Do you want to request a feature or report a bug?
BUG
What is the current behavior?
Yarn does not honor .npmrc
If the current behavior is a bug, please provide the steps to reproduce.
We require authentication for one of our repositories and we used to do this by specifying the authentication in .npmrc. This worked up to 0.28.4 but broke in 1.0.0
What is the expected behavior?
Honoring the authentication settings in .npmrc
Please mention your node.js, yarn and operating system version.
It happens after upgrading yarn to 1.0.0/1.0.1 (have tried both versions). Regardless of OS and nodejs version.
This should be fixed in 1.0.2 which was released yesterday. Can you give it a spin?
@BYK I am experiencing the same issues as above and as mentioned at the end of #4157 . I tried running 1.0.2
and failed with 404
. Running on 0.27.5
works as expected.
Could you paste your npmrc file here so we could try to reproduce (obviously edit out secrets or other private info)
@KidkArolis while trying to get my working dir as clean as possible, it somehow fixed the issue? ๐
Steps I took:
yarn.lock
and any yarn-error.log
filesnode_modules/
brew link yarn
and yarn --version
to ensure I was at 1.0.2
yarn
That seems to have worked. I am going to chalk this up as a user error on mine and my team's end.
@beardedtim What about if you now blow away node_modules
but keep yarn.lock
and then run yarn install
? Does it all work then? This is in part what #4157 tracks but may be related to the larger issue at hand?
I am experiencing this issue (404 on private scoped repo, whichever registry I use) for yarn versions 1.0.1, and 1.0.2. Version 0.27.5 worked after clearing some artifacts.
I have tried all the workarounds discussed in https://github.com/yarnpkg/yarn/issues/4157. Happy to post logs if it will help.
@stieg I will try that later today when I get a free moment around lunch and post results. I believe I still got the 404 error but I've tried so many things at this point, who knows!
Has anyone found a solution to this?
FWIW: I tried with:
node_modules
~/.yarn
curl -o- -L https://yarnpkg.com/install.sh | bash
to reinstall yarn 1.0.2yarn install
- _no errors_, it installed everything flawlessly.My ~/.yarnrc
:
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1
registry "https://registry.npmjs.org"
email [email protected]
lastUpdateCheck 1505977814820
username some-user
````
And my `~/.npmrc`:
//registry.npmjs.org/:_authToken=a-valid-uuid
The `yarn.lock` references look like this in my particular case:
resolved "https://registry.npmjs.org/@acme/some-module/-/some-module-0.1.1.tgz#valid-git-sha"
```
Interesting. After putting the registry in my .yarnrc
file, I was able to install my packages. However, I removed it to check if that was the culprit, and it still was successful (I deleted my cache so Yarn had to download it, and it managed to do so correctly).
I tried on a fresh install (Debian this time, the other was macOS) and having these settings in ~/.npmrc
and ~/.yarnrc
worked equally well there. (Note: I did not try npm login
or yarn login
.)
Closing as people reporting this was resolved. Reopen with concrete reproduction steps if it is not resolved for you @carlosduclos please.
@BYK I had the same problem.
I used the clean install of the latest yarn version.
And it starts working after I added registry "https://registry.npmjs.org"
to ~/.yarnrc
.
I think it's a bug and it should be solved automatically, not manually, as we did.
@BYK It may help to note that everyone who has "reported as resolved" has used the workaround of forcing yarn to use the https://registry.npmjs.org registry.
I think there is still a problem retrieving private packages from the https://registry.yarnpkg.com registry, however, and this is the default registry used by yarn (is it still just a reverse proxy? perhaps it's not honouring auth headers?).
.npmrc
and .yarnrc
files so yarn is using the default config.npm login
or yarn login
to populate the auth token.0.27.5
, try to install this package.Package installs successfully.
โค @up โ REPO git:(master) โ
yarn add @SCOPE/PACKAGE
yarn add v1.1.0
info No lockfile found.
[1/5] Validating package.json...
[2/5] Resolving packages...
error An unexpected error occurred: "https://registry.npmjs.org/@SCOPE%2fPACKAGE: Not found".
info If you think this is a bug, please open a bug report with the information provided in "/home/katy/dev/REPO/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.
If project maintainers find @kmoe's instructions to be reproducible, this ticket should be reopened (at least for the sake of existing subscribers).
I agree with @kmoe, the underlying issue is not fixed even in recent versions of yarn. Please reopen the issue. Yes, we have a workaround, but workaround != solution in this case.
FWIW, this is still a problem in 1.1.0. I just verified it (came back here for the workaround, namely registry "https://registry.npmjs.org"
being added to ~/.yarnrc
)
I am having this problem in yarn 1.3.2 and it is breaking our builds right now. It worked fine on yarn 0.27.5.
We require an auth token from the .npmrc
file to install packages from our Artifactory private registry.
Reproduction steps:
.npmrc
file with authentication info in it like:registry=https://artifactory.mycompany.com/artifactory/api/npm/npm-virtual
_auth = myAuthTokenHere
always-auth = true
email = [email protected]
yarn install
error An unexpected error occurred: "https://artifactory.mycompany.com/api/npm/npm-virtual/@angular/compiler/-/compiler-4.3.1.tgz: Request failed \"401 Unauthorized\"".
Related: #4672
@stewx I'm also having the same problem on 1.3.2. Did you find a fix or a way around it?
@jamesone Nope, I downgraded to something like 0.27. It's a deal-breaker for our project.
