Private dependencies are not updated

[mhlz]

What Renovate type, platform and version are you using?

We're on Github, using the hosted version

Describe the bug

Private dependencies hosted on Github's npm registry are not updated. We are using an encrypted npmrc that configures a prefix in npm to use the github package registry and also includes the authentication token. This seems to work, because renovate does see that updates are available, but then fails to actually update the lockfile. As far as I can tell from the logs it looks like renovate runs a docker image to update the package-lock.json file, but it's not including the .npmrc, which means it fails to find our private dependencies, which then causes the update to fail. Using the same (unencrypted of course) npmrc locally works fine to update dependencies and lockfiles.

Our repositories do already include a .npmrc file which just points the @homefully prefix to the Github package registry. From the log outputs below, it seems like this .npmrc file is also ignored. I would expect the encrypted .npmrc file to be used everywhere.

Relevant debug logs

DEBUG: Updating lock file only(branch="renovate/homefully")
DEBUG: No node constraint found - using latest(branch="renovate/homefully")
DEBUG: Using docker to execute(branch="renovate/homefully")
DEBUG: No tag or tagConstraint specified(branch="renovate/homefully")
{
  "image": "docker.io/renovate/node"
}
DEBUG: Docker image is already prefetched: docker.io/renovate/node(branch="renovate/homefully")
DEBUG: Executing command(branch="renovate/homefully")
{
  "command": "docker run --rm --name=renovate_node --label=renovate_child -v \"/mnt/renovate/gh/homefully/renovate-bug-p2\":\"/mnt/renovate/gh/homefully/renovate-bug-p2\" -v \"/tmp/renovate-cache\":\"/tmp/renovate-cache\" -v \"/home/ubuntu/.npmrc\":\"/home/ubuntu/.npmrc\" -e NPM_CONFIG_CACHE -e npm_config_store -w \"/mnt/renovate/gh/homefully/renovate-bug-p2\" docker.io/renovate/node bash -l -c \"npm i -g npm && npm install --package-lock-only --ignore-scripts --no-audit\""
}
DEBUG: lock file error(branch="renovate/homefully")
{
  "err": {
    "killed": false,
    "code": 1,
    "signal": null,
    "cmd": "docker run --rm --name=renovate_node --label=renovate_child -v \"/mnt/renovate/gh/homefully/renovate-bug-p2\":\"/mnt/renovate/gh/homefully/renovate-bug-p2\" -v \"/tmp/renovate-cache\":\"/tmp/renovate-cache\" -v \"/home/ubuntu/.npmrc\":\"/home/ubuntu/.npmrc\" -e NPM_CONFIG_CACHE -e npm_config_store -w \"/mnt/renovate/gh/homefully/renovate-bug-p2\" docker.io/renovate/node bash -l -c \"npm i -g npm && npm install --package-lock-only --ignore-scripts --no-audit\"",
    "stdout": "/home/ubuntu/.npm-global/bin/npm -> /home/ubuntu/.npm-global/lib/node_modules/npm/bin/npm-cli.js\n/home/ubuntu/.npm-global/bin/npx -> /home/ubuntu/.npm-global/lib/node_modules/npm/bin/npx-cli.js\n+ npm@6.14.8\nadded 434 packages from 885 contributors in 24.523s\n",
    "stderr": "npm ERR! code E404\nnpm ERR! 404 Not Found - GET https://**redacted**@homefully%2frenovate-bug-p1 - Not found\nnpm ERR! 404 \nnpm ERR! 404  '@homefully/renovate-bug-p1@1.0.5' is not in the npm registry.\nnpm ERR! 404 You should bug the author to publish it (or use the name yourself!)\nnpm ERR! 404 It was specified as a dependency of 'renovate-bug-p2'\nnpm ERR! 404 \nnpm ERR! 404 Note that you can also install from a\nnpm ERR! 404 tarball, folder, http url, or git url.\n\nnpm ERR! A complete log of this run can be found in:\nnpm ERR!     /tmp/renovate-cache/others/npm/_logs/2020-09-23T07_45_46_409Z-debug.log\n",
