404 Errors cause by Lookups to registry.npmjs.org

[robg-temp]

Hello!

We are planning to use Renovate to only update internal libraries, which are hosted at:

https://package.acme.com/repository/npm-private

It is configured as a self-hosted (Docker) jenkins job that runs every 15 minutes that scans about GitHub 10 projects. We turned on automerging, but it isn't working because of "Artifact update problems", which I believe are caused by renovate looking for updates on the default npm registry:

Note that the versions are being updated correctly, which tells me that renovate is still finding the version info on our own private repo, but I would like to get rid of these 404 errors so that automerging works.

I added hostRules to disable our central configuration file to disable "registry.npmjs.org", but it doesn't seem to be working, as
the repos show that they were scanned with the new hostRules.

Here is the config file, which was provided by rarkins:

module.exports = {
  "baseBranches": (process.env.ACTIVE_BRANCHES + ",master").split(","),
  "onboardingConfig": {
    "extends": [ "config:base" ]
  },
  "platform": "github",
  "rangeStrategy": "bump",
  "separateMinorPatch": true,
  "packageRules": [
    {
       "description": "Disable all updates on all base branches to begin with",
       "matchPackagePatterns": ["*"],
       "enabled": false
    },
    {
      "description": "Enable @acme packages on master",
      "matchBaseBranches": ["master"],
      "matchPackagePatterns": ["^@acme"],
      "enabled": true
    },
    {
      "description": "Disable @acme major updates on master",
      "matchBaseBranches": ["master"],
      "matchPackagePatterns": ["^@acme"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    },
    {
      "description": "Enable @acme/common-assets on sprint and release branches",
      "matchBaseBranches": process.env.ACTIVE_BRANCHES.split(","),
      "matchPackageNames": ["@acme/common-assets"],
      "enabled": true
    },
    {
      "description": "Disable @acme/common-assets minor and major updates on sprint and release branches",
      "matchBaseBranches": process.env.ACTIVE_BRANCHES.split(","),
      "matchPackageNames": ["@acme/common-assets"],
      "matchUpdateTypes": ["major", "minor"],
      "enabled": false
    },
    {
      "description": "automerge every PR",
      "matchPackagePatterns": ["*"],
      "automerge": true
    }
  ]
};

Thanks!!!

Rob G

[rarkins]

If you add "npmrc": "registry=https://package.acme.com/repository/npm-private" to your config then it should steer all requests to your internal registry. Try to solve that problem first.

Try to avoid packageRules with nested objects (minor, major).

[robg-temp]

Apparently the file looks something like:

email=...
always-auth=true
strict-ssl=true
registry=https://package.acme.com/repository/npm
_auth=...

I would say that the lookups are working because the versions are being updated, but there are also 404 errors. What I would like is for renovate to continue to fetch info from our private repo, while ignoring the default npm repo. Is that possible?

Rob

[robg-temp]

If you add "npmrc": "registry=https://package.acme.com/repository/npm-private" to your config then it should steer all requests to your internal registry. Try to solve that problem first.

Try to avoid packageRules with nested objects (minor, major).

I just noticed that I pasted in the wrong rules. I replaced them with those that you wrote for us!

[robg-temp]

I tried adding:

"hostRules": [
    {
      "hostName": "registry.npmjs.org",
      "enabled": false
    }
  ]

Interestingly, that also caused renovate to stop working.

Do you know why renovate doesn't raise any errors without access to the private repo?

[robg-temp]

I'm going to try setting the host in the config file just to see what happens...

[robg-temp]

I took out the line in the jenkinsfile that copies over the .npmrc file. That made renovate stop working. When I put it back, it worked again, albeit with the 404 errors.

This leads me to believe that it is using the .npmrc file, but it's also trying to lookup dependencies from the default npm repo.

In the log, it says that renovate had an Artifact update problem, but then it created the branch (with the correct version):

 INFO: Comment added (repository=Recognia/web-portfolio-dashboard, branch=renovate/Release-151-pin-dependencies)
       "issueNo": 90,
       "topic": "⚠️ Artifact update problem"
 INFO: Branch created (repository=Recognia/web-portfolio-dashboard, branch=renovate/master-pin-dependencies)
       "commitSha": "f5c7cb9"

[robg-temp]

I found out what the issue was. It was caused by the package-lock.json files having outdated references to "registry.npmjs.org". Even though I removed our internal dependencies, having any references to "registry.npmjs.org" would cause 404 errors for our own libraries. (???)
Not sure if this is expected behavior or a bug, but, updating ALL references in the package-lock.json file to our private repo OR deleting the package-lock.json file entirely got rid of the 404 errors.