[BUG] npm publish and npm install fail depending on .npmrc syntax used

[jordanthornquest]

Current Behavior:

I am attempting to configure a project to install dependencies from NPM. I will be publishing the project to GitHub Packages as a private package. If I use this syntax in my project's .npmrc:

@my-org:registry=https://npm.pkg.github.com/

I can install dependencies from NPM using npm install on my local machine. However, I cannot publish to GitHub Packages using npm publish. NPM informs me that I'm not authenticated. If I use this syntax in my project's .npmrc:

registry=https://npm.pkg.github.com/my-org/

I can publish using npm publish, but I cannot install dependencies with npm install. NPM informs me that it's trying to install dependencies from GitHub Packages, rather than NPM.

Expected Behavior:

Based on my reading, both syntaxes should be compatible with npm install and npm publish. However, it appears I can only use one or the other, based on my intended use.

Steps To Reproduce:

1. Install Node v15.7.0 and NPM 7.4.3 via nvm.

2. Log in to GitHub Packages with the command:

   npm login --scope=@my-org --registry=https://npm.pkg.github.com

3. Check our ~/.npmrc file in our home folder. It should read:

   @my-org:registry=https://npm.pkg.github.com/
   //npm.pkg.github.com/:_authToken=<auth-token-used-for-login>
   

4. Create project with the following package.json:

   {
     "name": "@my-org/my-package",
     "description": "A test.",
     "version": "1.0.0",
     "scripts": {
       "test": "echo \"Error: no test specified\" && exit 1"
     },
     "repository": {
       "type": "git",
       "url": "https://github.com/my-org/my-package.git"
     },
     "keywords": ["example"],
     "author": "Me",
     "license": "ISC",
     "bugs": {
       "url": "https://github.com/my-org/my-package/issues"
     },
     "homepage": "https://github.com/my-org/my-package",
     "dependencies": {
       "bootstrap": "^4.5.2"
     }
   }

5. Add the following .npmrc to our project:

   @my-org:registry=https://npm.pkg.github.com/
   

6. Run npm install. Installation should succeed.

7. Run npm publish. Receive the following error:

   npm ERR! code ENEEDAUTH
   npm ERR! need auth This command requires you to be logged in.
   npm ERR! need auth You need to authorize this machine using `npm adduser`
   
   npm ERR! A complete log of this run can be found in:
   npm ERR!     /Users/my-user/.npm/_logs/2021-01-28T20_19_55_974Z-debug.log

8. Change the project .npmrc to:

   registry=https://npm.pkg.github.com/my-org/
   

9. Run npm publish. Publishing should succeed.

10. rm -rf node_modules/ package-lock.json in project.

11. Run npm install. Receive following error:

    npm ERR! code E401
    npm ERR! Incorrect or missing password.
    npm ERR! If you were trying to login, change your password, create an
    npm ERR! authentication token or enable two-factor authentication then
    npm ERR! that means you likely typed your password in incorrectly.
    npm ERR! Please try again, or recover your password at:
    npm ERR!     https://www.npmjs.com/forgot
    npm ERR!
    npm ERR! If you were doing some other operation then your saved credentials are
    npm ERR! probably out of date. To correct this please try logging in again with:
    npm ERR!     npm login
    
    npm ERR! A complete log of this run can be found in:
    npm ERR!     /Users/my-user/.npm/_logs/2021-01-28T20_38_20_711Z-debug.log
    

Environment:

• OS:
  • MacOS Catalina 10.15.7 (Intel Mac Mini)
  • MacOS Big Sur 11.1 (Apple Silicon MacBook AIr)
• Node: 15.7.0
• npm:
  • 7.4.3
  • 7.5.2

[jordanthornquest]

Using publishConfig does not fix the issue with either .npmrc configuration. However, using the command-line --registry flag works.

When using the following project .npmrc syntax:

@my-org:registry=https://npm.pkg.github.com/

If I run npm publish --registry=https://npm.pkg.github.com/, I can publish successfully. In addition, I can install dependencies without issue.

[wraithgar]

I'm having trouble replicating this locally. I can publish just fine using the config setup mentioned.

Here's the output of npm config list

$ npm config list
; "builtin" config from /Users/wraithgar/.nvm/versions/node/v14.15.4/lib/node_modules/npm/npmrc

foo = "bar" 
pid = "6284" 

; "user" config from /Users/wraithgar/.npmrc

@npm:registry = "https://npm.pkg.github.com" 
; @wraithgar:registry = "https://npm.pkg.github.com" ; overridden by project
//npm.pkg.github.com/:_authToken = (protected) 
//registry.npmjs.org/:_authToken = (protected) 
init.author.email = "gar+npm@danger.computer" 
init.author.name = "Gar" 

; "project" config from /Users/wraithgar/Development/npm/gh-registry-test/.npmrc

@wraithgar:registry = "https://npm.pkg.github.com/" 

; "cli" config from command line options

omit = [] 
user-agent = "npm/7.5.2 node/v14.15.4 darwin x64" 

; node bin location = /Users/wraithgar/.nvm/versions/node/v14.15.4/bin/node
; cwd = /Users/wraithgar/Development/npm/gh-registry-test
; HOME = /Users/wraithgar
; Run `npm config ls -l` to show all defaults.