    "message": "Command failed: docker run --rm --name=renovate_node --label=renovate_child -v \"/mnt/renovate/gh/homefully/renovate-bug-p2\":\"/mnt/renovate/gh/homefully/renovate-bug-p2\" -v \"/tmp/renovate-cache\":\"/tmp/renovate-cache\" -v \"/home/ubuntu/.npmrc\":\"/home/ubuntu/.npmrc\" -e NPM_CONFIG_CACHE -e npm_config_store -w \"/mnt/renovate/gh/homefully/renovate-bug-p2\" docker.io/renovate/node bash -l -c \"npm i -g npm && npm install --package-lock-only --ignore-scripts --no-audit\"\nnpm ERR! code E404\nnpm ERR! 404 Not Found - GET https://**redacted**@homefully%2frenovate-bug-p1 - Not found\nnpm ERR! 404 \nnpm ERR! 404  '@homefully/renovate-bug-p1@1.0.5' is not in the npm registry.\nnpm ERR! 404 You should bug the author to publish it (or use the name yourself!)\nnpm ERR! 404 It was specified as a dependency of 'renovate-bug-p2'\nnpm ERR! 404 \nnpm ERR! 404 Note that you can also install from a\nnpm ERR! 404 tarball, folder, http url, or git url.\n\nnpm ERR! A complete log of this run can be found in:\nnpm ERR!     /tmp/renovate-cache/others/npm/_logs/2020-09-23T07_45_46_409Z-debug.log\n",
    "stack": "Error: Command failed: docker run --rm --name=renovate_node --label=renovate_child -v \"/mnt/renovate/gh/homefully/renovate-bug-p2\":\"/mnt/renovate/gh/homefully/renovate-bug-p2\" -v \"/tmp/renovate-cache\":\"/tmp/renovate-cache\" -v \"/home/ubuntu/.npmrc\":\"/home/ubuntu/.npmrc\" -e NPM_CONFIG_CACHE -e npm_config_store -w \"/mnt/renovate/gh/homefully/renovate-bug-p2\" docker.io/renovate/node bash -l -c \"npm i -g npm && npm install --package-lock-only --ignore-scripts --no-audit\"\nnpm ERR! code E404\nnpm ERR! 404 Not Found - GET https://**redacted**@homefully%2frenovate-bug-p1 - Not found\nnpm ERR! 404 \nnpm ERR! 404  '@homefully/renovate-bug-p1@1.0.5' is not in the npm registry.\nnpm ERR! 404 You should bug the author to publish it (or use the name yourself!)\nnpm ERR! 404 It was specified as a dependency of 'renovate-bug-p2'\nnpm ERR! 404 \nnpm ERR! 404 Note that you can also install from a\nnpm ERR! 404 tarball, folder, http url, or git url.\n\nnpm ERR! A complete log of this run can be found in:\nnpm ERR!     /tmp/renovate-cache/others/npm/_logs/2020-09-23T07_45_46_409Z-debug.log\n\n    at ChildProcess.exithandler (child_process.js:303:12)\n    at ChildProcess.emit (events.js:311:20)\n    at ChildProcess.EventEmitter.emit (domain.js:482:12)\n    at maybeClose (internal/child_process.js:1021:16)\n    at Process.ChildProcess._handle.onexit (internal/child_process.js:286:5)"
  },
  "type": "npm"
}
DEBUG: No updated lock files in branch(branch="renovate/homefully")
DEBUG: Branch timestamp: 2020-09-23T07:33:51.000Z(branch="renovate/homefully")
DEBUG: PR is less than a day old - raise error instead of PR(branch="renovate/homefully")
DEBUG: Passing lockfile-error up(branch="renovate/homefully")
INFO: Lock file error - aborting

To Reproduce

Because this bug affects private repositories only, I can't really provide access to these repositories, but they are absolutely minimal examples. They include the following files:

.npmrc in repo

@homefully:registry=https://npm.pkg.github.com/

.npmrc in renovate.json/encrypted/npmrc

//npm.pkg.github.com/:_authToken=GITHUB_AUTH_TOKEN\n@homefully:registry=https://npm.pkg.github.com/\n

renovate.json

{
  "extends": ["github>homefully/renovate", ":pinVersions"],
  "encrypted": {
    "npmrc": "***encrypted stuff***"
  }
}

and the necessary package.json and lockfiles so that homefully/renovate-bug-p2 depends on an outdated version of homefully/renovate-bug-p1. If needed I can provide tarballs of the repositories with the encrypted stuff removed.

