Cannot authenticate to Github repo during the installation process

[ematipico]

When trying to install my packages using a private registry, pnpm goes in error.
I think I know what's going on.

Doing the same via npm works fine because it installs the dependencies that are not in scope from the npm registry and installs the scoped dependencies (the private ones) from the github registry. I could verifying it by checking its package-lock.json

On the other hand, pnpm tries to install ALL the dependencies from one single registry, which is github.

pnpm version: 5.9.3

Code to reproduce the issue:

Code inside .npmrc

registry=https://npm.pkg.github.com/{SCOPE}

I can't give the information of the log because it contains sensitive information.

Expected behavior:

It should install all the packages.

Actual behavior:

 ERROR  GET https://npm.pkg.github.com/{SCOPE}/bootstrap: Unauthorized - 401
No authorization header was set for the request.

These authorization settings were found:
//npm.pkg.github.com/:_authToken={TOKEN}

Additional information:

Changing .npmrc to the following works fine

{SCOPE}:registry=https://npm.pkg.github.com/{SCOPE}

[juanpicado]

I will triage this one.

[zkochan]

But this seems like the correct behavior. When you set the registry setting, it sets the registry for ALL packages. Maybe npm is falling back to the default registry if the one specified in the registry setting is failing?

[ematipico]

I agree with you that setting the registry for ALL the packages should lead to this behaviour (which is correct).

Although, as you said, npm falls back to the default registry which is not correct IMHO because it could lead to security issue. I am happy to close the issue but I think it's worth having a small paragraph inside the documentation where this behaviour is explained.

Yarn behaves in the same way.

[zkochan]

Maybe we could also add more information to the error message.

[ematipico]

Yes, that would help too I think! Maybe a suggestion to add the package scope in the registry key inside the .npmrc

[zkochan]

Are the GitHub registry docs suggesting to use the registry setting?

[juanpicado]

Yea it does

https://docs.github.com/en/free-pro-team@latest/packages/using-github-packages-with-your-projects-ecosystem/configuring-npm-for-use-with-github-packages

[zkochan]

That is bad. An edit should be suggested

[juanpicado]

@ematipico could you try with the npm@7.x? I guess you tried only with the latest.

[ematipico]

@juanpicado I have tried with npm 6 (can't recall which version). I will try with npm 7 once I get the chance and let you know how it behaves.

[statianzo]

Tested this out, it looks like https://npm.pkg.github.com/{OWNER}/lodash is deferring to registry.npmjs.org for unknown packages. It's not the npm cli falling back.

Notice the 200 when fetching lodash from npm.pkg.github.com and then the followup to registry.npmjs.org

npm info it worked if it ends with ok
npm verb cli [
npm verb cli   '/usr/local/bin/node',
npm verb cli   '/usr/local/bin/npm',
npm verb cli   'i',
npm verb cli   '--no-color',
npm verb cli   '-ddd',
npm verb cli   'lodash'
npm verb cli ]
npm info using npm@6.14.8
npm info using node@v12.18.4
npm verb npm-session e8be7194d641a4ef
npm sill install loadCurrentTree
npm sill install readLocalPackageData
npm http fetch GET 200 https://npm.pkg.github.com/statianzo/lodash 489ms
npm http fetch GET 200 https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz 150ms
npm sill pacote tag manifest for lodash@latest fetched in 655ms
npm timing stage:loadCurrentTree Completed in 674ms
npm sill install loadIdealTree
npm sill install cloneCurrentTreeToIdealTree
npm timing stage:loadIdealTree:cloneCurrentTree Completed in 1ms
npm sill install loadShrinkwrap
npm timing stage:loadIdealTree:loadShrinkwrap Completed in 0ms
npm sill install loadAllDepsIntoIdealTree
npm sill resolveWithNewModule lodash@4.17.20 checking installable status
npm timing stage:loadIdealTree:loadAllDepsIntoIdealTree Completed in 5ms
npm timing stage:loadIdealTree Completed in 7ms
npm sill currentTree regtest@1.0.0
npm sill idealTree regtest@1.0.0
npm sill idealTree └── lodash@4.17.20

...

