-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
yarn does not honor authentication settings in .npmrc #4451
Comments
This should be fixed in 1.0.2 which was released yesterday. Can you give it a spin? |
Could you paste your npmrc file here so we could try to reproduce (obviously edit out secrets or other private info) |
@KidkArolis while trying to get my working dir as clean as possible, it somehow fixed the issue? 🙃 Steps I took:
That seems to have worked. I am going to chalk this up as a user error on mine and my team's end. |
@beardedtim What about if you now blow away |
I am experiencing this issue (404 on private scoped repo, whichever registry I use) for yarn versions 1.0.1, and 1.0.2. Version 0.27.5 worked after clearing some artifacts. I have tried all the workarounds discussed in #4157. Happy to post logs if it will help. |
@stieg I will try that later today when I get a free moment around lunch and post results. I believe I still got the 404 error but I've tried so many things at this point, who knows! |
Has anyone found a solution to this? |
FWIW: I tried with:
My
And my
The
|
Interesting. After putting the registry in my |
I tried on a fresh install (Debian this time, the other was macOS) and having these settings in |
Closing as people reporting this was resolved. Reopen with concrete reproduction steps if it is not resolved for you @carlosduclos please. |
@BYK I had the same problem. |
@BYK It may help to note that everyone who has "reported as resolved" has used the workaround of forcing yarn to use the https://registry.npmjs.org registry. I think there is still a problem retrieving private packages from the https://registry.yarnpkg.com registry, however, and this is the default registry used by yarn (is it still just a reverse proxy? perhaps it's not honouring auth headers?). Concrete reproduction steps
Expected resultsPackage installs successfully. Actual results❤ @up ➜ REPO git:(master) ★ yarn add @SCOPE/PACKAGE
yarn add v1.1.0
info No lockfile found.
[1/5] Validating package.json...
[2/5] Resolving packages...
error An unexpected error occurred: "https://registry.npmjs.org/@SCOPE%2fPACKAGE: Not found".
info If you think this is a bug, please open a bug report with the information provided in "/home/katy/dev/REPO/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command. |
If project maintainers find @kmoe's instructions to be reproducible, this ticket should be reopened (at least for the sake of existing subscribers). |
I agree with @kmoe, the underlying issue is not fixed even in recent versions of yarn. Please reopen the issue. Yes, we have a workaround, but workaround != solution in this case. |
FWIW, this is still a problem in 1.1.0. I just verified it (came back here for the workaround, namely |
I am having this problem in yarn 1.3.2 and it is breaking our builds right now. It worked fine on yarn 0.27.5. We require an auth token from the Reproduction steps:
|
Related: #4672 |
@stewx I'm also having the same problem on 1.3.2. Did you find a fix or a way around it? |
@jamesone Nope, I downgraded to something like 0.27. It's a deal-breaker for our project. |
It feels so wrong to version lock at 0.27.5 just to circumvent this one issue, but it seems like many are doing just that or redirecting If frequent project contributors don't have time to fix this in the short term, would somebody be willing to suggest codebase location(s) where a fix is most likely to succeed, in the hopes that a community PR will be opened? 🤔 |
@Bnaya When you say reinstall, do you mean remove |
yarn remove yourprivatepackage; yarn add yourprivatepackage And in the lock file you will see I would suggest adding the .yarnrc next to your package.json |
Happening to me too, I was hoping I could get it to work with only |
I think this is what I'm running into. It works when |
This solved it for me: #4451 (comment) |
Make sure you don't have - @4r7d3c0:registry=https://npm.pkg.github.com/4r7d3c0
+ @4r7d3c0:registry=https://npm.pkg.github.com As per doc, |
For those who use aliases check this workaround: #8130 (comment) |
Had to split user-level Contents of
Contents of
Until i moved the ^ named family package registry entry to project-level For Docker build mount them separately:
Docker build command:
(Note, that i did NOT need |
I've digged a little bit arround and it seems yarn uses the wrong auth credentials. ~/.npmrc //npm-old.visualon.de/npm/vo-npm/:_password=XXXXXX
//npm-old.visualon.de/npm/vo-npm/:username=kriese
//npm-old.visualon.de/npm/vo-npm/:always-auth=true
//npm-new.visualon.de/:_authToken="XXXXXX" package.json {
"name": "yarn-auth",
"version": "1.0.0",
"main": "index.js",
"license": "MIT",
"dependencies": {
"tslib": "^2.0.1",
"moment": "2.20.1"
}
}
yarn.lock
While trying to install yarn sends the |
If anyone still faces it, this is what worked for me.
|
Not sure if anyone faces a similar problem, but maybe this will help someone save a bit of time: I am using Azure Artifacts as a private registry and had set up the PAT and .npmrc files as documented there. |
Yarn is really a weird tool: Found another bug with the same kind of issues. I think I know why is yarn so bugged with custom package registries. I successfully got yarn to download and install properly any private package from a gitlab private registry. To do it you need to specify absolutely ALL redirections with the same token! Yarn is unable to infer the token based on the base address. It infers tokens based on the FULL address - the package name. Example: Won't work cause when downloading package the client is redirected to //gitlab.xxxx.yyy/api/v4/projects/z/packages/npm/ but here is the problem the other address is not exactly matched in the rc file
Will work; now all addresses are explicitely using the same token
|
I've seen this too, yarn only supports one auth per domain 😕 |
This is still an issue... |
This behavior won't be changed in the 1.x line. Starting from 2.x, Yarn now exclusively reads from the |
@arcanis I appreciate you closing this - but I have a similar error when using Yarn 2 and .yarnrc.yml with a private Azure Artifacts repo. If you set
I continue to receive this error: ➤ YN0001: │ HTTPError: @:@npm:1.3.0: Response code 405 (Method Not Allowed) Do you have any ideas associated? I have followed the steps highlighted in yarnpkg/berry#316 to no avail. |
@arcanis any update on this error? Your help is greatly appreciated! |
Try commenting on the V2 issue so that people using Azure Artifacts there can help |
@BenteleFlorian your suggestion was the answer here. Those ADO setup tips still encode Before https://pkgs.dev.azure.com/foo/_packaging/bar%40Local/npm/registry/ After https://pkgs.dev.azure.com/foo/_packaging/bar@Local/npm/registry/ |
Came here with the same issue on a private Verdaccio registry, none of this solved it. Found a solution and wrote it up here: #6405 (comment) Basically, make sure that no auth token for |
yarn only use token from .npmrc for the first time |
I have this exact case, if i try to build with no yarn.lock, works fine if i use the yarn.lock it fails @Diluka you had any luck on fixing this? |
This problem is the token not stored in lock file. And it will use only the url stored in lock file to download packages. So I do this in Dockerfile... ADD .npmrc .
RUN yarn add [email protected]
RUN yarn add [email protected]
ADD package.json .
ADD yarn.lock .
RUN yarn |
In .npmrc file add below
Will work in every case |
THIS WORKS (QFE, because it's actually the solution)
I have reproduced this behavior. Note that leaving out the trailing slashwill also cause a 401 auth fail. THIS DOES NOT WORK FOR ME:
Maybe this is documented behavior? I'm not an expert! :) The _authToken line and the registry line must match exactly and have a trailing slash. I missed this solution because when I tried it, I did not use a trailing slash. (A trailing slash is not necessary for other functionality to work, so it never occurred to me this could be a problem with auth.) This is with yarn 1.22. In unrelated news: Note that recent versions of NPM will loudly complain if _authToken is specified globally and not with a domain. This will cause some packages to fail to install, and is correct behavior. However, most of the online advice for working around this issue suggest using a bare _authToken= in .npmrc, which yarn still accepts. Then, later, one of my packages will error out because it's not actually a valid .npmrc. So... I thought I would mention that here next to the rest of the code that works for me for searching. I think it is likely people will migrate to yarn 2 and this behavior will not be updated, so... THIS. :) YARN ACCEPTS THIS BUT NPM NO LONGER DOES, WHICH BREAKS PACKAGES:
(Props to Yuri6037. You made my week.) |
Do you want to request a feature or report a bug?
BUG
What is the current behavior?
Yarn does not honor .npmrc
If the current behavior is a bug, please provide the steps to reproduce.
We require authentication for one of our repositories and we used to do this by specifying the authentication in .npmrc. This worked up to 0.28.4 but broke in 1.0.0
What is the expected behavior?
Honoring the authentication settings in .npmrc
Please mention your node.js, yarn and operating system version.
It happens after upgrading yarn to 1.0.0/1.0.1 (have tried both versions). Regardless of OS and nodejs version.
The text was updated successfully, but these errors were encountered: