Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] publish with workspaces doesn't respect access controls #7199

Open
1 task done
tschaub opened this issue Feb 3, 2024 · 2 comments
Open
1 task done

[BUG] publish with workspaces doesn't respect access controls #7199

tschaub opened this issue Feb 3, 2024 · 2 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x

Comments

@tschaub
Copy link

tschaub commented Feb 3, 2024
edited

Is there an existing issue for this?

It looks like this is the same issue as #3268, although the error I'm getting is different, and it appears that the fix in 4a4fbe3 is specific to the error.

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

I am trying to use workspaces where a number of the packages should not be published (they have "private": true in their package.json). I would like to run a single command that publishes all of the non-private packages. I was hoping this would work:

npm publish --workspaces

When I try this, I get this error:

npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in to https://registry.npmjs.org/
npm ERR! need auth You need to authorize this machine using `npm adduser`

I found #3268 and was hoping that #3285 might have addressed the issue, but it that fix was specific to the EPRIVATE error code. In this case I am seeing ENEEDAUTH.

Expected Behavior

I was hoping that npm publish --workspaces could be used to publish all workspace packages except those that have "private": true in their package.json.

Steps To Reproduce

  1. create a package with two workspaces, one named do-not-publish and one named @example/package
  2. in the package.json for the do-not-publish package, add "private": true
  3. run npm logout && npm login --registry=https://npm.pkg.github.com --scope=@example
  4. run npm publish --workspaces
  5. See npm ERR! code ENEEDAUTH

It looks like the ENEEDAUTH error is thrown for the do-not-publish package even though it includes "private": true. I assume this only happens when the user is not already authenticated with the default registry. In my case, it is occurring in a CI job where an auth-token is only provided for a non-default registry (where the scoped packages are published).

Environment

  • npm: 10.2.4
  • Node.js: 21.5.0
@tschaub tschaub added Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x labels Feb 3, 2024
tschaub referenced this issue Feb 3, 2024
@ruyadorno @wraithgar
fix(publish): skip private workspaces
4a4fbe3 
Allow users to publish all workspaces with `npm publish --ws` while also
skipping any workspace that might have been intentionally marked as
private, using `"private": true` in its package.json file.

Fixes: #3268

PR-URL: #3285
Credit: @ruyadorno
Close: #3285
Reviewed-by: @wraithgar
@chehsunliu
Copy link

I just got this error today. I then renamed the workspace do-not-publish to @example/do-not-publish as a workaround. npm should first determine whether to publish, rather than authentication.

@tschaub
Copy link
Author

tschaub commented Apr 9, 2024

@chehsunliu - I arrived at the same workaround (giving everything the same scope). And I agree that it feels like npm should first determine what needs to be published and then only authenticate with registries for which there are packages to publish.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tschaub @chehsunliu