Yarn publish fails silently when not authorized

[namelessvoid]

Do you want to request a feature or report a bug?
bug

May be related to #6200

What is the current behavior?
When doing a yarn pbulish to a private registry (with credentials provided as _auth within an .npmrc): If the credentials are invalid, yarn reports an error (when using--verbose) but still finishes "successfully":

$ yarn publish --new-version 0.0.1 --verbose
yarn publish v1.15.2
warning package.json: No license field
...
verbose 0.273 current time: 2019-03-28T10:22:11.018Z
warning package.json: No license field
[1/4] Bumping version...
info Current version: 0.0.1
[2/4] Logging in...
[3/4] Publishing...
verbose 0.471 Performing "PUT" request to "https://some-private-regisitry/my-package".
verbose 0.63 Request "https://some-private-regisitry/my-package" finished with status code 401.
success Published.
[4/4] Revoking token...
info Not revoking login token, specified via config file.
Done in 0.45s

$ echo $?
0

Without using --verbose the publish process seems to have succeeded and I've been wondering where my package is. Only using verbosity helped me to see that I have not been authorized to the registry.

My .npmrc looks like

email=me@example.com
registry=https://some-private-regisitry
_auth=bXktdXNlcjpteS1wYXNzd29yZA==

If the current behavior is a bug, please provide the steps to reproduce.

1. Have some private npm registry
2. Create an .npmrc like above
3. run yarn publish

What is the expected behavior?

Yarn should fail with a) an error telling the user that authorization failed and b) non-zero exit code.

Please mention your node.js, yarn and operating system version.

node version: v10.15.3
yarn version: 1.15.2
OS: Windows 10 with a git bash

[bennyscetbun]

Still an issue in 1.22.10 on mac os

[loganknecht]

Can confirm, this is still an issue for me as well
Version 1.22.10

[shcallaway]

I can confirm this is fixed in 1.22.19, however a different problem exists: yarn still increments the semver in my package.json, even when yarn publish fails!

➜  request-logger (data-server) yarn --version                                                          ✗ ✭ ✱
1.22.19
➜  request-logger (data-server) yarn publish --verbose                                                  ✗ ✭ ✱
yarn publish v1.22.19
verbose 0.155121206 Checking for configuration file "/Users/sherwoodcallaway/code/opkit/request-logger/.npmrc".
verbose 0.15537597 Checking for configuration file "/Users/sherwoodcallaway/.npmrc".
verbose 0.155650507 Found configuration file "/Users/sherwoodcallaway/.npmrc".
verbose 0.156086365 Checking for configuration file "/usr/local/Cellar/node/18.4.0/etc/npmrc".
verbose 0.156604799 Checking for configuration file "/Users/sherwoodcallaway/code/opkit/request-logger/.npmrc".
verbose 0.156793444 Checking for configuration file "/Users/sherwoodcallaway/code/opkit/.npmrc".
verbose 0.156946367 Checking for configuration file "/Users/sherwoodcallaway/code/.npmrc".
verbose 0.157101287 Checking for configuration file "/Users/sherwoodcallaway/.npmrc".
verbose 0.157283499 Found configuration file "/Users/sherwoodcallaway/.npmrc".
verbose 0.157605611 Checking for configuration file "/Users/.npmrc".
verbose 0.159043956 Checking for configuration file "/Users/sherwoodcallaway/code/opkit/request-logger/.yarnrc".
verbose 0.159198117 Checking for configuration file "/Users/sherwoodcallaway/.yarnrc".
verbose 0.159430076 Found configuration file "/Users/sherwoodcallaway/.yarnrc".
verbose 0.159741938 Checking for configuration file "/usr/local/Cellar/node/18.4.0/etc/yarnrc".
verbose 0.159891783 Checking for configuration file "/Users/sherwoodcallaway/code/opkit/request-logger/.yarnrc".
verbose 0.160024326 Checking for configuration file "/Users/sherwoodcallaway/code/opkit/.yarnrc".
verbose 0.160207567 Checking for configuration file "/Users/sherwoodcallaway/code/.yarnrc".
verbose 0.160301092 Checking for configuration file "/Users/sherwoodcallaway/.yarnrc".
verbose 0.16039753 Found configuration file "/Users/sherwoodcallaway/.yarnrc".
verbose 0.160600964 Checking for configuration file "/Users/.yarnrc".
verbose 0.163238943 current time: 2022-09-06T20:53:08.709Z
[1/4] Bumping version...
info Current version: 1.0.3
question New version: 1.0.4
info New version: 1.0.4
[2/4] Logging in...
[3/4] Publishing...
$ yarn clean && yarn build
yarn run v1.22.19
$ rm -rf dist
✨  Done in 0.04s.
yarn run v1.22.19
$ tsc
✨  Done in 0.83s.
verbose 5.578994625 Performing "PUT" request to "https://registry.yarnpkg.com/@opkit%2frequest-logger".
verbose 6.021769758 Request "https://registry.yarnpkg.com/@opkit%2frequest-logger" finished with status code 401.
info Two factor authentication enabled.
question npm one-time password: asdf
verbose 10.105643673 Performing "PUT" request to "https://registry.yarnpkg.com/@opkit%2frequest-logger".
verbose 10.376272548 Request "https://registry.yarnpkg.com/@opkit%2frequest-logger" finished with status code 401.
verbose 10.388837438 Error: Couldn't publish package: "Incorrect one-time password."
    at MessageError.ExtendableBuiltin (/Users/sherwoodcallaway/.yarn/lib/cli.js:721:66)
    at new MessageError (/Users/sherwoodcallaway/.yarn/lib/cli.js:750:123)
    at /Users/sherwoodcallaway/.yarn/lib/cli.js:86528:13
    at Generator.throw (<anonymous>)
    at step (/Users/sherwoodcallaway/.yarn/lib/cli.js:310:30)
    at /Users/sherwoodcallaway/.yarn/lib/cli.js:323:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
error Couldn't publish package: "Incorrect one-time password."
info Visit https://yarnpkg.com/en/docs/cli/publish for documentation about this command.
➜  request-logger (data-server) echo $?                                                                 ✗ ✭ ✱
1

Note that exit code is 1, but in my package.json, the version field has been updated to 1.0.4.

