yarn does not honor authentication settings in .npmrc

Created on 14 Sep 2017  ยท  86Comments  ยท  Source: yarnpkg/yarn

Do you want to request a feature or report a bug?
BUG
What is the current behavior?
Yarn does not honor .npmrc
If the current behavior is a bug, please provide the steps to reproduce.
We require authentication for one of our repositories and we used to do this by specifying the authentication in .npmrc. This worked up to 0.28.4 but broke in 1.0.0

What is the expected behavior?
Honoring the authentication settings in .npmrc

Please mention your node.js, yarn and operating system version.
It happens after upgrading yarn to 1.0.0/1.0.1 (have tried both versions). Regardless of OS and nodejs version.

cat-bug help wanted

Most helpful comment

this has been reported in 2017, it's 2019 now and this issue still exists.

All 86 comments

This should be fixed in 1.0.2 which was released yesterday. Can you give it a spin?

@BYK I am experiencing the same issues as above and as mentioned at the end of #4157 . I tried running 1.0.2 and failed with 404. Running on 0.27.5 works as expected.

Could you paste your npmrc file here so we could try to reproduce (obviously edit out secrets or other private info)

@KidkArolis while trying to get my working dir as clean as possible, it somehow fixed the issue? ๐Ÿ™ƒ

Steps I took:

  • Delete yarn.lock and any yarn-error.log files
  • Delete node_modules/
  • brew link yarn and yarn --version to ensure I was at 1.0.2
  • yarn

That seems to have worked. I am going to chalk this up as a user error on mine and my team's end.

@beardedtim What about if you now blow away node_modules but keep yarn.lock and then run yarn install? Does it all work then? This is in part what #4157 tracks but may be related to the larger issue at hand?

I am experiencing this issue (404 on private scoped repo, whichever registry I use) for yarn versions 1.0.1, and 1.0.2. Version 0.27.5 worked after clearing some artifacts.

I have tried all the workarounds discussed in https://github.com/yarnpkg/yarn/issues/4157. Happy to post logs if it will help.

@stieg I will try that later today when I get a free moment around lunch and post results. I believe I still got the 404 error but I've tried so many things at this point, who knows!

Has anyone found a solution to this?

FWIW: I tried with:

  • Wiping my node_modules
  • Wiping ~/.yarn
  • curl -o- -L https://yarnpkg.com/install.sh | bash to reinstall yarn 1.0.2
  • yarn install - _no errors_, it installed everything flawlessly.

My ~/.yarnrc:

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


registry "https://registry.npmjs.org"
email [email protected]
lastUpdateCheck 1505977814820
username some-user
````

And my `~/.npmrc`:

//registry.npmjs.org/:_authToken=a-valid-uuid


The `yarn.lock` references look like this in my particular case:

resolved "https://registry.npmjs.org/@acme/some-module/-/some-module-0.1.1.tgz#valid-git-sha"
```

Interesting. After putting the registry in my .yarnrc file, I was able to install my packages. However, I removed it to check if that was the culprit, and it still was successful (I deleted my cache so Yarn had to download it, and it managed to do so correctly).

I tried on a fresh install (Debian this time, the other was macOS) and having these settings in ~/.npmrc and ~/.yarnrc worked equally well there. (Note: I did not try npm login or yarn login.)

Closing as people reporting this was resolved. Reopen with concrete reproduction steps if it is not resolved for you @carlosduclos please.

@BYK I had the same problem.
I used the clean install of the latest yarn version.
And it starts working after I added registry "https://registry.npmjs.org" to ~/.yarnrc.
I think it's a bug and it should be solved automatically, not manually, as we did.

@BYK It may help to note that everyone who has "reported as resolved" has used the workaround of forcing yarn to use the https://registry.npmjs.org registry.

I think there is still a problem retrieving private packages from the https://registry.yarnpkg.com registry, however, and this is the default registry used by yarn (is it still just a reverse proxy? perhaps it's not honouring auth headers?).

Concrete reproduction steps

  1. Delete/move your .npmrc and .yarnrc files so yarn is using the default config.
  2. Locate a package published privately to the npm registry.
    1a. If you have downloaded/published it from the same machine you are testing yarn from, clear the npm and yarn caches.
  3. Run npm login or yarn login to populate the auth token.
  4. Using any yarn version after 0.27.5, try to install this package.
Expected results

Package installs successfully.