@stewx @jamesone
Add registry "https://registry.npmjs.org"
in your .yarnrc and reinstall the private packages
It will tell yarn to work directly with npmjs registry and it will solve the issue
It feels so wrong to version lock at 0.27.5 just to circumvent this one issue, but it seems like many are doing just that _or_ redirecting registry
config (although @stewx is reporting that does not solve for self-hosted private registries).
If frequent project contributors don't have time to fix this in the short term, would somebody be willing to suggest codebase location(s) where a fix is most likely to succeed, in the hopes that a community PR will be opened? ๐ค
/cc @kittens @bestander @BYK @arcanis @rally25rs @kaylieEB
@Bnaya When you say reinstall, do you mean remove node_modules
in your project or clear yarn cache?
yarn remove yourprivatepackage; yarn add yourprivatepackage
And in the lock file you will see https://registry.npmjs.org/***
url and not https://registry.yarnpkg ***
I would suggest adding the .yarnrc next to your package.json
I actually made it work by putting registry "https://registry.npmjs.org"
in ~/.yarnrc
, i.e. no need for a package local .yarnrc
.
Steps to reproduce error for me:
~/.yarnrc
If I modify ~/.yarnrc
as mentioned above the steps do not create an error.
If I look at some of my project where there are failures I see that yarn.lock
contains https://registry.yarnpkg.com/@myscope/mypackage/
. In order to make these projects work I need to remove yarn.lock
and regenerate it, after having made the update to ./.yarnrc
.
This seems to explain why some people still have errors even when they try something that works for others.
registry "https://registry.npmjs.org"
to ~/.yarnrcyarn.lock
for failing projects@TheLudd Regenerating yarn.lock from scratch defeats its purpose.
Instead, project maintainers may want to consider search/replace from yarnpkg.com
to npmjs.org
, preserving their current lock file state.
@awkaiser Well, as long as your tests pass you can commit it and all other collaborators will have the same environment as you. So not really defeating its purpose IMO.
But yes you can also search replace.
But the rule is also that you should not modify yarn.lock manually ;)
If it was always safe to pull the absolute latest packages that satisfy our package.json requirements, we wouldn't have a need for lockfiles at all. ๐
Normally, yes, we shouldn't modify yarn.lock by hand but this, being a bug, supports an exception to that rule. Updating the registry location reference with a search and replace should be straightforward and safe. ๐ป
I didn't need to regenerate my whole lock file.
Just to remove and install the private packages
@awkaiser or anyone else on the thread - one way you can help is by creating a reproducable example. E.g. base it off this repo https://github.com/KidkArolis/yarn-scopes-issue. If you can produce a repo where running yarn
fails (specific registry response, specific yarn config, specific package.json etc.) - I could then definitely have a look at fixing the issue.
Generally:
.yarnrc
file.yarnrc
to contain registry "https://registry.npmjs.org"
registry.npmjs.org
should workcustom.registry.org
should work@KidkArolis the failures are random. but they are there.
As i wrote on a another related issue: its or an issue with the yarn registry(maybe caching failures, bad Vary header on the proxy, what ever, ), or complex edge case inside yarn that happens only with yarn registry.
Is what @kmoe wrote on Sep 25, 2017 insufficient? ๐ค
It prompted reopening of this issue, implying reproduction by contributor(s).
@KidkArolis I am not sure how I can create a reproducible example in a repository since this regards private modules and is thus dependent on who runs yarn, right? But my steps to reproduce the error is here https://github.com/yarnpkg/yarn/issues/4451#issuecomment-355248563 and what @kmoe wrote is also sufficient.
When I try to install a private package without modifying .yarnrc
the error I get starts with
An unexpected error occurred: "https://registry.yarnpkg.com
This implies that it looks in the yarn registry and not npm. Is that not the error causing this bug?
Ok, thanks for resurfacing those reproduction steps. Iโll try and have a look.
For whatever reason, adding this explicit location to .npmrc for where to find my private packages made the 404 error stop happening on all repos in which this was causing a problem.
@npm-username:registry=https://registry.yarnpkg.com/
Does anyone have a private npm package they could add me to? Username: kidkarolis
.
I'm struggling to get a paid account, their Billing/Account system doesn't seem to be working for me atm (I get 402 Payment Required
even though they charged me :-"). So while I wait for npm's support, if someone adds me to a private package (if that's even possible), that would speed things up.
Ok, I think it was just .. eventual consistency, my private npm account works now.
However, I can't reproduce the issue yet :(
I followed the steps provided by @kmoe:
rm ~/.yarnrc && rm ~/.npmrc
yarn cache clean && npm cache clean --force
npm login
yarn add @scope/pkg
It installs fine (and doesn't if I don't npm login
). In other words - works as expected for me.
And judging by the yarn.lock, my install goes through https://registry.yarnpkg.com
and seems to uses auth as expected. Could it be that there was an issue on the server in the past, but is now resolved?
Ok, I think reproduced something.
If I add @qubit:registry=https://registry.npmjs.org/
to .npmrc
- the install no longer works.
I think that line is added if you login with npm login --scope=@qubit
and it isn't added if you login with just npm login
. Will see how to fix this next.
@KidkArolis other common way of setting that config would be:
Opened a PR - #5162 feedback (or even QA) welcome.
@KidkArolis Thanks for the PR. But I think the problem lies not only in the "--scope" case, but in a more general case where a private repo also mirrors public packages with auth.
By the way, @bytheway875, your trick of using https://registry.yarnpkg.com/
as the registry worked for me.