Now, when I revert my package.json and attempt to publish again, Yarn still thinks that version 1.0.4 exists:

➜  request-logger (data-server) yarn publish --verbose                                                  ✗ ✭ ✱
yarn publish v1.22.19
verbose 0.162328455 Checking for configuration file "/Users/sherwoodcallaway/code/opkit/request-logger/.npmrc".
verbose 0.162574387 Checking for configuration file "/Users/sherwoodcallaway/.npmrc".
verbose 0.162832776 Found configuration file "/Users/sherwoodcallaway/.npmrc".
verbose 0.163150757 Checking for configuration file "/usr/local/Cellar/node/18.4.0/etc/npmrc".
verbose 0.163319336 Checking for configuration file "/Users/sherwoodcallaway/code/opkit/request-logger/.npmrc".
verbose 0.163558628 Checking for configuration file "/Users/sherwoodcallaway/code/opkit/.npmrc".
verbose 0.163692719 Checking for configuration file "/Users/sherwoodcallaway/code/.npmrc".
verbose 0.163895108 Checking for configuration file "/Users/sherwoodcallaway/.npmrc".
verbose 0.164087404 Found configuration file "/Users/sherwoodcallaway/.npmrc".
verbose 0.164323709 Checking for configuration file "/Users/.npmrc".
verbose 0.165940038 Checking for configuration file "/Users/sherwoodcallaway/code/opkit/request-logger/.yarnrc".
verbose 0.166107685 Checking for configuration file "/Users/sherwoodcallaway/.yarnrc".
verbose 0.166321309 Found configuration file "/Users/sherwoodcallaway/.yarnrc".
verbose 0.166526708 Checking for configuration file "/usr/local/Cellar/node/18.4.0/etc/yarnrc".
verbose 0.166645779 Checking for configuration file "/Users/sherwoodcallaway/code/opkit/request-logger/.yarnrc".
verbose 0.166759578 Checking for configuration file "/Users/sherwoodcallaway/code/opkit/.yarnrc".
verbose 0.166937852 Checking for configuration file "/Users/sherwoodcallaway/code/.yarnrc".
verbose 0.167075389 Checking for configuration file "/Users/sherwoodcallaway/.yarnrc".
verbose 0.167189533 Found configuration file "/Users/sherwoodcallaway/.yarnrc".
verbose 0.167394611 Checking for configuration file "/Users/.yarnrc".
verbose 0.170392298 current time: 2022-09-06T20:56:31.266Z
[1/4] Bumping version...
info Current version: 1.0.3
question New version: 1.0.4
info New version: 1.0.4
[2/4] Logging in...
[3/4] Publishing...
$ yarn clean && yarn build
yarn run v1.22.19
$ rm -rf dist
✨  Done in 0.04s.
yarn run v1.22.19
$ tsc
✨  Done in 0.86s.
verbose 4.16956833 Performing "PUT" request to "https://registry.yarnpkg.com/@opkit%2frequest-logger".
verbose 4.446877651 Request "https://registry.yarnpkg.com/@opkit%2frequest-logger" finished with status code 401.
info Two factor authentication enabled.
question npm one-time password: 106706
verbose 10.863240256 Performing "PUT" request to "https://registry.yarnpkg.com/@opkit%2frequest-logger".
verbose 11.449396493 Request "https://registry.yarnpkg.com/@opkit%2frequest-logger" finished with status code 403.
verbose 11.461220779 Error: Couldn't publish package: "https://registry.yarnpkg.com/@opkit%2frequest-logger: You cannot publish over the previously published versions: 1.0.4."
    at MessageError.ExtendableBuiltin (/Users/sherwoodcallaway/.yarn/lib/cli.js:721:66)
    at new MessageError (/Users/sherwoodcallaway/.yarn/lib/cli.js:750:123)
    at /Users/sherwoodcallaway/.yarn/lib/cli.js:86528:13
    at Generator.throw (<anonymous>)
    at step (/Users/sherwoodcallaway/.yarn/lib/cli.js:310:30)
    at /Users/sherwoodcallaway/.yarn/lib/cli.js:323:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
error Couldn't publish package: "https://registry.yarnpkg.com/@opkit%2frequest-logger: You cannot publish over the previously published versions: 1.0.4."
info Visit https://yarnpkg.com/en/docs/cli/publish for documentation about this command.

This means I can never actually publish version 1.0.4...

[i4rilu]

It's not fixed in 1.22.19, unfortunately:

yarn run v1.22.19
verbose 12.2257901 Performing "PUT" request to "https://pkgs.dev.azure.com/************".
verbose 13.8441464 Request "https://pkgs.dev.azure.com/**************" finished with status code 401.
success Published.
[4/4] Revoking token...
info Not revoking login token, specified via config file.
Done in 13.70s.