And the package.json

{
  "name": "@wraithgar/gh-registry-test",
  "version": "1.0.1",
  "description": "github registry test package",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "Gar <gar+npm@danger.computer>",
  "license": "ISC",
  "dependencies": {
    "bootstrap": "^4.6.0"
  }
}

With or without a package-lock, or having the packages installed, publishing works just fine.

Can you share the output of npm config list?

[jordanthornquest]

Sure thing. This is the output of running npm config list in my project.

; "user" config from /Users/jst/.npmrc

; @my-org:registry = "https://npm.pkg.github.com/" ; overridden by project
//npm.pkg.github.com/:_authToken = (protected)

; "project" config from /Users/jst/Code/my-project/.npmrc

@my-org:registry = "https://npm.pkg.github.com/"

; "cli" config from command line options

omit = []
user-agent = "npm/7.5.2 node/v15.7.0 darwin arm64"

; node bin location = /Users/jst/.nvm/versions/node/v15.7.0/bin/node
; cwd = /Users/jst/Code/my-project
; HOME = /Users/jst
; Run `npm config ls -l` to show all defaults.

[robross0606]

I'm seeing something similar. npm v7 was just "released" and now all our npm publish calls are breaking to our locally scoped repository. Previously, doing these two commands would generate a usable .npmrc file for our environment:

npm config set @privatescope:registry https://my.server.org/repository/npm-internal/
npm adduser --registry=https://my.server.org/repository/npm-internal/ --always-auth

This still generates an .npmrc file that looks identical between npm v6 and npm v7.

@privatescope:registry =https://my.server.org/repository/npm-internal/
//my.server.org/repository/npm-internal/:_authToken=NpmToken.9fb28705-7e5b-3ea9-894b-06f7d898886c

However, attempting to use it fails on v7:

npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`

npm ERR! A complete log of this run can be found in:
npm ERR!     C:\Users\user\AppData\Local\npm-cache\_logs\2021-02-02T20_51_38_576Z-debug.log

[robross0606]

I can also confirm that adding --registry= to the npm publish call temporarily works around the problem.

[wraithgar]

ok! I was able to duplicate this locally be removing the login token for registry.npmjs.org from my /.npmrc file. Looking into it deeper now that I can see the bug locally.

[wraithgar]

I'm glad that the --registry cli flag temporarily fixes things.

If this is not feasible for your current setup, but adding a line to your npmrc file is something you can do, another temporary fix is to add a dummy token for registry.npmjs.org.

[robross0606]

If this is not feasible for your current setup, but adding a line to your npmrc file is something you can do, another temporary fix is to add a dummy token for registry.npmjs.org.

I am trying to use a different internal repository. It is not clear to me how (if?) your suggested workaround fixes things.

[wraithgar]

If this is not feasible for your current setup, but adding a line to your npmrc file is something you can do, another temporary fix is to add a dummy token for registry.npmjs.org.

I am trying to use a different internal repository. It is not clear to me how (if?) your suggested workaround fixes things.

The bug is fixed in this PR #2602

What happens is that currently the cli is only looking for your configured "registry" setting when seeing if you have logged in. So the temporary solution is either to override that setting (as you were doing by passing --registry), OR to add a token for the default (npm) registry so that the check for a token does not fail. The check is only looking for the presence of a token in the config, it's not validating it (that of course will happen when and if it is used during an actual request), so putting a dummy value in will stop the error until that PR lands.

[robross0606]

add a token for the default (npm) registry

Sorry for being dumb about this, but can you provide an example of what a "dummy token" would look like in the .npmrc file? Also, will that prevent us from accessing packages from the default registry? We only use our internal repository for special package scopes, not for everything.

[wraithgar]

add a token for the default (npm) registry

Sorry for being dumb about this, but can you provide an example of what a "dummy token" would look like in the .npmrc file?

Not at all! Here's what I used locally to test that approach:

//registry.npmjs.org/:_authToken=dummy

Also, will that prevent us from accessing packages from the default registry? We only use our internal repository for special package scopes, not for everything.

Very good question. No it will not, that token is only ever inspected by the npm registry for things that actually require auth (i.e. publishing, reading private scoped packages, star/unstar). A request for a public (scoped or unscoped) package won't be affected by a bad auth token.

[wraithgar]

Just a reminder that's still a temporary solution, it'd of course be best to remove the dummy token once that PR lands.

[robross0606]

Just a reminder that's still a temporary solution, it'd of course be best to remove the dummy token once that PR lands.

Yep, thanks. I can confirm that works and is a much easier workaround when doing manual publishing.

[mmdkh112233]

I have this problem
$ npm i
npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I'll try to do my best with it!
npm ERR! code ENOTFOUND
npm ERR! errno ENOTFOUND
npm ERR! network request to https://registry.npmjs.org/acorn/-/acorn-7.3.1.tgz failed, reason: getaddrinfo ENOTFOUND proxy.admworld.com
npm ERR! network This is a problem related to network connectivity.
npm ERR! network In most cases you are behind a proxy or have bad network settings.
npm ERR! network
npm ERR! network If you are behind a proxy, please make sure that the
npm ERR! network 'proxy' config is set properly. See: 'npm help config'

npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\Shahab\AppData\Roaming\npm-cache_logs\2021-02-04T08_53_02_399Z-debug.log

[wraithgar]

This should be fixed now as of v7.5.3, you no longer need to have a token for the npm registry in order to have a scope-specific registry override/auth in your npmrc file.

[robross0606]

Unfortunately, #2639 prevented a clean update to v7.5.3. 😢