Resulting json when making an authenticated request to https://npm.pkg.github.com/{OWNER}/lodash notice the tarball points to registry.npmjs.org

{
  "_id": "lodash",
  "_rev": "2544-0b122902f747bccd1e1b616357c0f55b",
  "name": "lodash",
  "description": "Lodash modular utilities.",
  "dist-tags": {
    "latest": "4.17.20"
  },
  "versions": {
    // ... snip
    "4.17.20": {
      // ... snip
      "dist": {
        "integrity": "sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA==",
        "shasum": "b44a9b6297bcb698f1c51a3545a2b3b368d59c52",
        "tarball": "https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz",
        "fileCount": 1049,
        "unpackedSize": 1406354,
        "npm-signature": "-----BEGIN PGP SIGNATURE-----\r\nVersion: OpenPGP.js v3.0.4\r\nComment: https://openpgpjs.org\r\n\r\nwsFcBAEBCAAQBQJfNXAiCRA9TVsSAnZWagAAtmYP/2G2ijVcDDyRacsKXn8Q\niX5zNGG+Od+xSuOXrMRG32hjB1giuXR2t8mlsJLQpFyQVgAexcr22J0oq0Kb\nUouNSYrjm6qfK/u5ZUg8lR/Q3L+QiaxsfNnS7FWCO4xqUB0FlI5rKtnq4zhH\nWpPscWw1S/0vV1tz9OvibtfiMDWw5m9AYHk7ckISHmiEMBWURWyDjStxVjmn\nIupfRuCjJdNoxdFyRMaXktbFaCqdMoaT00x5ImxTbIR2ZQdTQT7fA8l3FvvZ\nX/avXT8sqsY0gMCJqZGZITWI/6jIvoMLeE8IqPvAweX+rjHpTFbj9u+SjhNI\noLRY2Ya3bCCUM/T7ZeShMDOeNCyqaU4p3s5VWBQ7PG8FRUjtRdJXpmBf44B4\n6ew+lh2qK+P7FcIcJ4NDpo0/pek4keOpKmUyOYEsrXbnFKdXyzMxAztydu2U\nYR20ePPVsAh2dxwnTVW+jxoutB09gmM3YhgtuOEf16dSEsu47Tntd039li0A\nOSwvLK2jEiyyaeGh7nZSaNPr2Sgj5uq1DrOjR/eKOhY0nFUzdcDAjm8ocVSe\nncavD4t+VFnABdnog5Ub11luRNoOTBvIX+c/9DshlfRzGKIu6pq8SirU6P2j\n3y40bR5yzjhxVM/E2RsqAsPgSPl/1BLyO4+4MKIxhVTh259tWf3YxbWbuXo8\n5EAn\r\n=w2Gq\r\n-----END PGP SIGNATURE-----\r\n"
      },
      // ... snip
    }
  }
  // ... snip
}

Difference seems that pnpm isn't sending auth to the registry.

[statianzo]

Suspected reason for not sending auth: the resulting "nerf dart" made by pnpm is different than npm's because of a trailing slash.

pnpm uses the nerf-dart package. When the uri of the registry is passed it's https://npm.pkg.github.com/statianzo/

function toNerfDart (uri) {
  var parsed = url.parse(uri)
  delete parsed.protocol
  delete parsed.auth
  delete parsed.query
  delete parsed.search
  delete parsed.hash

  return url.resolve(url.format(parsed), '.')
}

---

npm (6) uses its own implementation within npm-registry-fetch

https://github.com/npm/npm-registry-fetch/blob/d8df0b193b34dad4627db52259322f0dbf9257d2/auth.js#L49-L57

The passed url is https://npm.pkg.github.com/statianzo

Notice no trailing slash. It matters when getting passed to url.resolve

url.resolve('https://npm.pkg.github.com/statianzo/', '.')
// 'https://npm.pkg.github.com/statianzo/'
url.resolve('https://npm.pkg.github.com/statianzo', '.')
// 'https://npm.pkg.github.com/'

---

The above is with this .npmrc (no trailing slash):

registry=https://npm.pkg.github.com/statianzo

[zkochan]

@statianzo @pnpm/config is normalizing the registry URLs and it is adding a trailing slash to them: https://github.com/pnpm/pnpm/blob/main/packages/config/src/getScopeRegistries.ts

[cybairfly]

Any progress on this please? Haven't been able to use pnpm because of this for a long time. My situation:
.npmrc

@apify-packages:registry=https://npm.pkg.github.com/apify-packages
//npm.pkg.github.com/:_authToken=<token>

pnpm i

 ERR_PNPM_FETCH_401  GET https://npm.pkg.github.com/apify-packages/@apify-packages%2Ffingerprint-injector: Unauthorized - 401

No authorization header was set for the request.

These authorization settings were found:
@apify-packages:registry=https://npm.pkg.github.com/apify-packages
//npm.pkg.github.com/:_authToken=72d4[hidden]
Progress: resolved 1, reused 0, downloaded 0, added 0

Any advice would be highly appreciated.

[marvin1up]

I have the identical issue, this does seem like a long time.
~/.npmrc

//npm.pkg.github.com/:_authToken=ghp_XXXXX
//npmjs.org=true
@1uphealth:registry=https://npm.pkg.github.com/1uphealth

then...

pnpm add @1uphealth/core-1upenv-script
 ERR_PNPM_FETCH_401  GET https://npm.pkg.github.com/1uphealth/@1uphealth%2Fcore-1upenv-script: Unauthorized - 401

No authorization header was set for the request.

These authorization settings were found:
//npm.pkg.github.com/:_authToken=ghp_[hidden]
@1uphealth:registry=https://npm.pkg.github.com/1uphealth

[damiensedgwick]

Getting a similar issue as above, pnpm won't install private package from GitHub repo despite fiddling with configs and .npmrc files

[stefanmo]

Any news?

Edit:
Okay, so right after I commented I was about to give up on pnpm but a took another look at npmrc and removed the owner from the github repo url and now pnpm import works for me 🎉
So I had

@owner:register=https://npm.pkg.github.com/owner

and now I have

@owner:register=https://npm.pkg.github.com

And this seems to work on my side.

[zkochan]

I am not sure why you all try to include the owner in the registry URL. The docs suggest to use:

@OWNER:registry=https://npm.pkg.github.com

Though this seems to work with npm, so I guess it should works with pnpm as well.

[damiensedgwick]

I am not sure why you all try to include the owner in the registry URL. The docs suggest to use:

@zkochan conflicting sources most likely. I can confirm your solution does not work when using pnpm on Amplify. It tries to install all packages from one repository and ignores any private ones that are in use.

[goldo]

+1
7.13.6 works and the 7.28.0 didnt work

[tlehtimaki]

I have the following .npmrc:

registry = https://company-artifactory-url.com/artifactory/api/npm/npm/
//company-artifactory-url.com/artifactory/api/npm/npm/:_authToken = ${ARTIFACTORY_TOKEN}

And til pnpm@7.13 it was working just fine.
I've upgraded to v7.14.1 and with the same .npmrc I started getting:

 ERR_PNPM_FETCH_401  GET https://company-artifactory-url.com:443/artifactory/api/npm/npm/@types/react-dom/-/react-dom-17.0.18.tgz: Unauthorized - 401

No authorization header was set for the request.

These authorization settings were found:
//company-artifactory-url.com/artifactory/api/npm/npm/:_authToken=eyJ2[hidden]

Downgrading to 7.13 worked well

I think this will work for you:

registry = https://company-artifactory-url.com/artifactory/api/npm/npm/
//company-artifactory-url.com/artifactory/api/npm/npm/:_authToken = ${ARTIFACTORY_TOKEN}
//company-artifactory-url.com:443/artifactory/api/npm/npm/:_authToken = ${ARTIFACTORY_TOKEN}

Duplicating the _authToken entry but including :443 in the second one. Keep both.

I found that duplicating _authToken_ line with port :443 worked for me, but I think its perhaps a separate issue.

I got into to the situation like this:

1. Init new project with pnpm
2. Install some packages from public npm regisry
3. Notice you now need stuff from private npm registry
4. Setup everything for that
5. Now try to install private package
6. It wont work. The tarball has :443 in the URL so I suspect that could have something to do with the error
7. Add the extra _authToken line to your .npmrc config.
8. Now install the private package.
9. Package is installed succesfully

I was using pnpm version 7.9.3 and 7.27.1 to test this.

[raulfdm]

Just complementing what @tlehtimaki said, on my team, we had problems with per project .npmrc. They still get those errors even if they add the _authToken.

The solution was by also adding the _authToken for port 443 in the root level .npmrc (for UNIX users it may be located at ~/.npmrc. Or check it here: https://pnpm.io/cli/config)

[goldo]

thanks @raulfdm it fixed it

[philippseith]

This didn't fix for me with an artifactory registry

[danielbayley]

@zkochan FYI I had this config in my global .npmrc:

//registry.npmjs.org:_authToken = ${NPM_TOKEN}
//npm.pkg.github.com:_authToken = ${GITHUB_TOKEN}
@${GITHUB_USER}:registry = https://npm.pkg.github.com

which works with npm install, but breaks pnpm install. The following changes fixed it:

//registry.npmjs.org:_authToken = ${NPM_TOKEN}
//npm.pkg.github.com/:_authToken = ${GITHUB_TOKEN}
@danielbayley:registry = https://npm.pkg.github.com

But I think pnpm should just work exactly like npm from the same configuration…

So, 2 issues it seems:

1. A trailing / is required before :_authToken=
2. Environment variables in keys aren’t working (${GITHUB_USER} in this case)

[viresh323]

Just complementing what @tlehtimaki said, on my team, we had problems with per project .npmrc. They still get those errors even if they add the _authToken.

The solution was by also adding the _authToken for port 443 in the root level .npmrc (for UNIX users it may be located at ~/.npmrc. Or check it here: https://pnpm.io/cli/config)

Thanks, I had same problem with the port.

[joostdelange]

Good news for CodeArtifact users, from AWS' side this problem has been solved. Quoting a CodeArtifact operation notification all customers who use it got:

You are receiving this notification because your account has recently downloaded an npm or NuGet package from an AWS CodeArtifact repository.

For npm and NuGet packages, CodeArtifact returns URLs in the HTTP response body for certain request types. For example, when the npm install command is run, the npm client will request metadata for each package it needs to install. This metadata contains CodeArtifact URLs that the client will request in order to complete the installation. The same pattern is also used by NuGet clients such as the NuGet CLI and dotnet CLI, and alternate npm clients such as Yarn and pnpm.

Currently these returned CodeArtifact URLs include the HTTPS port number (443) after the hostname, for example [1].

Starting March 27, 2023, CodeArtifact will no longer include the port number in returned URLs, for example [2].

This change will improve compatibility with the pnpm client and make the returned URLs consistent with those returned by the CodeArtifact GetRepositoryEndpoint API. No backward compatibility issues are expected for npm or NuGet clients as a result of the change as the URLs with and without the port number are functionally identical.

There is no impact to Maven and Python packages as these repository protocols do not include CodeArtifact URLs in any response.

If you have any questions or concerns, please reach out to AWS Support [3].

[1] https://domain-123456789012.d.codeartifact.us-west-2.amazonaws.com:443/npm/repo/lodash/-/lodash-4.17.21.tgz
[2] https://domain-123456789012.d.codeartifact.us-west-2.amazonaws.com/npm/repo/lodash/-/lodash-4.17.21.tgz
[3] https://aws.amazon.com/support

[adcorduneanu]

I want to add one extra scenario I encountered that does not make any sense to me - the URL is case-sensitive...

Config:

registry=http://xxx:8080/tfs/www_bu_mmm/_packaging/npmProductionFeed/npm/registry/
always-auth=true
shamefully-hoist=true
strict-ssl=false

; begin auth token
//xxx:8080/tfs/www_bu_mmm/_packaging/npmProductionFeed/npm/registry/:username=${WWW_NPM_USER}
//xxx:8080/tfs/www_bu_mmm/_packaging/npmProductionFeed/npm/registry/:_password=${WWW_NPM_TOKEN}
//xxx:8080/tfs/www_bu_mmm/_packaging/npmProductionFeed/npm/registry/:email=npm requires email to be set but doesn't use the value
//xxx:8080/tfs/www_bu_mmm/_packaging/npmProductionFeed/npm/:username=${WWW_NPM_USER}
//xxx:8080/tfs/www_bu_mmm/_packaging/npmProductionFeed/npm/:_password=${WWW_NPM_TOKEN}
//xxx:8080/tfs/www_bu_mmm/_packaging/npmProductionFeed/npm/:email=npm requires email to be set but doesn't use the value
; end auth token

Issue:

Packages: +851
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 ERR_PNPM_FETCH_401  GET http://xxx:8080/tfs/Www_BU_Mmm/_packaging/npmProductionFeed/npm/registry/@babel/core/-/core-7.20.12.tgz: Unauthorized - 401

No authorization header was set for the request.

These authorization settings were found:

[maximLyakhov]

Got this error within renovate bot job.
Solved by using npmrc property in config.js with the help of this thread:

module.exports = {
  npmrc: `
    @${process.env.COMPANY}:registry=https://gitlab.${process.env.DOMAIN}.com/api/v4/projects/{process.env.PROJECT_ID}/packages/npm/
    //gitlab.${process.env.DOMAIN}.com/api/v4/projects/${process.env.PROJECT_ID}/packages/npm/:_authToken = ${process.env.CI_NPM_TOKEN}
    //gitlab.${process.env.DOMAIN}.com:443/api/v4/projects/${process.env.PROJECT_ID}/packages/npm/:_authToken = ${process.env.CI_NPM_TOKEN}
  `
},

Thanks for everyone's input.

[nielsbrakel]

For everyone running into this issue in Azure Devops we solved it by including the following command in our pipeline, hopefully this is useful for someone 😊

  - task: npmAuthenticate@0
    inputs:
      workingFile: $(WorkingDirectory)/.npmrc

Source:
https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/npm-authenticate-v0?view=azure-pipelines

[dtrongphuc]

In the case Gitlab Group Registry. This work well for me:

@scope:registry=https://gitlab.com/api/v4/groups/${GROUP_ID}/-/packages/npm/
//gitlab.com/api/v4/projects/${PROJECT_ID1}/:_authToken=${GROUP_TOKEN}
//gitlab.com/api/v4/projects/${PROJECT_ID2}/:_authToken=${GROUP_TOKEN}

[manawasp]

We got private package resolving issues too and the last valid version is 7.13.6.

Some context: we use a Gitlab instance on premise and our .npmrc look like:

//gitlab.domain.com/api/v4/packages/npm/:_authToken=AUTH_TOKEN
@team-software:registry=https://gitlab.domain.com/api/v4/packages/npm/

We try to install a library hosted on this gitlab registry: "@team-software/v-components": "0.0.96"

This configuration works with pnpm<=7.13.6 or npm but with pnpm 8.6.6 (and node 20.3.0) we get:

 WARN  GET https://gitlab.domain.com/api/v4/projects/17/packages/npm/@team-software/v-components/-/@team-software/v-components-0.0.96.tgz error (ERR_PNPM_FETCH_404). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://gitlab.domain.com/api/v4/projects/17/packages/npm/@team-software/v-components/-/@team-software/v-components-0.0.96.tgz error (ERR_PNPM_FETCH_404). Will retry in 1 minute. 1 retries left.
Packages are hard linked from the content-addressable store to the virtual store.
  Content-addressable store is at: /builds/.pnpm-store/v3
  Virtual store is at:             node_modules/.pnpm
 ERR_PNPM_FETCH_404  GET https://gitlab.domain.com/api/v4/projects/17/packages/npm/@team-software/v-components/-/@team-software/v-components-0.0.96.tgz: Not Found - 404
 No authorization header was set for the request.