Additional context

The renovate.json config extends the one we have in https://github.com/homefully/renovate. This might contain settings that are relevant to reproduce the bug.

[viceice]

@mhlz Can you please try a npm hostRule instead of an encrypted npmrc config?

@rarkins looks like the same issue we have with yarn, can't find it right now. 🤔

[mhlz]

@viceice I'm happy to try that, but I can't find how I would encrypt the token with the hostRule approach?

[viceice]

Just add an encrypted section with the encrypted token property to the hostRule.

[mhlz]

This seems to run into a similar problem:

renovate.json:

{
  "extends": ["github>homefully/renovate", ":pinVersions"],
  "hostRules": [
    {
      "domainName": "npm.pkg.github.com",
      "encrypted": {
        "token": "***encrypted***"
      }
    }
  ]
}

Logs:

DEBUG: Generating package-lock.json for .(branch="renovate/homefully")
DEBUG: Spawning npm install to create /mnt/renovate/gh/homefully/renovate-bug-p2/package-lock.json(branch="renovate/homefully")
DEBUG: Updating lock file only(branch="renovate/homefully")
DEBUG: No node constraint found - using latest(branch="renovate/homefully")
DEBUG: Using docker to execute(branch="renovate/homefully")
DEBUG: No tag or tagConstraint specified(branch="renovate/homefully")
{
  "image": "docker.io/renovate/node"
}
DEBUG: Docker image is already prefetched: docker.io/renovate/node(branch="renovate/homefully")
DEBUG: Executing command(branch="renovate/homefully")
{
  "command": "docker run --rm --name=renovate_node --label=renovate_child -v \"/mnt/renovate/gh/homefully/renovate-bug-p2\":\"/mnt/renovate/gh/homefully/renovate-bug-p2\" -v \"/tmp/renovate-cache\":\"/tmp/renovate-cache\" -v \"/home/ubuntu/.npmrc\":\"/home/ubuntu/.npmrc\" -e NPM_CONFIG_CACHE -e npm_config_store -w \"/mnt/renovate/gh/homefully/renovate-bug-p2\" docker.io/renovate/node bash -l -c \"npm i -g npm && npm install --package-lock-only --ignore-scripts --no-audit\""
}
DEBUG: lock file error(branch="renovate/homefully")
{
  "err": {
    "killed": false,
    "code": 1,
    "signal": null,
    "cmd": "docker run --rm --name=renovate_node --label=renovate_child -v \"/mnt/renovate/gh/homefully/renovate-bug-p2\":\"/mnt/renovate/gh/homefully/renovate-bug-p2\" -v \"/tmp/renovate-cache\":\"/tmp/renovate-cache\" -v \"/home/ubuntu/.npmrc\":\"/home/ubuntu/.npmrc\" -e NPM_CONFIG_CACHE -e npm_config_store -w \"/mnt/renovate/gh/homefully/renovate-bug-p2\" docker.io/renovate/node bash -l -c \"npm i -g npm && npm install --package-lock-only --ignore-scripts --no-audit\"",
    "stdout": "/home/ubuntu/.npm-global/bin/npm -> /home/ubuntu/.npm-global/lib/node_modules/npm/bin/npm-cli.js\n/home/ubuntu/.npm-global/bin/npx -> /home/ubuntu/.npm-global/lib/node_modules/npm/bin/npx-cli.js\n+ npm@6.14.8\nadded 434 packages from 885 contributors in 27.979s\n",
    "stderr": "npm ERR! code E401\nnpm ERR! Unable to authenticate, need: Basic realm=\"GitHub Package Registry\"\n\nnpm ERR! A complete log of this run can be found in:\nnpm ERR!     /tmp/renovate-cache/others/npm/_logs/2020-09-23T09_36_54_964Z-debug.log\n",
    "message": "Command failed: docker run --rm --name=renovate_node --label=renovate_child -v \"/mnt/renovate/gh/homefully/renovate-bug-p2\":\"/mnt/renovate/gh/homefully/renovate-bug-p2\" -v \"/tmp/renovate-cache\":\"/tmp/renovate-cache\" -v \"/home/ubuntu/.npmrc\":\"/home/ubuntu/.npmrc\" -e NPM_CONFIG_CACHE -e npm_config_store -w \"/mnt/renovate/gh/homefully/renovate-bug-p2\" docker.io/renovate/node bash -l -c \"npm i -g npm && npm install --package-lock-only --ignore-scripts --no-audit\"\nnpm ERR! code E401\nnpm ERR! Unable to authenticate, need: Basic realm=\"GitHub Package Registry\"\n\nnpm ERR! A complete log of this run can be found in:\nnpm ERR!     /tmp/renovate-cache/others/npm/_logs/2020-09-23T09_36_54_964Z-debug.log\n",
    "stack": "Error: Command failed: docker run --rm --name=renovate_node --label=renovate_child -v \"/mnt/renovate/gh/homefully/renovate-bug-p2\":\"/mnt/renovate/gh/homefully/renovate-bug-p2\" -v \"/tmp/renovate-cache\":\"/tmp/renovate-cache\" -v \"/home/ubuntu/.npmrc\":\"/home/ubuntu/.npmrc\" -e NPM_CONFIG_CACHE -e npm_config_store -w \"/mnt/renovate/gh/homefully/renovate-bug-p2\" docker.io/renovate/node bash -l -c \"npm i -g npm && npm install --package-lock-only --ignore-scripts --no-audit\"\nnpm ERR! code E401\nnpm ERR! Unable to authenticate, need: Basic realm=\"GitHub Package Registry\"\n\nnpm ERR! A complete log of this run can be found in:\nnpm ERR!     /tmp/renovate-cache/others/npm/_logs/2020-09-23T09_36_54_964Z-debug.log\n\n    at ChildProcess.exithandler (child_process.js:303:12)\n    at ChildProcess.emit (events.js:311:20)\n    at ChildProcess.EventEmitter.emit (domain.js:482:12)\n    at maybeClose (internal/child_process.js:1021:16)\n    at Process.ChildProcess._handle.onexit (internal/child_process.js:286:5)"
  },
  "type": "npm"
}
DEBUG: No updated lock files in branch(branch="renovate/homefully")
DEBUG: Branch timestamp: 2020-09-23T07:33:51.000Z(branch="renovate/homefully")
DEBUG: PR is less than a day old - raise error instead of PR(branch="renovate/homefully")
DEBUG: Passing lockfile-error up(branch="renovate/homefully")
INFO: Lock file error - aborting