Actual results
โค @up โžœ  REPO git:(master) โ˜… yarn add @SCOPE/PACKAGE 
yarn add v1.1.0
info No lockfile found.
[1/5] Validating package.json...
[2/5] Resolving packages...
error An unexpected error occurred: "https://registry.npmjs.org/@SCOPE%2fPACKAGE: Not found".
info If you think this is a bug, please open a bug report with the information provided in "/home/katy/dev/REPO/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.

If project maintainers find @kmoe's instructions to be reproducible, this ticket should be reopened (at least for the sake of existing subscribers).

I agree with @kmoe, the underlying issue is not fixed even in recent versions of yarn. Please reopen the issue. Yes, we have a workaround, but workaround != solution in this case.

FWIW, this is still a problem in 1.1.0. I just verified it (came back here for the workaround, namely registry "https://registry.npmjs.org" being added to ~/.yarnrc)

I am having this problem in yarn 1.3.2 and it is breaking our builds right now. It worked fine on yarn 0.27.5.

We require an auth token from the .npmrc file to install packages from our Artifactory private registry.

Reproduction steps:

  1. Have an .npmrc file with authentication info in it like:
registry=https://artifactory.mycompany.com/artifactory/api/npm/npm-virtual
_auth = myAuthTokenHere
always-auth = true
email = [email protected]
  1. Run yarn install
  2. Get HTTP 401 error when yarn is trying to install stuff from the private registry:
error An unexpected error occurred: "https://artifactory.mycompany.com/api/npm/npm-virtual/@angular/compiler/-/compiler-4.3.1.tgz: Request failed \"401 Unauthorized\"".

Related: #4672

@stewx I'm also having the same problem on 1.3.2. Did you find a fix or a way around it?

@jamesone Nope, I downgraded to something like 0.27. It's a deal-breaker for our project.

@stewx @jamesone
Add registry "https://registry.npmjs.org" in your .yarnrc and reinstall the private packages
It will tell yarn to work directly with npmjs registry and it will solve the issue

It feels so wrong to version lock at 0.27.5 just to circumvent this one issue, but it seems like many are doing just that _or_ redirecting registry config (although @stewx is reporting that does not solve for self-hosted private registries).

If frequent project contributors don't have time to fix this in the short term, would somebody be willing to suggest codebase location(s) where a fix is most likely to succeed, in the hopes that a community PR will be opened? ๐Ÿค”

/cc @kittens @bestander @BYK @arcanis @rally25rs @kaylieEB

@Bnaya When you say reinstall, do you mean remove node_modules in your project or clear yarn cache?

yarn remove yourprivatepackage; yarn add yourprivatepackage

And in the lock file you will see https://registry.npmjs.org/*** url and not https://registry.yarnpkg ***

I would suggest adding the .yarnrc next to your package.json

I actually made it work by putting registry "https://registry.npmjs.org" in ~/.yarnrc, i.e. no need for a package local .yarnrc.

Steps to reproduce error for me:

  • do not have a modified ~/.yarnrc
  • create new project
  • yarn cache clean
  • yarn add privatemodule -> fail

If I modify ~/.yarnrc as mentioned above the steps do not create an error.

If I look at some of my project where there are failures I see that yarn.lock contains https://registry.yarnpkg.com/@myscope/mypackage/. In order to make these projects work I need to remove yarn.lock and regenerate it, after having made the update to ./.yarnrc.

This seems to explain why some people still have errors even when they try something that works for others.

How to solve in conclusion:

  • add registry "https://registry.npmjs.org" to ~/.yarnrc
  • remove and regenerate yarn.lock for failing projects

@TheLudd Regenerating yarn.lock from scratch defeats its purpose.

Instead, project maintainers may want to consider search/replace from yarnpkg.com to npmjs.org, preserving their current lock file state.

@awkaiser Well, as long as your tests pass you can commit it and all other collaborators will have the same environment as you. So not really defeating its purpose IMO.
But yes you can also search replace.

