Why support of legacy auth was dropped?

[Tri0L]

Hello.

I see that legacy auth was dropped few releases before. (51ab3c8)
Why?

Is there another way to use legacy auth? We use nexus, and authToken not supported yet.

[travi]

#538 (comment) captures most of the reasoning behind the decision. nexus continuing to support only legacy auth is new information and their current documentation appears to confirm, but is likely not enough to cause us to reverse our decision.

personally, using a registry that continues to require the use of a password would make me question its approach to authorization since it prevents the ability to reduce the level of access granted when leaked. i understand that recommending a registry switch is not a small task, but i would at least consider this a variable to consider when weighing continued use into the future. short of that, the best i can suggest is to continue use of the previous major version of the npm plugin, which has been stable for some time. however, we have no plans to continue maintenance of that version.

[tehshin]

I respect your decision but it is not always possible to switch out the registry within a company because it is used for other repositories besides npm and used by multiple departments.

I just want to simply add a workaround I implemented for our GitLab CI that doesn't require any changes in the plugin:

Based on the documentation we generate the base64 encoded string and store it in a Variable (Repository Settings > CI/CD)

In the pipeline configuration we update the npm config before executing semantic-release:

publish:
  script:
    - npm config set //nexus.url/repository/npm-private/:_auth=$NPM_TOKEN
    # not sure if this is needed, but to be safe we remove the token so the plugin doesn't pick it up
    - unset NPM_TOKEN
    - npx semantic-release

The way I understand it, the plugin will pick up the existing //nexus.url/repository/npm-private/:_auth config and skip appending the token itself.

I hope this helpful for some poor soul. :)