Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

yarn not using auth property in .npmrc on different registry url #7191

Open
joeattardi opened this issue Apr 11, 2019 · 3 comments
Open

yarn not using auth property in .npmrc on different registry url #7191

joeattardi opened this issue Apr 11, 2019 · 3 comments

Comments

@joeattardi
Copy link

Do you want to request a feature or report a bug?
bug

What is the current behavior?

My company has a Nexus registry that hosts the package binaries. However, we access this registry through a proxy.

That is, the registry URL is set to https://nexus-proxy.mycompany.com/nexus/content/groups/npm-all/. When looking up a package on there, the URL to the binary points to the registry server itself, e.g. https://nexus.mycompany.com/nexus/content/groups/npm-all/somepackage/-/somepackage-0.1.0.tgz.

The basic authentication is stored base64 encoded in the .npmrc file.

The URL of the registry proxy is set as the registry in both .npmrc and .yarnrc.

When running a yarn or yarn add, the proxy is accessed no problem (returns a 200), but when going to download the actual binary from the actual registry server, a 401 is returned, I imagine because the authentication information is not being sent to the other URL.

What is the expected behavior?
yarn should pass the authentication information to the other URL when downloading binaries.

npm install does this properly, as does older versions of yarn (I tried 0.27.5).

Please mention your node.js, yarn and operating system version.

  • node 8.11.4
  • yarn 1.15.2
  • OS: MacOS Mojave
@brandon-leapyear
Copy link

brandon-leapyear commented Mar 19, 2020
edited
Loading

This is an old work account. Please reference @brandonchinn178 for all future communication

My company is also using Nexus, and instead of adding credentials to .npmrc or .yarnrc, we set the registry to https://<username>:<password>@nexus.build-leapyear.com/....

It seems like whenever we run bin/yarn.sh install --frozen-lockfile when our package.json specifies a version that's not in the lockfile, we get this 401 error. e.g.

// package.json
"foo": "0.2.0"

// yarn.lock
foo@0.1.0
  ...

(this happens because we're using yarn workspaces, and maybe someone adds a dependency on their branch, but master upgraded that dependency and updated the lockfile to only include the new version)

We noticed that when running with --verbose, we see a bunch of

verbose 1.xxxxx Performing "GET" request to "https://<username>:<password>@nexus.build-leapyear.com/..."

logs, but then later we see

verbose 1.xxxxx Performing "GET" request to "https://nexus.build-leapyear.com/..."

which is the command that fails. Possibly some branch in yarn-registry resolution doesn't account for user credentials?

@yhaskell
Copy link

After a year, this still happens. from --verbose I see that it gets the repository url, but it fails to actually use npm token, although it is specified in the file and npm install passes successfully.

@stevenroussey-privicy
Copy link

Same issue. yarn config list shows the token too...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@joeattardi @yhaskell @brandon-leapyear @stevenroussey-privicy