But the rule is also that you should not modify yarn.lock manually ;)

If it was always safe to pull the absolute latest packages that satisfy our package.json requirements, we wouldn't have a need for lockfiles at all. ๐Ÿ˜œ

Normally, yes, we shouldn't modify yarn.lock by hand but this, being a bug, supports an exception to that rule. Updating the registry location reference with a search and replace should be straightforward and safe. ๐Ÿป

I didn't need to regenerate my whole lock file.
Just to remove and install the private packages

@awkaiser or anyone else on the thread - one way you can help is by creating a reproducable example. E.g. base it off this repo https://github.com/KidkArolis/yarn-scopes-issue. If you can produce a repo where running yarn fails (specific registry response, specific yarn config, specific package.json etc.) - I could then definitely have a look at fixing the issue.

Generally:

  1. You don't need .yarnrc file
  2. You don't need .yarnrc to contain registry "https://registry.npmjs.org"
  3. Private modules from registry.npmjs.org should work
  4. Private modules from custom.registry.org should work

@KidkArolis the failures are random. but they are there.
As i wrote on a another related issue: its or an issue with the yarn registry(maybe caching failures, bad Vary header on the proxy, what ever, ), or complex edge case inside yarn that happens only with yarn registry.

Is what @kmoe wrote on Sep 25, 2017 insufficient? ๐Ÿค”

It prompted reopening of this issue, implying reproduction by contributor(s).

@KidkArolis I am not sure how I can create a reproducible example in a repository since this regards private modules and is thus dependent on who runs yarn, right? But my steps to reproduce the error is here https://github.com/yarnpkg/yarn/issues/4451#issuecomment-355248563 and what @kmoe wrote is also sufficient.

When I try to install a private package without modifying .yarnrc the error I get starts with

An unexpected error occurred: "https://registry.yarnpkg.com

This implies that it looks in the yarn registry and not npm. Is that not the error causing this bug?

Ok, thanks for resurfacing those reproduction steps. Iโ€™ll try and have a look.

For whatever reason, adding this explicit location to .npmrc for where to find my private packages made the 404 error stop happening on all repos in which this was causing a problem.

@npm-username:registry=https://registry.yarnpkg.com/

Does anyone have a private npm package they could add me to? Username: kidkarolis.

I'm struggling to get a paid account, their Billing/Account system doesn't seem to be working for me atm (I get 402 Payment Required even though they charged me :-"). So while I wait for npm's support, if someone adds me to a private package (if that's even possible), that would speed things up.

Ok, I think it was just .. eventual consistency, my private npm account works now.

However, I can't reproduce the issue yet :(

I followed the steps provided by @kmoe:

  1. rm ~/.yarnrc && rm ~/.npmrc
  2. yarn cache clean && npm cache clean --force
  3. npm login
  4. yarn add @scope/pkg

It installs fine (and doesn't if I don't npm login). In other words - works as expected for me.

And judging by the yarn.lock, my install goes through https://registry.yarnpkg.com and seems to uses auth as expected. Could it be that there was an issue on the server in the past, but is now resolved?

Ok, I think reproduced something.

If I add @qubit:registry=https://registry.npmjs.org/ to .npmrc - the install no longer works.
I think that line is added if you login with npm login --scope=@qubit and it isn't added if you login with just npm login. Will see how to fix this next.

@KidkArolis other common way of setting that config would be:

npm config set @qubit:registry https://registry.npmjs.org

Opened a PR - #5162 feedback (or even QA) welcome.

@KidkArolis Thanks for the PR. But I think the problem lies not only in the "--scope" case, but in a more general case where a private repo also mirrors public packages with auth.

By the way, @bytheway875, your trick of using https://registry.yarnpkg.com/ as the registry worked for me.

My situation:

  • Goal: install private packages with yarn from an org (@org-name) on npmjs.com using an authToken in local .npmrc file during a CI build (GitLab), so not logged into npm.
  • works with npm
  • no issues on dev machine (mac), i can npm login and yarn just works OR I can be logged out of npm but manually create a local / HOME dir .npmrc file with a single line: //registry.npmjs.org/:_authToken=token and yarn just works (that second method _might_ be working cause of local cache, didn't try wiping that)
  • .yarnrc trick from above didn't work

_The only way I can get this to work is by creating the below local .npmrc file before running yarn install in CI:_

@org-name:registry=https://registry.yarnpkg.com/
always-auth=true
_authToken=token

I had similar issue with .npmrc file. All I had to do is set encoding of .npmrc file to ANSI (in Windows you can use notepad.exe>Save As...).
You can test how yarn sees your .npmrc file content by using yarn config list

I can't get this to work with v1.4.1. I have a private Nexus repo and I use it as cache / proxy (like this). I can't seem to find definitive instructions, so it's possible I'm doing something wrong. I grabbed the yarn config syntax here and the yarn login syntax here.

Edit: I should have mentioned I've tried logging in via NPM first to get the needed .npmrc before trying with yarn.

Below is exactly what I'm doing to test.

Check Merge Commit (dc705768)

git tag --contains dc705768
v1.4.0
v1.4.1

Set Up

Create a Dockerfile to give a consistent, baseline environment for testing.

# Build
#  docker build -t yarn-private-registry-test .
# Run
#  docker run -it --rm yarn-private-registry-test

FROM debian:9.3-slim

WORKDIR /projects

RUN apt-get update \
  && apt-get --yes install curl gnupg \
  && curl -sL https://deb.nodesource.com/setup_8.x | bash - \
  && apt-get install --yes nodejs \
  && curl -OL https://github.com/yarnpkg/yarn/releases/download/v1.4.1/yarn_1.4.1_all.deb \
  && find . -name yarn*.deb -exec dpkg --install {} \; \
  && find . -name yarn*.deb -exec rm {} \;

Build Docker Image

docker build -t yarn-private-registry-test .

Test Yarn

Hint: Keep exiting and restarting the Docker container to get a clean environment.

No Config

Make sure the environment works by initialize a project and adding a dependency without making any config changes.

Run Docker Container

docker run -it --rm yarn-private-registry-test

Test

Add left-pad dependency.

mkdir yarn \
  && cd yarn \
  && yarn init --yes \
  && yarn add left-pad
yarn init v1.4.1
warning The yes flag has been set [...snip...]
success Saved package.json
Done in 0.03s.
yarn add v1.4.1
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
success Saved 1 new dependency.
โ””โ”€ [email protected]
Done in 0.52s.

Private Registry Config

Run Docker Container

docker run -it --rm yarn-private-registry-test

Test

mkdir yarn \
  && cd yarn \
  && yarn init --yes \
  && yarn config set registry https://example.com/repository/npm-group/ \
  && yarn login
yarn init v1.4.1
warning The yes flag has been set [...snip...]
success Saved package.json
Done in 0.03s.
yarn config v1.4.1
success Set "registry" to "https://example.com/repository/npm-group/".
Done in 0.04s.
yarn login v1.4.1
question npm username: myusername
question npm email: [email protected]
Done in 6.25s.

Add left-pad dependency.

yarn --verbose add left-pad
yarn add v1.4.1
verbose 0.349 Checking for configuration file "/projects/yarn/.npmrc".
verbose 0.35 Checking for configuration file "/usr/local/share/.npmrc".
verbose 0.35 Checking for configuration file "/usr/etc/npmrc".
verbose 0.352 Checking for configuration file "/root/.npmrc".
verbose 0.353 Checking for configuration file "/projects/yarn/.npmrc".
verbose 0.353 Checking for configuration file "/projects/.npmrc".
verbose 0.355 Checking for configuration file "/projects/yarn/.yarnrc".
verbose 0.355 Checking for configuration file "/usr/local/share/.yarnrc".
verbose 0.357 Found configuration file "/usr/local/share/.yarnrc".
verbose 0.358 Checking for configuration file "/usr/etc/yarnrc".
verbose 0.358 Checking for configuration file "/root/.yarnrc".
verbose 0.359 Checking for configuration file "/projects/yarn/.yarnrc".
verbose 0.359 Checking for configuration file "/projects/.yarnrc".
verbose 0.365 current time: 2018-01-25T21:55:48.886Z
info No lockfile found.
verbose 0.405 Performing "GET" request to "https://yarnpkg.com/latest-version".
[1/4] Resolving packages...
verbose 0.48 Performing "GET" request to "https://example.com/repository/npm-group/left-pad".
verbose 0.52 Request "https://example.com/repository/npm-group/left-pad" finished with status code 401.
verbose 0.522 Error: Couldn't find package "left-pad" on the "npm" registry.
    at new MessageError (/usr/share/yarn/lib/cli.js:186:110)
    at NpmResolver.<anonymous> (/usr/share/yarn/lib/cli.js:50354:15)
    at Generator.next (<anonymous>)
    at step (/usr/share/yarn/lib/cli.js:98:30)
    at /usr/share/yarn/lib/cli.js:109:13
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:188:7)
error An unexpected error occurred: "Couldn't find package \"left-pad\" on the \"npm\" registry.".
info If you think this is a bug, please open a bug report with the information provided in "/projects/yarn/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.
verbose 0.809 Request "https://yarnpkg.com/latest-version" finished with status code 200.

Check .yarnrc

cat /usr/local/share/.yarnrc
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


registry "https://example.com/repository/npm-group/"
email [email protected]
lastUpdateCheck 1516917349331
username myusername

Test NPM

Skip straight to the desired config because it works.

Private Registry Config

Run Docker Container

docker run -it --rm yarn-private-registry-test

Test

mkdir npm \
  && cd npm \
  && npm init --yes \
  && npm config set registry https://example.com/repository/npm-group/ \
  && npm login
Wrote to /projects/npm/package.json:

{
  "name": "npm",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}


Username: myusername
Password:
Email: (this IS public) [email protected]
Logged in as myusername on https://example.com/repository/npm-group/.

Add left-pad dependency.

npm --verbose install left-pad
npm info it worked if it ends with ok
npm verb cli [ '/usr/bin/node',
npm verb cli   '/usr/bin/npm',
npm verb cli   '--verbose',
npm verb cli   'install',
npm verb cli   'left-pad' ]
npm info using [email protected]
npm info using [email protected]
npm verb npm-session 0ed36c84804378c8
npm http fetch GET 200 https://example.com/repository/npm-group/left-pad 78ms
npm http fetch GET 200 https://example.com/repository/npm-group/left-pad/-/left-pad-1.2.0.tgz 28ms
npm verb correctMkdir /root/.npm/_locks correctMkdir not in flight; initializing
npm verb makeDirectory /root/.npm/_locks creation not in flight; initializing
npm verb lock using /root/.npm/_locks/staging-2f9f45630e5bbb1a.lock for /projects/npm/node_modules/.staging
npm info lifecycle [email protected]~preinstall: [email protected]
npm info linkStuff [email protected]
npm verb linkBins [email protected]
npm verb linkMans [email protected]
npm info lifecycle [email protected]~install: [email protected]
npm info lifecycle [email protected]~postinstall: [email protected]
npm verb unlock done using /root/.npm/_locks/staging-2f9f45630e5bbb1a.lock for /projects/npm/node_modules/.staging
npm verb saving [ { name: 'left-pad', spec: '^1.2.0', save: 'dependencies' } ]
npm info lifecycle undefined~preshrinkwrap: undefined
npm info lifecycle undefined~shrinkwrap: undefined
npm notice created a lockfile as package-lock.json. You should commit this file.
npm info lifecycle undefined~postshrinkwrap: undefined
npm WARN [email protected] No description
npm WARN [email protected] No repository field.

+ [email protected]
added 1 package in 0.398s
npm verb exit [ 0, true ]
npm info

@ryanjaeb Thanks for the detailed report. The one thing I'm missing in order to tell you what might be going wrong here is the contents of ~/.npmrc and ~/.yarnrc files. You did paste your .yarnrc, but it doesn't contain password. Also without .npmrc file for comparison, it's hard to pin point the issue.

Your use case should work fine in ^1.4.0, but it's all about how the config file looks.

Tbh with you, I never use yarn login, I first npm login and then use yarn. In your above example, if you first do npm set config registry ... && npm login and then run add left-pad - does it work? If npm works, so should yarn. So I'm wondering if the yarn login command is what's broken.

@KidkArolis By ignoring yarn login and expecting to be able to get it working with only npm login, I was able to make some progress. I'm seeing two things.

