Private dependencies are not updated #21693
Replies: 20 comments
-
@mhlz Can you please try a npm hostRule instead of an encrypted npmrc config? @rarkins looks like the same issue we have with yarn, can't find it right now. 🤔
-
@viceice I'm happy to try that, but I can't find how I would encrypt the token with the hostRule approach?
-
Just add an encrypted section with the encrypted token property to the hostRule.
-
This seems to run into a similar problem:
renovate.json:
{
  "extends": ["github>homefully/renovate", ":pinVersions"],
  "hostRules": [
    {
      "domainName": "npm.pkg.github.com",
      "encrypted": {
        "token": "***encrypted***"
      }
    }
  ]
}
Logs:
Although it does seem to be using the github registry now. It also finds the pending update and displays it in the dependency dashboard again.
-
https://docs.renovatebot.com/configuration-options/#hosttype Try Did you encode the token before encryption?
-
renovate.json:
{
  "extends": ["github>homefully/renovate", ":pinVersions"],
  "hostRules": [
    {
      "domainName": "npm.pkg.github.com",
      "hostType": "npm",
      "encrypted": {
        "token": "***encrypted***"
      }
    }
  ]
}
Results in the same error as above. The token was not encoded before encryption.
-
Ok, looks like our written npmrc is somehow wrong. We need to debug this further. Sorry.
-
Perhaps too risky to dump a copy of the
-
I think we can sanitize the npmrc with some simple regexes. I think we need something like:
So sanitize values after equal sign, or parse as ini and sanitize values where key ending with those auth tokens.
-
Maybe we can leave the first and last two chars readable, so the owner can check them
-
I think auth can be part way through the line too, so need to remove the
-
Ah, yes. Can be start of line or should have a
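The redaction idea discussed in the comments above (mask auth values in an npmrc before it is logged, keep the first and last two characters, accept the key at the start of a line or after a colon), as an added example that is not part of the thread and not Renovate's own code. The key list, function names and sample values are assumptions; masking a password embedded in a registry URL goes beyond what the comments mention.

```javascript
// Added example (not Renovate's code): redact credentials in .npmrc text before logging.
// SECRET_KEYS, maskValue and sanitizeNpmrc are names assumed for this illustration.
const SECRET_KEYS = ['_authToken', '_auth', '_password'];

// Keep the first and last two characters so the owner can recognise the value.
// Values under 12 characters are masked whole: four visible characters is too much.
function maskValue(value) {
  if (value.length < 12) return '***';
  return `${value.slice(0, 2)}***${value.slice(-2)}`;
}

function sanitizeNpmrc(text) {
  // The key sits at the start of the line or after ':' (//host/:_authToken=...).
  const keyRe = new RegExp(
    `^(\\s*(?:[^=\\s]*:)?(?:${SECRET_KEYS.join('|')})\\s*=\\s*)(.*)$`
  );
  // user:password@ embedded in a registry URL.
  const urlRe = /(\w+:\/\/[^\/\s:@]+:)([^@\s\/]+)(@)/g;
  return text
    .split(/\r?\n/)
    .map((line) => {
      if (/^\s*[#;]/.test(line)) return line; // comment line
      const m = keyRe.exec(line);
      if (!m) {
        return line.replace(urlRe, (_all, pre, pw, at) => pre + maskValue(pw) + at);
      }
      const raw = m[2].trim().replace(/^"(.*)"$/, '$1');
      // An empty value or a ${VAR} reference is not a secret, and seeing it
      // in the log is useful when debugging authentication.
      if (raw === '' || /^\$\{[^}]+\}$/.test(raw)) return line;
      return m[1] + maskValue(raw);
    })
    .join('\n');
}

// Constructed sample input; every credential below is made up.
const SAMPLE = [
  '@homefully:registry=https://npm.pkg.github.com/',
  '//npm.pkg.github.com/:_authToken=constructed-token-value-0000',
  '//npm.domain.org:4873/:_authToken=${NPM_TOKEN}',
  '_auth=',
  'registry=https://bot:constructedPassw0rd@npm.domain.org/',
].join('\n');

console.log(sanitizeNpmrc(SAMPLE));
```

Leaving an empty `_authToken=` visible matters for this kind of report: a token that was never substituted into the written npmrc shows up in the log as such instead of being hidden behind a mask.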
-
Some news: I'm currently debugging an auth issue with yarn and found that the configured
-
also the hostrule for yarn to work needs an ending slash, so for me the following works (using verdaccio)
{
  "baseUrl": "https://npm.domain.org/",
  "hostType": "npm",
  "token": "***"
}
-
also renovate/lib/manager/npm/post-update/index.ts Lines 442 to 454 in 5d99ff9
-
some more interesting stuff, github registry mirror packages are redirecting to npm registry
wondered why npm lockfile points to npm registry here: https://github.com/viceice/renovate-gh-npm-test/tree/master/npm
-
I'm having similar troubles with private packages - specifically on github packages. Able to get it to find the right registry and authenticate as far as I can tell. It doesn't error, it just doesn't seem to pick up any updates.
{
  "autodiscover": false,
  "hostRules": [{
    "hostName": "npm.pkg.github.com",
    "hostType": "npm",
    "token": "<REDACTED>"
  }],
  "gitAuthor": "Renovate Bot <bot@logdna.com>",
  "ignoreNpmrcFile": "true",
  "npmrc": "@answerbook:registry=https://npm.pkg.github.com/\n//npm.pkg.github.com/:_authToken=",
  "token": "<REDACTED>"
}
I can see in the log that it's finding the registry, pulling down the dependencies correctly, but no updates.
// DEBUG: packageFiles with updates
{
"config": {
"npm": [
{
"packageFile": "package.json",
"deps": [
{
"depType": "dependencies",
"depName": "@answerbook/stdlib",
"currentValue": "^1.2.0",
"datasource": "npm",
"prettyDepType": "dependency",
"depIndex": 0,
"updates": [], // empty, but has updates
"warnings": [],
"sourceUrl": "https://github.com/answerbook/stdlib-node"
},
{
"depType": "dependencies",
"depName": "chevrotain",
"currentValue": "^7.0.3",
"datasource": "npm",
"prettyDepType": "dependency",
"depIndex": 1,
"updates": [
{
"currentVersion": "7.1.2",
"newVersion": "8.0.1",
"newValue": "^8.0.0",
"bucket": "major",
"newMajor": 8,
"newMinor": 0,
"updateType": "major",
"isSingleVersion": false,
"isRange": true,
"releaseTimestamp": "2021-02-28T14:45:57.576Z",
"skippedOverVersions": [
"8.0.0"
],
"branchName": "renovate/chevrotain-8.x"
}
],
"warnings": [],
"sourceUrl": "https://github.com/Chevrotain/chevrotain",
"homepage": "https://chevrotain.io/docs/"
}
],
"packageJsonName": "@answerbook/logdna-test-setup-chain",
"packageFileVersion": "5.0.4",
"packageJsonType": "library",
"skipInstalls": true,
"constraints": {}
}
]
}
}
Am I missing something simple here?
-
@esatterwhite please start q&a discussion instead
-
What Renovate type, platform and version are you using?
We're on Github, using the hosted version
Describe the bug
Private dependencies hosted on Github's npm registry are not updated. We are using an encrypted npmrc that configures a prefix in npm to use the github package registry and also includes the authentication token. This seems to work, because renovate does see that updates are available, but then fails to actually update the lockfile. As far as I can tell from the logs it looks like renovate runs a docker image to update the package-lock.json file, but it's not including the .npmrc, which means it fails to find our private dependencies, which then causes the update to fail. Using the same (unencrypted of course) npmrc locally works fine to update dependencies and lockfiles.
Our repositories do already include a .npmrc file which just points the @homefully prefix to the Github package registry. From the log outputs below, it seems like this .npmrc file is also ignored. I would expect the encrypted .npmrc file to be used everywhere.
Relevant debug logs
To Reproduce
Because this bug affects private repositories only, I can't really provide access to these repositories, but they are absolutely minimal examples. They include the following files:
.npmrc in repo
.npmrc in renovate.json/encrypted/npmrc
renovate.json
and the necessary package.json and lockfiles so that homefully/renovate-bug-p2 depends on an outdated version of homefully/renovate-bug-p1. If needed I can provide tarballs of the repositories with the encrypted stuff removed.
Additional context
The renovate.json config extends the one we have in https://github.com/homefully/renovate. This might contain settings that are relevant to reproduce the bug.