
'@progress:registry': 'https://registry.npm.telerik.com/',
'//registry.npm.telerik.com/:_authToken': '......' }
Done in 0.04s.

Previously I've configured the login with npm: "npm login --registry=https://registry.npm.telerik.com/ --scope=@progress"

It is neccesary that yarn searching for by "https" (https://registry.npm.telerik.com) :-)

Any idea what is the problem?

@bestander

This comment has been minimized.

Show comment
Hide comment
@bestander

bestander May 30, 2017

Member
Member

bestander commented May 30, 2017

@beatrizaldaz

This comment has been minimized.

Show comment
Hide comment
@beatrizaldaz

beatrizaldaz May 30, 2017

OK, I will create a project, with a telerik trial account, to test the problem and I will send you the project link in github.

OK, I will create a project, with a telerik trial account, to test the problem and I will send you the project link in github.

@bestander

This comment has been minimized.

Show comment
Hide comment
@bestander

bestander May 30, 2017

Member

That would be great, @beatrizaldaz.
Can you open a new issue just for that case then?
It would be easier to track it isolated.

Member

bestander commented May 30, 2017

That would be great, @beatrizaldaz.
Can you open a new issue just for that case then?
It would be easier to track it isolated.

@dmiorandi

This comment has been minimized.

Show comment
Hide comment
@dmiorandi

dmiorandi Jun 13, 2017

About @beatrizaldaz post / Telerik. I've got same issue. In detail I've made some attemps
using following config (.npmrc). It seems almost to work but connections is made in http instead https
so is refused. Are there any temporary workaround about this (strict mode does not work)?

@progress:registry=https://registry.npm.telerik.com/
//registry.npm.telerik.com/:_authToken="YOUR_SECRET_HERE"
always-auth=true
registry="https://registry.npmjs.com/"

About @beatrizaldaz post / Telerik. I've got same issue. In detail I've made some attemps
using following config (.npmrc). It seems almost to work but connections is made in http instead https
so is refused. Are there any temporary workaround about this (strict mode does not work)?

@progress:registry=https://registry.npm.telerik.com/
//registry.npm.telerik.com/:_authToken="YOUR_SECRET_HERE"
always-auth=true
registry="https://registry.npmjs.com/"
@balanceiskey

This comment has been minimized.

Show comment
Hide comment
@balanceiskey

balanceiskey Jun 14, 2017

So I just ran into this yesterday (yarn was at 0.24.6). I'm not sure what exactly caused it as it's been working fine for awhile. My solution was to remove both the .npm folder and .npmrc file altogether, run yarn cache clean, login again with npm login and things appeared to work fine after that. I've been jumping between versions of node and npm via nvm more lately, possible culprit? Worth noting, I also uninstalled and reinstalled yarn with brew using the --ignore-dependencies flag at some point during troubleshooting, but that by itself did not resolve the issue.

balanceiskey commented Jun 14, 2017

So I just ran into this yesterday (yarn was at 0.24.6). I'm not sure what exactly caused it as it's been working fine for awhile. My solution was to remove both the .npm folder and .npmrc file altogether, run yarn cache clean, login again with npm login and things appeared to work fine after that. I've been jumping between versions of node and npm via nvm more lately, possible culprit? Worth noting, I also uninstalled and reinstalled yarn with brew using the --ignore-dependencies flag at some point during troubleshooting, but that by itself did not resolve the issue.

@balanceiskey

This comment has been minimized.

Show comment
Hide comment
@balanceiskey

balanceiskey Jun 14, 2017

One more note, if it's even relevant, when attempting yarn login during the course of these steps it would hang on the password prompt for some reason, which is why I did npm login.

One more note, if it's even relevant, when attempting yarn login during the course of these steps it would hang on the password prompt for some reason, which is why I did npm login.

@olalonde

This comment has been minimized.

Show comment
Hide comment

Related: #2738

@demurgos

This comment has been minimized.

Show comment
Hide comment
@demurgos

demurgos Nov 12, 2017

Hi,
It's been a few months: are there any news?

Hi,
It's been a few months: are there any news?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment