Recent bump to NPM 8 has broken publishing to private registries

[rhiaxion]

The recent changes in this plugin caused an update from NPM 6 to NPM 8.
From NPM 7 the auth to private registries was changed (npm client issue reported here)

We are prevented from any form of rollback in our CI system as this plugin does not have any recent release version tags for the docker image.

The following error was encountered after no configuration changes were made to the release and the token used has been confirmed as valid. Using the skip_whoami setting only led to the same error during the npm publish step.

latest: Pulling from plugins/npm
Digest: sha256:5bed9f20467a401ab73d393afe54d86ad06464d7efe1e97b9efd1253295ae70e
Status: Downloaded newer image for plugins/npm:latest
time="2022-05-31T08:00:48Z" level=info msg="Token credentials being used"
time="2022-05-31T08:00:48Z" level=info msg="Found package.json" name=example-npm-package path=example-npm-package/package.json version=1.0.0
time="2022-05-31T08:00:48Z" level=info msg="Token credentials being used"
time="2022-05-31T08:00:48Z" level=info msg="Writing npmrc" path=/root/.npmrc
+ npm --version
8.1.3
+ npm config set registry ******
+ npm config set always-auth true
+ npm whoami
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`

EDIT: The auth issue is caused when the <registry>:_authToken= line in the .npmrc includes a standard http port 80 or 443 in the registry URL. When performing an npm login using the npm client with a registry URL containing a port the port is stripped from the generated <registry>:_authToken= line. This plugin writes the registry URL into the .npmrc without edit and so registry URLs containing ports are not supported during authentication using the client.

Valid config:

registry=<registry-with-port>
//<registry-no-port>:_authToken=<token>

Invalid config:

registry=<registry-with-port>
//<registry-with-port>:_authToken=<token>

[yauhen-vastraknutau-epam]

Used plugins/npm:1.0.0 as a workaround, works for me

[rhiaxion]

The image tag 1.0.0 is 5 years old 😞 so I didn't want to take the chance of other issues from old code. I patched the image myself to get around the issue while I wait for my PR to get merged and released.

[rodrigo-brito]

I had the same problem here.

[rodrigo-brito]

The 1.0.0 has an very old version of node and npm, it returns CERT error, i will wait for the update

[rhiaxion]

This appears to be a problem only with standard HTTP ports based on how Node parses the registry URL and does authToken matching.

A registry using standard HTTPS port 443 https://private.registry.com:443/ won't work but a registry with a non standard port should still work, eg. https://private.registry.com:3000/.

I've updated the fix to just strip standard HTTP ports 80 and 443 when writing the authToken.

[rodrigo-brito]

As a temporary solution, I replaced the plugin with a pure node container:

  - name: npm-publish
    image: node:16
    environment:
      REGISTRY_TOKEN:
        from_secret: npm_token
    commands:
      - npm set registry https://custom-regystry.com/
      - npm set //custom-regystry.com/:_authToken $REGISTRY_TOKEN
      - npm config set always-auth true
      - npm publish

To get a token: npm token create --registry https://custom-regystry.com/

[donny-dont]

@rodrigo-brito the fix from @rhiaxion was merged in #62 but the build was 🔴 . Its being addressed in #63 so if anyone watching this issue is comfortable building the plugin and testing it on their setup it would help us resolve this issue. 🙏

[rodrigo-brito]

Hi @donny-dont, I compiled the binary to the release folder, and create the docker image, but I'm receiving the error: exec /bin/drone-npm: no such file or directory
But the binary exists in this path:

I'm using Linux amd64. The binary is generated with: go build -v -a -tags netgo -o release/linux/amd64/drone-npm cmd/drone-npm/*.go

[rhiaxion]

I built the master branch and update-build branch with the following commands and both images worked against my registry.

export GOOS=linux
export GOARCH=amd64
export CGO_ENABLED=0
export GO111MODULE=on

go build -v -a -tags netgo -o release/linux/amd64/drone-npm ./cmd/drone-npm
docker build --file docker/Dockerfile.linux.amd64 --tag plugins/npm:test .

[rodrigo-brito]

I tested with the master version and the problem persists here.

[donny-dont]

@rodrigo-brito I pushed a new official version. Please make sure you have pull: always on and let me know if it worked. If it doesn't please try and provide enough information that we can chase it down.

@rhiaxion thanks for all the help with the PRs. Let me know if there are any issues with your setup as well.

[rodrigo-brito]

I'm trying to understand my issue. I think it is related to another problem, I will try to debug better and fix it. Thank you @donny-dont

[donny-dont]

@rodrigo-brito happy to try and help whenever you have more information. I'll probably close this issue once @rhiaxion confirms but please feel free to open another if there's an issue you find.

[rodrigo-brito]

Ok, thank you!

[rhiaxion]

Switched back to the Docker Hub plugins/npm:latest image and it seems to be working OK for my setup again.
@donny-dont could we get a SemVer release tag so I can pin the image? Image version 1.0.0 is 5 years old.

[sagrawal31]

Though ours is a public repo but we recently started to face this problem on our GitLab CI, where we are using node:latest and the npm publish --access public-

npm notice === Tarball Details === 
npm notice name:          @letscooee/cordova-plugin               
npm notice version:       1.3.8                                   
npm notice filename:      @letscooee/cordova-plugin-1.3.8.tgz     
npm notice package size:  14.4 kB                                 
npm notice unpacked size: 51.0 kB                                 
npm notice shasum:        821dfc26d862d61e6237854560534e3f195e9[52](https://gitlab.com/letscooee/avengers/cordova-plugin/-/jobs/2734419273#L52)2
npm notice integrity:     sha512-vqXLcxqg7ORGA[...]06rI2X3N/lWrA==
npm notice total files:   25                                      
npm notice 
npm notice Publishing to https://registry.npmjs.org/
npm ERR! code E404
npm ERR! 404 Not Found - PUT https://registry.npmjs.org/@letscooee%2fcordova-plugin - Not found
npm ERR! 404 
npm ERR! 404  '@letscooee/cordova-plugin@1.3.8' is not in this registry.
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2022-07-18T10_[57](https://gitlab.com/letscooee/avengers/cordova-plugin/-/jobs/2734419273#L57)_26_488Z-debug-0.log

We are writing the access token to ~/.npmrc from our CI variable.

[lpreterite]

I have the same problem.

I use the original repository code and make a new image based on the tarampampam/node image.

FROM tarampampam/node:12.22-alpine

ADD release/linux/amd64/drone-npm /bin/

CMD ["/bin/drone-npm"]

• repository: lpreterite/drone-npm
• docker image: lpreterite/drone-plugin-npm-publish

The npm version under this implementation can be controlled at version 6.

[LJ1102]

I seem to experience the issue in the original post, I tried (temporarily) downgrading but 1.0.0 doesn't work for me either (auth works but publish results in a timeout). Docker Hub says the latest version is: sha256:27c87a52b6294c297e3fd8e920b085fe87ce51c4488d82b71867d65cd3a8c97d
however my output (with and without pull:always) shows:

latest: Pulling from plugins/npm
Digest: sha256:4f0ad309dd7438248ff3323439cc79f259b6bf7064d847766d769e0b440aec7a
Status: Image is up to date for plugins/npm:latest

Publishing works when running locally, the image digests i'm getting from docker images --digests is:
plugins/npm latest sha256:4f0ad309dd7438248ff3323439cc79f259b6bf7064d847766d769e0b440aec7a

I don't understand why I'm not getting the image that's on dockerhub?

Full output from server

1 | latest: Pulling from plugins/npm
2 | Digest: sha256:4f0ad309dd7438248ff3323439cc79f259b6bf7064d847766d769e0b440aec7a
3 | Status: Image is up to date for plugins/npm:latest
4 | time="2022-11-15T14:28:27Z" level=info msg="Specified credentials" email=npm@mydomain.com username=myusername
5 | time="2022-11-15T14:28:27Z" level=info msg="Found package.json" name=@mynamespace/mypackage path=package.json version=2.0.0
6 | time="2022-11-15T14:28:27Z" level=info msg="Specified credentials" email=npm@mydomain.com username=myusername
7 | time="2022-11-15T14:28:27Z" level=info msg="Writing npmrc" path=/root/.npmrc
8 | + npm --version
9 | 8.1.3
10 | + npm config set registry https://npm.mydomain.com
11 | + npm config set always-auth true
12 | + npm whoami
13 | npm ERR! code ENEEDAUTH
14 | npm ERR! need auth This command requires you to be logged in.
15 | npm ERR! need auth You need to authorize this machine using `npm adduser`
16 |  
17 | npm ERR! A complete log of this run can be found in:
18 | npm ERR!     /root/.npm/_logs/2022-11-15T14_28_31_617Z-debug.log
19 | time="2022-11-15T14:28:31Z" level=error msg="execution failed: could not authenticate: exit status 1"

Any hints on how to debug this further would be greatly appreciated.