My situation:
yarn
from an org (@org-name) on npmjs.com using an authToken
in local .npmrc
file during a CI build (GitLab), so not logged into npm
.npm
npm login
and yarn
just works OR I can be logged out of npm but manually create a local / HOME dir .npmrc
file with a single line: //registry.npmjs.org/:_authToken=token
and yarn
just works (that second method _might_ be working cause of local cache, didn't try wiping that).yarnrc
trick from above didn't work_The only way I can get this to work is by creating the below local .npmrc
file before running yarn install
in CI:_
@org-name:registry=https://registry.yarnpkg.com/
always-auth=true
_authToken=token
I had similar issue with .npmrc
file. All I had to do is set encoding of .npmrc
file to ANSI (in Windows you can use notepad.exe>Save As...).
You can test how yarn sees your .npmrc
file content by using yarn config list
I can't get this to work with v1.4.1
. I have a private Nexus repo and I use it as cache / proxy (like this). I can't seem to find definitive instructions, so it's possible I'm doing something wrong. I grabbed the yarn config
syntax here and the yarn login
syntax here.
Edit: I should have mentioned I've tried logging in via NPM first to get the needed .npmrc
before trying with yarn
.
Below is exactly what I'm doing to test.
git tag --contains dc705768
v1.4.0
v1.4.1
Create a Dockerfile to give a consistent, baseline environment for testing.
# Build
# docker build -t yarn-private-registry-test .
# Run
# docker run -it --rm yarn-private-registry-test
FROM debian:9.3-slim
WORKDIR /projects
RUN apt-get update \
&& apt-get --yes install curl gnupg \
&& curl -sL https://deb.nodesource.com/setup_8.x | bash - \
&& apt-get install --yes nodejs \
&& curl -OL https://github.com/yarnpkg/yarn/releases/download/v1.4.1/yarn_1.4.1_all.deb \
&& find . -name yarn*.deb -exec dpkg --install {} \; \
&& find . -name yarn*.deb -exec rm {} \;
docker build -t yarn-private-registry-test .
Hint: Keep exiting and restarting the Docker container to get a clean environment.
Make sure the environment works by initialize a project and adding a dependency without making any config changes.
docker run -it --rm yarn-private-registry-test
Add left-pad
dependency.
mkdir yarn \
&& cd yarn \
&& yarn init --yes \
&& yarn add left-pad
yarn init v1.4.1
warning The yes flag has been set [...snip...]
success Saved package.json
Done in 0.03s.
yarn add v1.4.1
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
success Saved 1 new dependency.
โโ [email protected]
Done in 0.52s.
docker run -it --rm yarn-private-registry-test
mkdir yarn \
&& cd yarn \
&& yarn init --yes \
&& yarn config set registry https://example.com/repository/npm-group/ \
&& yarn login
yarn init v1.4.1
warning The yes flag has been set [...snip...]
success Saved package.json
Done in 0.03s.
yarn config v1.4.1
success Set "registry" to "https://example.com/repository/npm-group/".
Done in 0.04s.
yarn login v1.4.1
question npm username: myusername
question npm email: [email protected]
Done in 6.25s.
Add left-pad
dependency.
yarn --verbose add left-pad
yarn add v1.4.1
verbose 0.349 Checking for configuration file "/projects/yarn/.npmrc".
verbose 0.35 Checking for configuration file "/usr/local/share/.npmrc".
verbose 0.35 Checking for configuration file "/usr/etc/npmrc".
verbose 0.352 Checking for configuration file "/root/.npmrc".
verbose 0.353 Checking for configuration file "/projects/yarn/.npmrc".
verbose 0.353 Checking for configuration file "/projects/.npmrc".
verbose 0.355 Checking for configuration file "/projects/yarn/.yarnrc".
verbose 0.355 Checking for configuration file "/usr/local/share/.yarnrc".
verbose 0.357 Found configuration file "/usr/local/share/.yarnrc".
verbose 0.358 Checking for configuration file "/usr/etc/yarnrc".
verbose 0.358 Checking for configuration file "/root/.yarnrc".
verbose 0.359 Checking for configuration file "/projects/yarn/.yarnrc".
verbose 0.359 Checking for configuration file "/projects/.yarnrc".
verbose 0.365 current time: 2018-01-25T21:55:48.886Z
info No lockfile found.
verbose 0.405 Performing "GET" request to "https://yarnpkg.com/latest-version".
[1/4] Resolving packages...
verbose 0.48 Performing "GET" request to "https://example.com/repository/npm-group/left-pad".
verbose 0.52 Request "https://example.com/repository/npm-group/left-pad" finished with status code 401.
verbose 0.522 Error: Couldn't find package "left-pad" on the "npm" registry.
at new MessageError (/usr/share/yarn/lib/cli.js:186:110)
at NpmResolver.<anonymous> (/usr/share/yarn/lib/cli.js:50354:15)
at Generator.next (<anonymous>)
at step (/usr/share/yarn/lib/cli.js:98:30)
at /usr/share/yarn/lib/cli.js:109:13
at <anonymous>
at process._tickCallback (internal/process/next_tick.js:188:7)
error An unexpected error occurred: "Couldn't find package \"left-pad\" on the \"npm\" registry.".
info If you think this is a bug, please open a bug report with the information provided in "/projects/yarn/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.
verbose 0.809 Request "https://yarnpkg.com/latest-version" finished with status code 200.
.yarnrc
cat /usr/local/share/.yarnrc
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1
registry "https://example.com/repository/npm-group/"
email [email protected]
lastUpdateCheck 1516917349331
username myusername
Skip straight to the desired config because it works.
docker run -it --rm yarn-private-registry-test
mkdir npm \
&& cd npm \
&& npm init --yes \
&& npm config set registry https://example.com/repository/npm-group/ \
&& npm login
Wrote to /projects/npm/package.json:
{
"name": "npm",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC"
}
Username: myusername
Password:
Email: (this IS public) [email protected]
Logged in as myusername on https://example.com/repository/npm-group/.
Add left-pad
dependency.
npm --verbose install left-pad
npm info it worked if it ends with ok
npm verb cli [ '/usr/bin/node',
npm verb cli '/usr/bin/npm',
npm verb cli '--verbose',
npm verb cli 'install',
npm verb cli 'left-pad' ]
npm info using [email protected]
npm info using [email protected]
npm verb npm-session 0ed36c84804378c8
npm http fetch GET 200 https://example.com/repository/npm-group/left-pad 78ms
npm http fetch GET 200 https://example.com/repository/npm-group/left-pad/-/left-pad-1.2.0.tgz 28ms
npm verb correctMkdir /root/.npm/_locks correctMkdir not in flight; initializing
npm verb makeDirectory /root/.npm/_locks creation not in flight; initializing
npm verb lock using /root/.npm/_locks/staging-2f9f45630e5bbb1a.lock for /projects/npm/node_modules/.staging
npm info lifecycle [email protected]~preinstall: [email protected]
npm info linkStuff [email protected]
npm verb linkBins [email protected]
npm verb linkMans [email protected]
npm info lifecycle [email protected]~install: [email protected]
npm info lifecycle [email protected]~postinstall: [email protected]
npm verb unlock done using /root/.npm/_locks/staging-2f9f45630e5bbb1a.lock for /projects/npm/node_modules/.staging
npm verb saving [ { name: 'left-pad', spec: '^1.2.0', save: 'dependencies' } ]
npm info lifecycle undefined~preshrinkwrap: undefined
npm info lifecycle undefined~shrinkwrap: undefined
npm notice created a lockfile as package-lock.json. You should commit this file.
npm info lifecycle undefined~postshrinkwrap: undefined
npm WARN [email protected] No description
npm WARN [email protected] No repository field.
+ [email protected]
added 1 package in 0.398s
npm verb exit [ 0, true ]
npm info
@ryanjaeb Thanks for the detailed report. The one thing I'm missing in order to tell you what might be going wrong here is the contents of ~/.npmrc
and ~/.yarnrc
files. You did paste your .yarnrc
, but it doesn't contain password. Also without .npmrc
file for comparison, it's hard to pin point the issue.
Your use case should work fine in ^1.4.0, but it's all about how the config file looks.
Tbh with you, I never use yarn login
, I first npm login
and then use yarn
. In your above example, if you first do npm set config registry ... && npm login
and then run add left-pad
- does it work? If npm works, so should yarn. So I'm wondering if the yarn login
command is what's broken.
@KidkArolis By ignoring yarn login
and expecting to be able to get it working with only npm login
, I was able to make some progress. I'm seeing two things.
.npmrc
The docs for npm-login don't seem to match what I'm actually seeing in .npmrc
. Specifically, the --always-auth arg for the npm login
command has no impact on the config, even though the docs say:
Can be used with --registry and / or --scope, e.g.
...
Registry-specific configuration of always-auth takes precedence over any global configuration.
However, regardless of whether or not I use that argument, I always end up with the same .npmrc
. Both:
npm config set registry https://example.com/repository/npm-group/ \
&& npm login --registry=https://example.com/repository/npm-group/
and
npm config set registry https://example.com/repository/npm-group/ \
&& npm login --registry=https://example.com/repository/npm-group/ --always-auth
produce this .npmrc
:
registry=https://example.com/repository/npm-group/
//example.com/repository/npm-group/:_authToken=NpmToken.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Sniffing the traffic going to my registry shows that NPM sends the auth token regardless:
GET /repository/npm-group/left-pad HTTP/1.1
Host: example.com
user-agent: npm/5.6.0 node/v8.9.4 linux x64
npm-in-ci: false
npm-scope:
npm-session: c4c14c0b37be7bd5
referer: install left-pad
pacote-req-type: packument
pacote-pkg-id: registry:manifest
accept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*
authorization: Bearer NpmToken.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
accept-encoding: gzip,deflate
X-Forwarded-Proto: https
X-Forwarded-For: 10.10.10.1
X-Forwarded-Host: example.com
X-Forwarded-Server: example.com
Connection: Keep-Alive
Yarn does not send the token unless always-auth
is set. Explicitly setting the always-auth
flag in .npmrc
gets everything working as expected.
npm config set always-auth true \
&& cat ~/.npmrc
registry=https://example.com/repository/npm-group/
//example.com/repository/npm-group/:_authToken=NpmToken.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
always-auth=true
Beyond knowing the behavior between NPM and Yarn differs, I'm not familiar enough with either to know which behavior is correct.
yarn login
I think you might be right about yarn login
not working, but I haven't tested it extensively. Ignoring .npmrc
and using only yarn
, I try to mimic the NPM config.
yarn config set registry https://example.com/repository/npm-group/ \
&& yarn config set always-auth true \
&& yarn login
.yarnrc
:
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1
registry "https://example.com/repository/npm-group/"
always-auth true
email [email protected]
lastUpdateCheck 1517883362958
username myusername
No matter what I do, I'm never prompted to enter my password.
@KidkArolis For me npm works without explicit always-auth=true
in .npmrc and yarn (1.3.2 or 1.4.0) doesn't. In my case I'm trying to point all requests to the virtual registry in artifactory. With always-auth=true
and authToken
in .npmrc โย it works in 1.3.2
, so not clear what was exactly fixed in 1.4.0
.
This still seems to be an issue, specifically hooking up to our Nexus repo.
I've tried several approaches:
~/.yarnrc
completely and relying only on what is in ~/.npmrc
.~/.yarnrc
.It seems that yarn is not using the hashed _auth
value (e.g. _auth=xyz
) from ~/.npmrc
NPM
npm --version
5.6.0
Yarn
yarn --version
1.5.1
Running on OS X 10.13.2.
My ~/.npmrc
looks like this (some setting _values_ omitted for obvious reasons):
registry=http://nexus-repo:8081/content/repositories/npm-all
init.author.name=Juan Smith
[email protected]
init.author.url=http://nexus-repo:8081/content/repositories/npm/
[email protected]
_auth=BASE64-HASH-USERNAME-PASSWORD
always-auth=true
My ~/.yarnrc
looks like this (again obvious values omitted):
registry "http://nexus-repo:8081/content/repositories/npm-all//"
email [email protected]
lastUpdateCheck 1521495247797
username jsmith
Not really sure where to go from here. It's not entirely clear what is going on, other than all yarn builds fail in the following fashion:
error An unexpected error occurred: "http://nexus-repo:8081/content/groups/npm-all/lru-cache/-/lru-cache-4.1.2.tgz: Request failed \"401 Unauthorized\"".
FWIW, IANADOE (I Am Not A Dev Ops Engineer) and am just trying to utilize a package that leans on yarn for electron builds. This could just be me not knowing how to set the base64
username|password hash for yarn. I have not been able to find docs explaining that.
@ezweave Sonatype has really good documentation. That link also has instructions for testing to make sure you're doing the base64 encoding correctly. Personally I find it easiest to enable the npm Bearer Token Realm in Nexus and to use npm login
on my workstation. Ex:
npm config set registry http://nexus-repo:8081/content/repositories/npm-all
npm login --registry=http://nexus-repo:8081/content/repositories/npm-all --always-auth
npm config set always-auth true
Make sure it works with NPM before trying Yarn. I don't know if it matters, but you have two trailing slashes (//
) on the .yarnrc
registry.
@ryanjaeb so, our devops team has Nexus locked down to _only_ support the LDAP Realm. This might be the core of the problem, but there are many tools that rely on yarn
that I cannot use because this seems to be unsupported. I've tried appending the _auth
as a param in the appropriate syntax, et cetera. Nothing seems to work. (FWIW: the multiple slashes was a supposed fix for a related issue, I've done it with and without with no success.)
Can confirm that Yarn auth is broken with Nexus. yarn login
doesn't prompt for a password but says it logged in successfully (it didn't -- no changes to rc file),
Publish does prompt for the password and does publish but it never reads from the __auth token wherever it is set to you have to login every time. And you also can't use yarn in a CI scenario.
yarn does not work within CI. Will this ever work?
This issue should have been fixed by https://github.com/yarnpkg/yarn/pull/5216. That PR had a description containing this:
Fixes #4157, #4451, #4672, #4119.
and that caused GitHub to only close #4157 automatically when that PR was merged. The other issues should've probably been closed as well.
@valscion this might help further with these issues - https://github.com/yarnpkg/yarn/pull/5322, but it slipped through the cracks..
Adding another datapoint - yarn 1.8.x+ fails on my build agent (VSTS). Reverting ONLY yarn
to 1.7.x resolves the issue. It's looking at the correct registry, but not using the tokens that are injected into the .npmrc
by the build agent. I do realize there are a lot of variables here, but figured it might be useful.
Running 1.9.x locally, where tokens are saved in my user .npmrc
, works fine.
1.9.x Version
2018-08-03T21:17:04.9324575Z [command]C:\Windows\system32\cmd.exe /D /S /C "C:\Builds\_tool\yarn\1.9.4\x64\yarn-v1.9.4\bin\yarn.cmd build"
2018-08-03T21:17:05.4481355Z yarn run v1.9.4
2018-08-03T21:17:05.5418442Z $ lerna clean && lerna bootstrap
2018-08-03T21:17:08.3387809Z lerna info version 2.11.0
2018-08-03T21:17:08.3387809Z lerna info versioning independent
2018-08-03T21:17:08.3856545Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.3856545Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.3856545Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.3856545Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4012821Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4012821Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4169058Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4325326Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4325326Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.7606628Z lerna success clean finished
2018-08-03T21:17:09.5145894Z lerna info version 2.11.0
2018-08-03T21:17:09.5145894Z lerna info versioning independent
2018-08-03T21:17:09.5419287Z lerna info Bootstrapping 9 packages
2018-08-03T21:17:09.5419287Z lerna info lifecycle preinstall
2018-08-03T21:17:09.5576221Z lerna info Installing external dependencies
2018-08-03T21:17:12.8857424Z lerna ERR! execute callback with error
2018-08-03T21:17:12.8857424Z lerna ERR! Error: Command failed: yarn install --mutex network:42424 --non-interactive
2018-08-03T21:17:12.8857424Z lerna ERR! warning package.json: No license field
2018-08-03T21:17:12.8857424Z lerna ERR! warning Waiting for the other yarn instance to finish (4048)
2018-08-03T21:17:12.8857424Z lerna ERR! warning Waiting for the other yarn instance to finish (6896)
2018-08-03T21:17:12.8857424Z lerna ERR! warning No license field
2018-08-03T21:17:12.8857424Z lerna ERR! error An unexpected error occurred: "<INTERNAL_REGISTRY>/lodash.foreach/-/lodash.foreach-2.3.0.tgz: Request failed \"401 Unauthorized\"".
2018-08-03T21:17:12.8857424Z lerna ERR! [1/4] Resolving packages...
2018-08-03T21:17:12.8857424Z lerna ERR! [2/4] Fetching packages...
2018-08-03T21:17:12.8857424Z lerna ERR! info If you think this is a bug, please open a bug report with the information provided in "C:\\Builds\\6\\s\\packages\\<REMOVED>\\yarn-error.log".
2018-08-03T21:17:12.8857424Z lerna ERR! info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
2018-08-03T21:17:12.8857424Z lerna ERR!
2018-08-03T21:17:12.8857424Z lerna ERR! at Promise.all.then.arr (C:\Builds\6\s\node_modules\lerna\node_modules\execa\index.js:236:11)
2018-08-03T21:17:12.8857424Z lerna ERR! at <anonymous>
2018-08-03T21:17:12.9482437Z lerna WARN complete Waiting for 1 child process to exit. CTRL-C to exit immediately.
2018-08-03T21:17:13.0732458Z { Error: Command failed: yarn install --mutex network:42424 --non-interactive
2018-08-03T21:17:13.0732458Z warning package.json: No license field
2018-08-03T21:17:13.0732458Z warning Waiting for the other yarn instance to finish (4048)
2018-08-03T21:17:13.0732458Z warning Waiting for the other yarn instance to finish (6896)
2018-08-03T21:17:13.0732458Z warning No license field
2018-08-03T21:17:13.0732458Z error An unexpected error occurred: "<INTERNAL_REGISTRY>/lodash.foreach/-/lodash.foreach-2.3.0.tgz: Request failed \"401 Unauthorized\"".
2018-08-03T21:17:13.0732458Z [1/4] Resolving packages...
2018-08-03T21:17:13.0732458Z [2/4] Fetching packages...
2018-08-03T21:17:13.0732458Z info If you think this is a bug, please open a bug report with the information provided in "C:\\Builds\\6\\s\\packages\\<REMOVED>\\yarn-error.log".
2018-08-03T21:17:13.0732458Z info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
2018-08-03T21:17:13.0732458Z
2018-08-03T21:17:13.0732458Z at Promise.all.then.arr (C:\Builds\6\s\node_modules\lerna\node_modules\execa\index.js:236:11)
2018-08-03T21:17:13.0732458Z at <anonymous>
2018-08-03T21:17:13.0732458Z at process._tickCallback (internal/process/next_tick.js:188:7)
2018-08-03T21:17:13.0732458Z code: 1,
2018-08-03T21:17:13.0732458Z killed: false,
2018-08-03T21:17:13.0732458Z stdout: '[1/4] Resolving packages...\n[2/4] Fetching packages...\ninfo If you think this is a bug, please open a bug report with the information provided in "C:\\\\Builds\\\\6\\\\s\\\\packages\\\\<REMOVED>\\\\yarn-error.log".\ninfo Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.\n',
2018-08-03T21:17:13.0732458Z stderr: 'warning package.json: No license field\nwarning Waiting for the other yarn instance to finish (4048)\nwarning Waiting for the other yarn instance to finish (6896)\nwarning No license field\nerror An unexpected error occurred: "<INTERNAL_REGISTRY>/lodash.foreach/-/lodash.foreach-2.3.0.tgz: Request failed \\"401 Unauthorized\\"".\n',
2018-08-03T21:17:13.0732458Z failed: true,
2018-08-03T21:17:13.0732458Z signal: null,
2018-08-03T21:17:13.0732458Z cmd: 'yarn install --mutex network:42424 --non-interactive',
2018-08-03T21:17:13.0732458Z timedOut: false,
2018-08-03T21:17:13.0732458Z exitCode: 1 }
2018-08-03T21:17:13.0888721Z error Command failed with exit code 1.
2018-08-03T21:17:13.0888721Z info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
1.7.X Version
2018-08-03T21:33:16.4477199Z [command]C:\Windows\system32\cmd.exe /D /S /C "C:\Builds\_tool\yarn\1.7.0\x64\yarn-v1.7.0\bin\yarn.cmd build"
2018-08-03T21:33:16.9633413Z yarn run v1.7.0
2018-08-03T21:33:17.0727225Z $ lerna clean && lerna bootstrap
2018-08-03T21:33:19.2509802Z lerna info version 2.11.0
2018-08-03T21:33:19.2509802Z lerna info versioning independent
2018-08-03T21:33:19.2666043Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.2666043Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.2666043Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.2666043Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.2978554Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.5478528Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.5478528Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.5478528Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.6728520Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.8759839Z lerna success clean finished
2018-08-03T21:33:20.5947225Z lerna info version 2.11.0
2018-08-03T21:33:20.5947225Z lerna info versioning independent
2018-08-03T21:33:20.6103497Z lerna info Bootstrapping 9 packages
2018-08-03T21:33:20.6103497Z lerna info lifecycle preinstall
2018-08-03T21:33:20.6415982Z lerna info Installing external dependencies
2018-08-03T21:33:23.1103303Z lerna info Symlinking packages and binaries
2018-08-03T21:33:23.1415791Z lerna info lifecycle postinstall
2018-08-03T21:33:23.1415791Z lerna info lifecycle prepublish
2018-08-03T21:33:23.1415791Z lerna info lifecycle prepare
2018-08-03T21:33:23.1415791Z lerna success Bootstrapped 9 packages
2018-08-03T21:33:23.1572133Z $ ts-node ./build/index.ts
2018-08-03T21:33:58.5218101Z Done in 41.54s.
Hey folks, I have a request for the people following this issue and using a private registry.
