Hyper: Cannot Install Plugins/Themes with CLI

We're using a rebuilt version of yarn to install plugins.

I don't think there's enough demand for such a setting that it would be worth adding and maintaining.

There is a workaround:

1. Add plugin to ~/.hyper.js
2. Open terminal and cd ~/.hyper_plugins/
3. Install via your low security npm npm install
4. Plugins should work

Hope that helps 👍

Also sounds like your school is intercepting your traffic via a custom SSL cert, I would try everything to get around that, they are decrypting your traffic and can get all your passwords and everything you send on the webs.....

I'm not sure there's anything we can do to help in case of your school intercepting traffic 🤔
Feel free to re-open or comment if I'm wrong

Have you a specific .npmrc?

I'm getting this error even when I'm tethered to my phone's hotspot. I'm guessing that it's not related to the firewall, any recommendations for me to troubleshoot? I didn't see any errors in the network tab or console of the developer tools. Cheers!

Edit: @chabou 's comment was my issue for the error original issue's error message. I was using a custom .npmrc. Removing it (or renaming) fixes the issue. It looks like https://github.com/zeit/hyper/issues/2799 might cover the underlying issue.

Same here!
We either need the option to add custom CA's or to disable the ssl check

I don't think we should do that, it opens up for nasty vulnerabilities, code execution with root permissions etc. There are better workarounds like VPN.

Sure disabling is not a good idea. Introducing the functionality to add a custom CA would be the preferred way.
However, how does a VPN solves the problem?
I assume most people using hyper are devs or other IT guys working in a Company with a certain policy which are most likely neither allowed to build a vpn outside the company network, nor wiling to do such an affort for a "plugin"

VPN is widely used in China, we use it in the company to bypass GFW. Or we just can't open GitHub. You can build one your self.

I too get this error while trying to install plugins at work. It works without issue at home, just not when going through our corporate firewall. I have attempted to go into the ~/.hyper_plugins directory and doing npm install, but I do not have npm installed, nor do I have a need for it on a regular basis. Is there a .npmrc file that hyper users where I could disable the Certificate Check as per an issue on npm that I've seen but don't currently have in front of me?

Edit: It might be worth adding that my Operating System trusts the certificate that hyper (and npm and VS Code, and a lot of other tools) has an issue with. It would be really good if these tools started looking to the built in security mechanisms of the Operating Systems to determine if they trust something or not.

Why wouldn't you just honor strict-ssl=false in the .npmrc?

That's a huge security risk @sskoopa, it's super easy to man in the middle without correct SSL and your computer can easily get infected with malicious code.

Curious if any progress has been made on this. It seems that Hyper doesn't honor the NODE_EXTRA_CA_CERTS environment variable if it's set. We use a proxy at work and I had to set that environment variable with the path to the cert used by the proxy. Then npm will trust that cert and allow downloads. I can npm install plugins in the plugin directory, but Hyper can't update/install plugins itself.

I've been doing some work with getting git to work with OpenSSL instead of SChannel and recognizing.

In that case, there is a cert bundle that it uses to determine what's valid for signing. I cannot find one for Hyper. Can anyone point me to where Hyper is looking for certificates so that I can look at the possibility of injecting our CA into the cert bundle?

I have found that around line 65135 of https://github.com/zeit/hyper/blob/canary/bin/yarn-standalone.js it talks about the ca file, but I can't for the life of me figure out where it's getting it from, or how to specify my own file.

I share the same problem than the others have. I'm behind a corporate web-proxy. Well SSL interception is also in place but the corporate root CAs where in the certificate store.

I have npm installed and set the necessary http_proxy/https_proxy/no_proxy config entries. As well as added the same entries to the environment variables and my windows default proxy settings are also set. npm, git and many others are performing very well with this settings. Only hyper is fully ignoring all kind of proxy settings. @albinekb respecting system proxy settings isn't a security flaw, requesting to download and place suspicous things in the ~/.hyper_plugins/.

After reading this and other issues I believe hyper is not targeting serious IT professionals. I guess they promote a fancy terminal app to scriptkiddis. I see no other reason for that kind of ignorance over month/years. In addition I have to assume, that their cloud products also targets hobbyist an not serious professional customers.

For all the others cmder on Windows is a great terminal alternative.

While I disagree with the tone of @dannyyy's comment, I understand the point they are trying to make.

@albinekb I agree that strict-ssl=false is a security risk. At the same time, advocating that users try to bypass their school/corporate firewall is a non-starter for most. There should be a way (preferences setting?) to set a cafile path that the yarn-standalone will use as a trusted ca so that users can CHOOSE to trust their corporate proxy ca. That way you can still maintain SSL, install plugins, and not lose your job/get expelled. This approach works very well (it's how I use npm at work currently).

@jerquiaga
I'm sorry for my tone, but the issue doesn't start at choosing other trusted CAs. From my perspective it starts by configuring a web proxy at all!

One thing that should be noted is that Hyper itself has no problem checking for and installing updates to the main application behind a corporate SSL decrypting firewall. It's just the installation of plugins that fails spectacularly.

If I'm behind an institutional firewall that is reading my passwords and I've already installed the trusted CA, hyper is not going to protect me by refusing to install plugins. I'd have given up control of security well before getting to this point. I'm not sure what real harm this is trying to protect me from.

I'm having the same issue. I am behind an HTTP proxy requiring authentication and a custom CA. NPM and yarn work absolutely fine with the proper environment variables set.

What if there was just a way to configure Hyper to use the natively installed npm or yarn to install plugins. That way, if I need to, I can tell it to use npm or yarn from the system, instead of its builtin one. The system-installed npm and yarn are already working so if Hyper just executes either one of those to install the plugins, it should be fine, right?

I just realized that you can use the localPlugins config to get around this problem:

  // in development, you can create a directory under
  // `~/.hyper_plugins/local/` and include it here
  // to load it and avoid it being `npm install`ed
  localPlugins: [
    'hyper-material-theme',
    'hyper-tabs-enhanced'
  ],

Just clone the plugins to ~/.hyper_plugins/local/ and run npm install inside of each plugin. This is the best workaround I've found so far and it isn't that much of an inconvenience for me. Might still be nice to have a more built-in config setup, but not a big deal with this workaround.

sadly not much we can do here, we also have a ton of other issues about the CLI so closing this one

Hey Folks,
if it helps ... Hyper uses npm to update/build plugins. So set the proxy configuration for npm helped me to update plugins ... it took a while to work ... maybe because of build process . (on hyper shell) do ...

npm config set https-proxy http://myproxy:3128
npm config set proxy http://myproxy:3128

to get your proxy (on windows) try
netsh winhttp show proxy

So it won´t work with the install command itself hyper i <plugin>, but if you enter the the name into the plugin-array within hyper-config and save it ... it installed it for me :)

When i tried to install plugins, using : hyper i <plugin>, it showed : 'zsh: hyper is not a command', can someone please help?