I did some tests:

• I added //gitlab.domain.com/api/v4/projects/:_authToken=AUTH_TOKEN and this fixed the issue
• Then I removed //gitlab.domain.com/api/v4/packages/npm/:_authToken=AUTH_TOKEN this brings a new resolving issue. I guess no match between @team-software:registry=xxx and the xxx:_authToken=token
• I merged both line and used //gitlab.domain.com/api/v4/:_authToken=AUTH_TOKEN, this is working (but doesn't follow what gitlab recommend to use for npm).

Final:

My understanding is to resolve the package there is a first match on gitlab.domain.com/api/v4/packages/npm/ then a download issued on the url result gitlab.domain.com/api/v4/projects/. Before the header AUTH_TOKEN issued on the first match was forwarded on the "related download" even if there was an uri mismatch?

Just a guess without diving too much how things are working, if someone has more context about this 🙏

[slpixe]

@manawasp massive thanks for this, this has solved my issue of getting recent versions of pnpm to work with a private gitlab.com repository

The main line which got it working was appending
//gitlab.com/api/v4/:_authToken=AUTH_TOKEN

[MonstraG]

So, how does one install (not even trying publishing) in github actions now?

I'm on pnpm@8.7.0, and trying to use https://gist.github.com/belgattitude/838b2eba30c324f1f0033a797bab2e31, with added env:

    - name: Install dependencies
      shell: bash
      working-directory: ${{ inputs.cwd }}
      run: pnpm install --frozen-lockfile --prefer-offline
      env:
        NPM_TOKEN: ${{ github.token }}
        NPM_AUTH_TOKEN: ${{ github.token }}
        NODE_AUTH_TOKEN: ${{ github.token }}
        npm_config__authtoken: ${{ github.token }}
        npm_config_//npm.pkg.github.com:_authtoken: ${{ github.token }}

.npmrc:

resolution-mode=highest
strict-peer-dependencies=true
auto-install-peers=false
@my-cool-repo:registry=https://npm.pkg.github.com

I get:

ERR_PNPM_FETCH_401  GET https://npm.pkg.github.com/download/...: Unauthorized - 401
No authorization header was set for the request.
These authorization settings were found:
@lifekeys:registry=https://npm.pkg.github.com/
_authToken=ghs_[hidden]

I cannot add //npm.pkg.github.com/:_authToken=${GITHUB_TOKEN} because then I get WARN Issue while reading "/home/..../.npmrc". Failed to replace env in config: ${GITHUB_TOKEN} when installing locally, and that makes pnpm ignore auto-install-peers setting there.

I cannot downgrade pnpm to 7.13.6 in the action.yml because option to use lockfile v6 was added in 7.24.0

what do I do?

[SpeedySH]

We got private package resolving issues too and the last valid version is 7.13.6.

Some context: we use a Gitlab instance on premise and our .npmrc look like:

//gitlab.domain.com/api/v4/packages/npm/:_authToken=AUTH_TOKEN
@team-software:registry=https://gitlab.domain.com/api/v4/packages/npm/

We try to install a library hosted on this gitlab registry: "@team-software/v-components": "0.0.96"

This configuration works with pnpm<=7.13.6 or npm but with pnpm 8.6.6 (and node 20.3.0) we get:

 WARN  GET https://gitlab.domain.com/api/v4/projects/17/packages/npm/@team-software/v-components/-/@team-software/v-components-0.0.96.tgz error (ERR_PNPM_FETCH_404). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://gitlab.domain.com/api/v4/projects/17/packages/npm/@team-software/v-components/-/@team-software/v-components-0.0.96.tgz error (ERR_PNPM_FETCH_404). Will retry in 1 minute. 1 retries left.
Packages are hard linked from the content-addressable store to the virtual store.
  Content-addressable store is at: /builds/.pnpm-store/v3
  Virtual store is at:             node_modules/.pnpm
 ERR_PNPM_FETCH_404  GET https://gitlab.domain.com/api/v4/projects/17/packages/npm/@team-software/v-components/-/@team-software/v-components-0.0.96.tgz: Not Found - 404
 No authorization header was set for the request.

