Renovate: .npmrc too large for RSA key

Created on 4 Apr 2018 · 9 Comments · Source: renovatebot/renovate

This is a:

  • [x] Bug report (non-security related)
  • [ ] Feature request
  • [ ] I'm not sure which of those it is

I'm using:

  • [x] The Renovate GitHub App
  • [ ] Self-hosted GitHub
  • [ ] Self-hosted GitLab
  • [ ] Self-hosted VSTS

Please describe the issue:

My .npmrc points to a private hosted registry (jfrog.io). When encrypting my .npmrc, the encrypt tool tells me that the resulting string is too large. Is there anything I can slim out, or is there another method I can use for encrypting my .npmrc? I know that I can commit the unencrypted file into my repo, but I don't want to force the configuration on all users if there's another option.

.npmrc

registry = <redacted>
_auth = <redacted>
always-auth = true
email = <redacted>

.npmrc file size (259 chars):

[~] cat .npmrc | wc
       4      12     259

Error:

[~] npx renovate-encrypt < .npmrc
npx: installed 1 in 1.597s
(node:3713) UnhandledPromiseRejectionWarning: Error: error:040A006E:rsa routines:RSA_padding_add_PKCS1_OAEP_mgf1:data too large for key size
    at Object.publicEncrypt (crypto.js:390:12)
    at ReadStream.<anonymous> (/Users/jfairley/.npm/_npx/3713/lib/node_modules/renovate-encrypt/dist/renovate-encrypt.js:22:28)
    at Generator.next (<anonymous>)
    at step (/Users/jfairley/.npm/_npx/3713/lib/node_modules/renovate-encrypt/dist/renovate-encrypt.js:2:191)
    at /Users/jfairley/.npm/_npx/3713/lib/node_modules/renovate-encrypt/dist/renovate-encrypt.js:2:437
    at new Promise (<anonymous>)
    at ReadStream.<anonymous> (/Users/jfairley/.npm/_npx/3713/lib/node_modules/renovate-encrypt/dist/renovate-encrypt.js:2:99)
    at emitNone (events.js:111:20)
    at ReadStream.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1064:12)
(node:3713) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:3713) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
npm priority-4-low bug

All 9 comments

In search of alternatives... if I were to put an unencrypted version of .npmrc into renovate.json, I need help, because I don't know the differences in the file format.

The example in the documentation is:

{
  "npmrc":
    "//some.registry.com/:_authToken=abcdefghi-1234-jklmno-aac6-12345567889"
}

How does my .npmrc -- modeled after the jfrog.io docs -- map to this one-liner approach?

@jfairley if it's not supported already then it seems like we should be able to support multiline .npmrc in config simply with \n to break lines.

@jfairley I'm a little confused by the jfrog example as it seems to leave off the registry itself, e.g. they show:

_auth = YWRtaW46e0RFU2VkZX1uOFRaaXh1Y0t3bHN4c2RCTVIwNjF3PT0=
email = [email protected]
always-auth = true

I think you could skip the always-auth and email fields for Renovate too - we don't use them. Therefore could you try using just the basic one-line approach to see if it works?

//some.registry.com/:_authToken=abcdefghi-1234-jklmno-aac6-12345567889

Feel free to drop into the Renovate gitter channel sometime to see if I'm online if you need help interactively. The Renovate App should run any time you modify the renovate.json, so you shouldn't need to wait long.

Thanks for the feedback @rarkins!

I updated my renovate.json to use \n within the "npmrc" value, and right now I'm waiting for the "pin dependencies" PR to reappear.

I'll report back here when I see it. If this doesn't work, I'll try your second suggestion.

@rarkins, using \n, I was able to get things working. Thank you for the tip.

{
  "npmrc": "registry = https://<url>\n_auth = <auth>\nalways-auth = true\nemail = <user>@<company>.com"
}

I didn't try using the collapsed .npmrc you suggested inside the renovate.json, but I did try it in my local .npmrc file without success. Without having interest in debugging NPM, I'm going to assume it's JFrog that wants the file format to be a certain way.

Since I'm dealing with private repos, I'm not overly worried about further security at this time, so I'm going to move forward with the \n solution in my repos. However, I would love to see updated documentation or an update to renovate-encrypt to support larger .npmrc files. In the meantime, feel free to close or keep open this issue as you see fit.

@jfairley thanks for updating me and I'm glad it worked.

I will leave this issue open as I still think there is a need to one day support larger .npmrc files or some other alternative (e.g. unencrypted .npmrc with an encrypted npmToken that gets inserted). But I'll probably wait to see if anyone else actually has the problem before implementing.

Updating for future reference: we should have a way to encrypt the npm token only and then substitute it into a larger (unencrypted) .npmrc file. It should be possible already when self-hosting using the exposeEnv setting.

:tada: This issue has been resolved in version 13.17.0 :tada:

The release is available on:

Your semantic-release bot :package::rocket:

hey, I'm also getting a console error when trying to encrypt only the JFrog access token.

Is there a solution for encrypting long access tokens?
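
Why the encrypt call in the report fails, and one general way around the size limit, as an added example that is not part of the original thread and not Renovate's code: RSA-OAEP accepts at most k - 2*hLen - 2 bytes (214 for an assumed 2048-bit key with Node's default SHA-1), so a 259-byte file is rejected while a short token fits, and envelope encryption wraps only a 32-byte AES key with RSA. The key pair, `sampleNpmrc` and all function names are constructed for illustration; this is not the format renovate-encrypt uses.

```javascript
// Added example: not Renovate's code. Key size and sample values are assumptions.
const nodeCrypto = require('crypto');

// Constructed throwaway key pair; 2048 bits is an assumed size.
const MODULUS_BITS = 2048;
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
  modulusLength: MODULUS_BITS,
});

// RSA-OAEP can encrypt at most k - 2*hLen - 2 bytes
// (k = modulus bytes, hLen = hash output bytes; SHA-1 = 20 is Node's default).
function oaepMaxBytes(modulusBits, hashBytes = 20) {
  return modulusBits / 8 - 2 * hashBytes - 2;
}

// Direct RSA-OAEP, the call seen in the stack trace (crypto.publicEncrypt).
function tryDirectEncrypt(plaintext) {
  try {
    return { ok: true, data: nodeCrypto.publicEncrypt(publicKey, Buffer.from(plaintext)) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Envelope encryption: AES-256-GCM for the payload, RSA-OAEP only for the 32-byte key.
function envelopeEncrypt(plaintext) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    wrappedKey: nodeCrypto.publicEncrypt(publicKey, key),
    iv, body, tag: cipher.getAuthTag(),
  };
}

function envelopeDecrypt({ wrappedKey, iv, body, tag }) {
  const key = nodeCrypto.privateDecrypt(privateKey, wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag); // decryption throws if the ciphertext was modified
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Constructed 259-byte stand-in for the .npmrc in the report.
const sampleNpmrc = 'registry = https://registry.example.invalid/\n_auth = '.padEnd(259, 'A');
```
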