We're considering dropping the registry hostname from the lockfile. This would make it easier to switch from a private registry to another, but the downside is that all the registries need to use similar URLs (since the hostname wouldn't be part of the URL, we would just merge it at runtime with the active configuration).
Could you please help us to confirm in #5892 that this workflow would work for your private registry provider (or tell us if it wouldn't)? That would help us get the level of confidence needed to make this change. Thanks!
I'm experiencing issues with yarn publish
not reading the auth token from my .npmrc
as well. I'm running this on Ubuntu.
yarn - 1.9.4
npm - 5.5.1
Here's what my ~/.npmrc
looks like (with token and registry obfuscated):
registry=http://myprivateregistry.net/
//myprivateregistry.net/:_authToken="myAuthToken"
When I run yarn publish --noninteractive
, I receive the following error:
yarn publish v1.9.4
[1/4] Bumping version...
info Current version: 2.1.3
[2/4] Logging in...
error No token found and can't prompt for login when running with --non-interactive.
info Visit https://yarnpkg.com/en/docs/cli/publish for documentation about this command.
I've tried the following to no avail:
~/.npmrc
to a local .npmrc
in my project directoryyarn login
with my credentials before running yarn publish
I've also verified that running npm publish
makes it past the authentication step (it fails on the versioning step because it won't let me override the same version number. This is why I want to use yarn publish --non-interactive
, because it allows for uploading, say, README changes with the same version number)
Is there something else I'm missing? Thanks!
@liuhelen10 Do yo have .yarnrc
file inside your project? This worked for me with token stored inside ~/.npmrc
Example
$ cat .yarnrc
registry "https://registry.npmjs.org/"
always-auth = true
in .npmrc did the trick, not receiving 401 anymore while using Yarn.
Which makes not sense but whatever :)
this has been reported in 2017, it's 2019 now and this issue still exists.
Agreed, this still doesn't work.
.npmrc
always-auth=true
@somename:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=[token]
.yarnc
"@somename:registry" "https://npm.pkg.github.com/"
I am also getting an error with npm.pkg.github.com:
Integrity checked failed (none of the specified algorithms are supported
I am also getting an error with npm.pkg.github.com:
Integrity checked failed (none of the specified algorithms are supported
Getting this as well
I had the same problem using Nexus version 3, but solved using the approach mentioned by @plitex in this issue https://github.com/yarnpkg/yarn/issues/3093#issuecomment-317671597.
Put this content in the .npmrc
file. You do not need to have any settings in the .yarnrc
file.
always-auth=true
registry=https://nexus.server.com/repository/npm-group/
//nexus.server.com/repository/npm-group/:_authToken={AUTH_TOKEN}
yarn --version
1.17.3
npm --version
6.10.2
@nbransby, @revmischa: Also check out issue #7552, it might be that the error message is correct in this instance.
Two things that helped me:
I started getting this error on yarn 1.19.1. Before that yarn seemed to correctly pick up the registry and token information from .npmrc
, but with 1.19.1, I had to add registry
configuration in .yarnrc
as well, otherwise I just got 401 errors.
Once that was done, it worked, and continued to pick up the token from .npmrc
. Seems like a regression to me -- there doesn't appear to be any good reason to replicate the registry config from .npmrc
to .yarnrc
.
Like @rocketraman, soon as I've installed yarn 1.19.1, I've started experiencing 401s on when trying to install scoped packages from a private registry (nexus). npm install
works fine.
Downgraded yarn and all working again:
curl -o- -L https://yarnpkg.com/install.sh | bash -s -- --version 1.17.3
can confirm this is STILL an issue
Getting 401 errors when running yarn install
Request "https://npm.pkg.github.com/user/@scope/package" finished with status code 401.
where as npn install
runs with zero issue
I've spent the last 2 hours debugging this issue and thanks to my friend @AndreiCalazans, I have a workaround.
Sharing here for anyone who might be struggling with similar.
I'm deploying a project that uses yarn
workspaces to Heroku. Even if I drop the yarn.lock
and use npm install
, the project is built with workspaces and _will not work at all_ without yarn
.
The project relies on packages hosted on GitHub Packages and needs to authenticate against GitHub via a token.
Heroku would see a yarn.lock
and install dependencies with yarn
, which would ignore a ~/.npmrc
file that I create pre build.
Pre-build, I would run
echo "always-auth=true\n//npm.pkg.github.com/:_authToken=${GITHUB_NPM_TOKEN}\" >> ~/.npmrc",
This creates a file, ~/.npmrc
, with this content:
always-auth=true
//npm.pkg.github.com/:_authToken=whatevermytokenis
yarn
would flat out ignore this and fail when attempting to pull a dependency from GitHub package registry with 401 Unauthorized
.
Andrei mentioned aliasing _just the org_ to use the GitHub registry, and _then_ adding the GitHub registry token under.
Essentially, changing the ~/.npmrc
file slightly to add the following:
always-auth=true
+@MY_ORG:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=whatevermytokenis
That solved everything and suddenly, yarn
used the provided auth token for npm.pkg.github.com
for any packages under @MY_ORG
which was the GitHub org.
Whew! I hope this helps someone! ๐
This is still an issue!! NPM install runs without problems, yarn add
error Couldn't find package "@diligentcorp/atlas-react" on the "npm" registry.
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.
On my windows machine, the problem was that the user folder with my user level .npmrc file was on a network drive. The local user folder on the machine did not have an .npmrc file, but yarn seems to look in this folder. Copying the .npmrc from the network drive to the local user folder fixed the problem (an authentication token was stored in the user level .npmrc).