Although it does seem to be using the github registry now.

It also finds the pending update and displays it in the dependency dashboard again.

[viceice]

https://docs.renovatebot.com/configuration-options/#hosttype

Try hostType=npm for the rule.

Did you encoded the token before encryption?
You need to encrypt the bare github token.

[mhlz]

renovate.json:

{
  "extends": ["github>homefully/renovate", ":pinVersions"],
  "hostRules": [
    {
      "domainName": "npm.pkg.github.com",
      "hostType": "npm",
      "encrypted": {
        "token": "***encrypted***"
      }
    }
  ]
}

Results in the same error as above. The token was not encoded before encryption.

[viceice]

Ok, looks like our written npmrc is somehow wrong.

We need to debug this further. Sorry.

[rarkins]

Perhaps too risky to dump a copy of the .npmrc as it could contain a secret we don't know about? Unless we add custom sanitizing to it before logging it as a string

[viceice]

I think we can sanitize the npmrc with some simple regexes.

I think we need something like:

• ^_auth=
• ^_authToken=
• ^_password=

So sanitize values after equal sign, or parse as ini and sanitize values where key ending with those auth tokens.

[viceice]

Maybe we can leave the first and last two chars readable, so the owner can check them

[rarkins]

I think auth can be part way through the line too, so need to remove the ^

[viceice]

Ah, yes. Can be start of line or should have a : prefix for registry scope.

[viceice]

some news:

I 'm currently debugging an auth issue with yarn and found, that the configured npmrc get overwritten by the .npmrc file in repo on package extraction phase. so renovate won't use the configuration until ignoreNpmrc=true is also configured.

[viceice]

also the hostrule for yarn to work needs an ending slash, so for me the following works (using verdaccio)

  {
      "baseUrl": "https://npm.domain.org/",
      "hostType": "npm",
      "token": "***"
    }

[viceice]

also domainName doesn't work, you need to use hostName or baseUrl instead

renovate/lib/manager/npm/post-update/index.ts

Lines 442 to 454 in 5d99ff9

	if (hostRule.token) {
	if (hostRule.baseUrl) {
	additionalNpmrcContent.push(
	`${hostRule.baseUrl}:_authToken=${hostRule.token}`
	.replace('https://', '//')
	.replace('http://', '//')
	);
	} else if (hostRule.hostName) {
	additionalNpmrcContent.push(
	`//${hostRule.hostName}/:_authToken=${hostRule.token}`
	);
	}
	}

[viceice]

hostType: 'npm', is required too.

[viceice]

some more interesting stuff, github registry mirror packages are redirecting to npm registry

npm sill extract is-buffer@1.1.0
npm sill tarball trying is-buffer@1.1.0 by hash: sha1-NveFDA0HenGwQfNWVmQVXwcDW9A=
npm sill tarball no local data for is-buffer@1.1.0. Extracting by manifest.
npm http fetch POST 404 https://npm.pkg.github.com/viceice/-/npm/v1/security/audits/quick 170ms
npm http fetch GET 200 https://npm.pkg.github.com/viceice/is-buffer 263ms
npm http fetch GET 200 https://registry.npmjs.org/is-buffer/-/is-buffer-1.1.0.tgz 126ms
npm sill extract is-buffer@1.1.0 extracted to /app/node_modules/.staging/is-buffer-8ce5275f (412ms)
npm timing action:extract Completed in 416ms

wondered why npm lockfile points to npm registry here: https://github.com/viceice/renovate-gh-npm-test/tree/master/npm

[viceice]

yarnpkg/yarn#4451

[esatterwhite]

I'm having similar troubles with private packages - specifically on github packages. Able to get it to find the right registry and authenticate as far as I can tell. It doesn't error, It just doesn't seem to pick up any updates.

{
  "autodiscover": false,
  "hostRules": [{
    "hostName": "npm.pkg.github.com",
    "hostType": "npm",
    "token": "<REDACTED>"
  }],
  "gitAuthor": "Renovate Bot <bot@logdna.com>",
  "ignoreNpmrcFile": "true",
  "npmrc": "@answerbook:registry=https://npm.pkg.github.com/\n//npm.pkg.github.com/:_authToken=",
  "token": "<REDACTED>"
}

I can see in the log that its finding the registry, pulling down the depedencies correctly, but no updates.

// DEBUG: packageFiles with updates
{
  "config": {
    "npm": [
      {
        "packageFile": "package.json",
        "deps": [
          {
            "depType": "dependencies",
            "depName": "@answerbook/stdlib",
            "currentValue": "^1.2.0",
            "datasource": "npm",
            "prettyDepType": "dependency",
            "depIndex": 0,
            "updates": [], // empty, but has updates
            "warnings": [],
            "sourceUrl": "https://github.com/answerbook/stdlib-node"
          },
          {
            "depType": "dependencies",
            "depName": "chevrotain",
            "currentValue": "^7.0.3",
            "datasource": "npm",
            "prettyDepType": "dependency",
            "depIndex": 1,
            "updates": [
              {
                "currentVersion": "7.1.2",
                "newVersion": "8.0.1",
                "newValue": "^8.0.0",
                "bucket": "major",
                "newMajor": 8,
                "newMinor": 0,
                "updateType": "major",
                "isSingleVersion": false,
                "isRange": true,
                "releaseTimestamp": "2021-02-28T14:45:57.576Z",
                "skippedOverVersions": [
                  "8.0.0"
                ],
                "branchName": "renovate/chevrotain-8.x"
              }
            ],
            "warnings": [],
            "sourceUrl": "https://github.com/Chevrotain/chevrotain",
            "homepage": "https://chevrotain.io/docs/"
          }
        ],
        "packageJsonName": "@answerbook/logdna-test-setup-chain",
        "packageFileVersion": "5.0.4",
        "packageJsonType": "library",
        "skipInstalls": true,
        "constraints": {}
      }
    ]
  }
}

Am I missing something simple here?

[rarkins]

@esatterwhite please start q&a discussion instead