.npmrc

The docs for npm-login don't seem to match what I'm actually seeing in .npmrc. Specifically, the --always-auth arg for the npm login command has no impact on the config, even though the docs say:

Can be used with --registry and / or --scope, e.g.
...
Registry-specific configuration of always-auth takes precedence over any global configuration.

However, regardless of whether or not I use that argument, I always end up with the same .npmrc. Both:

npm config set registry https://example.com/repository/npm-group/ \
  && npm login --registry=https://example.com/repository/npm-group/

and

npm config set registry https://example.com/repository/npm-group/ \
  && npm login --registry=https://example.com/repository/npm-group/ --always-auth

produce this .npmrc:

registry=https://example.com/repository/npm-group/
//example.com/repository/npm-group/:_authToken=NpmToken.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Sniffing the traffic going to my registry shows that NPM sends the auth token regardless:

GET /repository/npm-group/left-pad HTTP/1.1
Host: example.com
user-agent: npm/5.6.0 node/v8.9.4 linux x64
npm-in-ci: false
npm-scope: 
npm-session: c4c14c0b37be7bd5
referer: install left-pad
pacote-req-type: packument
pacote-pkg-id: registry:manifest
accept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*
authorization: Bearer NpmToken.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
accept-encoding: gzip,deflate
X-Forwarded-Proto: https
X-Forwarded-For: 10.10.10.1
X-Forwarded-Host: example.com
X-Forwarded-Server: example.com
Connection: Keep-Alive

Yarn does not send the token unless always-auth is set. Explicitly setting the always-auth flag in .npmrc gets everything working as expected.

npm config set always-auth true \
    && cat ~/.npmrc
registry=https://example.com/repository/npm-group/
//example.com/repository/npm-group/:_authToken=NpmToken.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
always-auth=true

Beyond knowing the behavior between NPM and Yarn differs, I'm not familiar enough with either to know which behavior is correct.

yarn login

I think you might be right about yarn login not working, but I haven't tested it extensively. Ignoring .npmrc and using only yarn, I try to mimic the NPM config.

yarn config set registry https://example.com/repository/npm-group/ \
    && yarn config set always-auth true \
    && yarn login

.yarnrc:

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


registry "https://example.com/repository/npm-group/"
always-auth true
email [email protected]
lastUpdateCheck 1517883362958
username myusername

No matter what I do, I'm never prompted to enter my password.

@KidkArolis For me npm works without explicit always-auth=true in .npmrc and yarn (1.3.2 or 1.4.0) doesn't. In my case I'm trying to point all requests to the virtual registry in artifactory. With always-auth=true and authToken in .npmrc โ€“ย it works in 1.3.2, so not clear what was exactly fixed in 1.4.0.

This still seems to be an issue, specifically hooking up to our Nexus repo.

I've tried several approaches:

  1. Deleting my ~/.yarnrc completely and relying only on what is in ~/.npmrc.
  2. Mucking about with registry settings in ~/.yarnrc.

It seems that yarn is not using the hashed _auth value (e.g. _auth=xyz) from ~/.npmrc

Version info

NPM

npm --version                                                                                                                                                                                                                                                                                                      
5.6.0

Yarn

yarn --version
1.5.1

Running on OS X 10.13.2.

NPMRC

My ~/.npmrc looks like this (some setting _values_ omitted for obvious reasons):

registry=http://nexus-repo:8081/content/repositories/npm-all
init.author.name=Juan Smith
[email protected]
init.author.url=http://nexus-repo:8081/content/repositories/npm/
[email protected]
_auth=BASE64-HASH-USERNAME-PASSWORD
always-auth=true

YARNRC

My ~/.yarnrc looks like this (again obvious values omitted):

registry "http://nexus-repo:8081/content/repositories/npm-all//"
email [email protected]
lastUpdateCheck 1521495247797
username jsmith

ยฏ_(ใƒ„)_/ยฏ

Not really sure where to go from here. It's not entirely clear what is going on, other than all yarn builds fail in the following fashion:

error An unexpected error occurred: "http://nexus-repo:8081/content/groups/npm-all/lru-cache/-/lru-cache-4.1.2.tgz: Request failed \"401 Unauthorized\"".