I did some tests:

• I added //gitlab.domain.com/api/v4/projects/:_authToken=AUTH_TOKEN and this fixed the issue
• Then I removed //gitlab.domain.com/api/v4/packages/npm/:_authToken=AUTH_TOKEN this brings a new resolving issue. I guess no match between @team-software:registry=xxx and the xxx:_authToken=token
• I merged both line and used //gitlab.domain.com/api/v4/:_authToken=AUTH_TOKEN, this is working (but doesn't follow what gitlab recommend to use for npm).

Final:

My understanding is to resolve the package there is a first match on gitlab.domain.com/api/v4/packages/npm/ then a download issued on the url result gitlab.domain.com/api/v4/projects/. Before the header AUTH_TOKEN issued on the first match was forwarded on the "related download" even if there was an uri mismatch?

Just a guess without diving too much how things are working, if someone has more context about this 🙏

You saved me. I spent 3 hours to find this answer and it really works.

[ekashida]

It sounds like this is a known issue and is described at length here:
https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22

[weyert]

Try adding the one with the project id in your config, e.g.

gitlab.domain.com/api/v4/projects/17/packages/npm/:_authToken=AUTH_TOKEN

For me adding all these urls for each package solved all these issues. Sure, I have 20+ urls in my .npmrc file but no problems :)

I think i saw that my ticket at Gitlab recently got updated/resolved so might want to try in last months/this month Gitlab release or on gitlab.com. https://gitlab.com/gitlab-org/gitlab/-/issues/334897

[tlehtimaki]

It sounds like this is a known issue and is described at length here: https://github.com/npm/cli/wiki/%22No-auth-for-URI,-but-auth-present-for-scoped-registry%22

Would be interesting to hear more widely if the npm related issue has helped people with this issue too.

[novo-esdb]

Have anyone had similar issues trying to access a Azure DevOps artifact feed?

I am getting issues similar to this:

 ERR_PNPM_FETCH_401  GET https://pkgs.dev.azure.com/<org>/_packaging/<project>/npm/registry/@<org-alias><project>: Unauthorized - 401

An authorization header was used: Bearer ejVh[hidden]

These authorization settings were found:
//pkgs.dev.azure.com/<org>/_packaging/<project>/npm/:_authToken=ejVh[hidden]
//pkgs.dev.azure.com/<org>/_packaging/<project>/npm/registry/:_authToken=ejVh[hidden]
@<org-alias>:registry=https://pkgs.dev.azure.com/<org>/_packaging/<project>/npm/registry/

where my local .npmrc has the authentication settings shown above.

[rishavanand]

thanks @danielbayley with pnpm

adding a slash worked

before

//npm.pkg.github.com:_authToken=***

after

//npm.pkg.github.com/:_authToken=***

[zkochan]

A PR has been submitted that should hopefully fix this: #7337

[bilalafzal01]

I just had to configure pnpm as well (with pnpm config set) rather than just having .npmrc

github workflow:

name: Publish artifacts
jobs:
  deploy:
    name: Deploy CDK
    runs-on: ubuntu-latest
    env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions:
        packages: read
        contents: read
    steps:
        - uses: pnpm/action-setup@v2
           with:
             version: 8.9.0
              
        - name: Configure PNPM
          run: pnpm config set '//npm.pkg.github.com/:_authToken' "${GITHUB_TOKEN}"
  
        - name: Install dependencies
          run: cd frontend && pnpm install

.npmrc:

@NAMESPACE:registry=https://npm.pkg.github.com

[revskill10]

Same issue.

[aiell0]

I was using this in a docker container, and was getting 401 errors even with the token set correctly. The package in question was hosted in a private github organization. I had to add the following to my ~/.npmrc file:

RUN echo "registry=https://npm.pkg.github.com/<organization_name>" >> ~/.npmrc