I discovered that by accident after typing "cd ~" into my git bash and it switched to the remote home folder (which I never use).
@TejasQ Workaround did not work for me.
I'm also using GitHub Packages.
Still getting 401 unauthorized
even though it works perfectly well with npm
I managed to make it work with yarn v1.22.0
.npmrc
always-auth=true
@fortawesome:registry=https://npm.fontawesome.com
//npm.fontawesome.com/:_authToken=xyz-xyz-xyz-xyz
.yarnrc
"@fortawesome:registry" "https://npm.fontawesome.com"
registry "https://some-regular-registry.org"
and then execute: yarn add @fortawesome/fontawesome-pro
Happening to me too, I was hoping I could get it to work with only .npmrc
, but it only works when adding .yarnrc
, so we have to duplicate the config just for yarn.
I think this is what I'm running into. It works when .npmrc
is in the home directory, but not in the project directory (needed for jenkins/travis).
https://github.com/yarnpkg/yarn/issues/8034
This solved it for me: https://github.com/yarnpkg/yarn/issues/4451#issuecomment-570691809
Make sure you don't have /name
after the registry when setting the scoped one:
- @4r7d3c0:registry=https://npm.pkg.github.com/4r7d3c0
+ @4r7d3c0:registry=https://npm.pkg.github.com
As per doc, registry=https://npm.pkg.github.com/OWNER
, I overlooked that the owner doesn't need to be there when setting the scope. NPM could handle it, but yarn couldn't.
For those who use aliases check this workaround: https://github.com/yarnpkg/yarn/issues/8130#issuecomment-636281053
Had to split user-level .npmrc
and project-level .npmrc
to make yarn respect GitHub package tokens. Moving named registry declarations from user-level to project-level was the key
Contents of ~/.npmrc
_auth=#####TOKEN_FOR_ARTIFACTORY#####
always-auth=true
registry=https://artifactory.mycompany.net/artifactory/api/npm/npm/
//npm.pkg.github.com/:_authToken=####GitHub_NPM_REGISTRY_TOKEN#####
Contents of ~/projects/blah/.npmrc
@mycompany:registry=https://npm.pkg.github.com
Until i moved the ^ named family package registry entry to project-level .npmrc
, yarn install
was giving me 401 (for GH-hosted packages under @mycompany
). Now it does not.
For Docker build mount them separately:
base.Dockerfile
:
# syntax=docker/dockerfile:1-experimental
## ^ need to enable --mount=type=secret support
ARG BASE_IMAGE
FROM ${BASE_IMAGE} as build
# note that only project-level .npmrc is copied
COPY package.json yarn.lock .npmrc ./
# ~/.npmrc with actual secrets is mounted as "secret" (does not stay in image)
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc,required \
yarn install --production --frozen-lockfile ...
Docker build command:
DOCKER_BUILDKIT=1 docker build \
--build-arg BASE_IMAGE=$(BASE_IMAGE) \
--secret id=npmrc,src="$(HOME)/.npmrc" \
-t $(IMAGE_NAME):$(IMAGE_TAG) \
-f base.Dockerfile .
_(Note, that i did NOT need .yarnrc
for this to work, but i am on yarn 1.17.3 so things may be different for other versions)_
I've digged a little bit arround and it seems yarn uses the wrong auth credentials.
~/.npmrc
//npm-old.visualon.de/npm/vo-npm/:_password=XXXXXX
//npm-old.visualon.de/npm/vo-npm/:username=kriese
//npm-old.visualon.de/npm/vo-npm/:always-auth=true
//npm-new.visualon.de/:_authToken="XXXXXX"
package.json
{
"name": "yarn-auth",
"version": "1.0.0",
"main": "index.js",
"license": "MIT",
"dependencies": {
"tslib": "^2.0.1",
"moment": "2.20.1"
}
}
yarn.lock
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1
[email protected]:
version "2.20.1"
resolved "https://npm-old.visualon.de/npm/vo-npm/moment/-/moment-2.20.1.tgz#d6eb1a46cbcc14a2b2f9434112c1ff8907f313fd"
integrity sha1-1usaRsvMFKKy+UNBEsH/iQfzE/0=
tslib@^2.0.1:
version "2.0.1"
resolved "https://npm-new.visualon.de/tslib/-/tslib-2.0.1.tgz#410eb0d113e5b6356490eec749603725b021b43e"
integrity sha512-SgIkNheinmEBgx1IUNirK0TUD4X9yjjBRTqqjggWCU3pUEqIk3/Uwl3yRixYKT6WjQuGiwDv4NomL3wqRCj+CQ==
While trying to install yarn sends the bearer
token from npm-new.visualon.de
to npm-old.visualon.de
. So it semms yarn only compares the base domain.
If anyone still faces it, this is what worked for me.
.npmrc:
always-auth=true
@orgaccount:registry=https://npm.pkg.github.com
registry=https://registry.yarnpkg.com
https://npm.pkg.github.com/:_authToken=yyyyjjjjj3333888etc
Not sure if anyone faces a similar problem, but maybe this will help someone save a bit of time:
I am using Azure Artifacts as a private registry and had set up the PAT and .npmrc files as documented there.
Nevertheless, I was running into the same issue that npm install
was working perfectly, but yarn install
runs into the 401 Error all the time.
After a bit of try and error It turned out the I had a special character in my Registry URL (...@Local/...) but Azure Artifacts resolves this to the Unicode representation within their setup guide. npm handles this just fine, yarn not so much. Setting the actual @ character in the URL, solved my problem.
Most helpful comment
this has been reported in 2017, it's 2019 now and this issue still exists.