[BUG] Permission denied when installing a git+ssh:// dependency with key loaded by ssh-agent

[remss]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

The npm install fails on a git+ssh:// dependency with a ssh-key loaded in ssh-agent on Windows 10 since npm 7.10.0.

Expected Behavior

The dependency should be installed correctly.

Steps To Reproduce

Start ssh-agent and add private key (using Win32-OpenSSH 8.1.0-beta installed with chocolatey)

> ssh-add -l
2048 SHA256:ed0dc338ade1bfdbaab1b5+0e5d29abd4cfd28f04c4 C:\Users\foo\Documents\private-openssh.key (RSA)
> $env:GIT_SSH
C:\Program Files\OpenSSH-Win64\ssh.exe

Install npm dependency from git+ssh:// url will fail

> npm install git+ssh://me@privatehost.com/repo#00ffe8a9e879ae7f52c066e4f4e1eed48cdbc0b4
command git --no-replace-objects ls-remote ssh://me@privatehost.com/repo
npm ERR! me@privatehost.com: Permission denied (publickey).
npm ERR! fatal: Could not read from remote repository.
npm ERR!
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.

Note that If I run the failed git command in my terminal it works fine

> git --no-replace-objects ls-remote ssh://me@privatehost.com/repo
24df233b1ea977d06a1e49c5d78c30cc3c8d1b4a        HEAD
24df233b1ea977d06a1e49c5d78c30cc3c8d1b4a        refs/heads/master
129da3d3b133b210bc9c7f7525b647f49bf3675a        refs/tags/v0.0.1
cf8051e20551308966116df6568866fba8f81fd4        refs/tags/v0.1.0
...

The bug appeared since npm 7.10.0 and still fails on 7.13.0. It works fine on 7.9.0 and previous version, and fine also on npm 6.14.

If I unload my key from ssh-agent, and put my key in a .ssh\id_rsa the the npm install works fine.

Environment

• OS: Windows 10
• Node: 12.22.1
• npm: 7.13.0

[remss]

This issue still occurs in 8.1.0 release. Is there any news on this? This is annoying to be stuck on 7.9 version.

[ruyadorno]

Sounds like this could be related to npm/git#29 which is the major change that landed on @npmcli/git@2.0.8 which seems to be the relevant part that changed between 7.9.0 -> 7.10.0.

cc @nlf maybe you have some more context on how that change could have impacted here.

[remss]

The issue is still here in latest npm 8.19.2

[remss]

The issue is still there in latest npm 9.8.1. I'm sorry to insist @ruyadorno but it's been two years now, do you know if it will be resolved one day? I'm still stuck with 7.9 version 😥

[ruyadorno]

I'm sorry to hear @remss but I have not been on the npm team for more than an year now.

In a general direction you really should be looking forward to not be relying on git dependencies. The way that npm supports git deps has very subtle gotchas that are unknown for most users, like installing dev deps for git dependencies which run its lifecycle scripts even when the --ignore-scripts option is defined. A few more on the rationale to avoid git deps is explained in this RFC that wants to add an audit option to ensure only registry packages are being used (npm/rfcs#593).

---

do you know if it will be resolved one day?

Again, I'm not on the npm cli team anymore so I don't speak for them but given that this issue has not picked much interest from the community and is a low priority I doubt it's going to be resolved any time soon 😞 best alternative would be giving it a try yourself to try and patch the problem and submit a PR.