FWIW, IANADOE (I Am Not A Dev Ops Engineer) and am just trying to utilize a package that leans on yarn for electron builds. This could just be me not knowing how to set the base64 username|password hash for yarn. I have not been able to find docs explaining that.

@ezweave Sonatype has really good documentation. That link also has instructions for testing to make sure you're doing the base64 encoding correctly. Personally I find it easiest to enable the npm Bearer Token Realm in Nexus and to use npm login on my workstation. Ex:

npm config set registry http://nexus-repo:8081/content/repositories/npm-all
npm login --registry=http://nexus-repo:8081/content/repositories/npm-all --always-auth
npm config set always-auth true

Make sure it works with NPM before trying Yarn. I don't know if it matters, but you have two trailing slashes (//) on the .yarnrc registry.

@ryanjaeb so, our devops team has Nexus locked down to _only_ support the LDAP Realm. This might be the core of the problem, but there are many tools that rely on yarn that I cannot use because this seems to be unsupported. I've tried appending the _auth as a param in the appropriate syntax, et cetera. Nothing seems to work. (FWIW: the multiple slashes was a supposed fix for a related issue, I've done it with and without with no success.)

Can confirm that Yarn auth is broken with Nexus. yarn login doesn't prompt for a password but says it logged in successfully (it didn't -- no changes to rc file),

Publish does prompt for the password and does publish but it never reads from the __auth token wherever it is set to you have to login every time. And you also can't use yarn in a CI scenario.

yarn does not work within CI. Will this ever work?

This issue should have been fixed by https://github.com/yarnpkg/yarn/pull/5216. That PR had a description containing this:

Fixes #4157, #4451, #4672, #4119.

and that caused GitHub to only close #4157 automatically when that PR was merged. The other issues should've probably been closed as well.

@valscion this might help further with these issues - https://github.com/yarnpkg/yarn/pull/5322, but it slipped through the cracks..

Adding another datapoint - yarn 1.8.x+ fails on my build agent (VSTS). Reverting ONLY yarn to 1.7.x resolves the issue. It's looking at the correct registry, but not using the tokens that are injected into the .npmrc by the build agent. I do realize there are a lot of variables here, but figured it might be useful.

Running 1.9.x locally, where tokens are saved in my user .npmrc, works fine.

1.9.x Version

2018-08-03T21:17:04.9324575Z [command]C:\Windows\system32\cmd.exe /D /S /C "C:\Builds\_tool\yarn\1.9.4\x64\yarn-v1.9.4\bin\yarn.cmd build"
2018-08-03T21:17:05.4481355Z yarn run v1.9.4
2018-08-03T21:17:05.5418442Z $ lerna clean && lerna bootstrap
2018-08-03T21:17:08.3387809Z lerna info version 2.11.0
2018-08-03T21:17:08.3387809Z lerna info versioning independent
2018-08-03T21:17:08.3856545Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.3856545Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.3856545Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.3856545Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4012821Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4012821Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4169058Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4325326Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.4325326Z lerna info clean removing <REMOVED>
2018-08-03T21:17:08.7606628Z lerna success clean finished
2018-08-03T21:17:09.5145894Z lerna info version 2.11.0
2018-08-03T21:17:09.5145894Z lerna info versioning independent
2018-08-03T21:17:09.5419287Z lerna info Bootstrapping 9 packages
2018-08-03T21:17:09.5419287Z lerna info lifecycle preinstall
2018-08-03T21:17:09.5576221Z lerna info Installing external dependencies
2018-08-03T21:17:12.8857424Z lerna ERR! execute callback with error
2018-08-03T21:17:12.8857424Z lerna ERR! Error: Command failed: yarn install --mutex network:42424 --non-interactive
2018-08-03T21:17:12.8857424Z lerna ERR! warning package.json: No license field
2018-08-03T21:17:12.8857424Z lerna ERR! warning Waiting for the other yarn instance to finish (4048)
2018-08-03T21:17:12.8857424Z lerna ERR! warning Waiting for the other yarn instance to finish (6896)
2018-08-03T21:17:12.8857424Z lerna ERR! warning No license field
2018-08-03T21:17:12.8857424Z lerna ERR! error An unexpected error occurred: "<INTERNAL_REGISTRY>/lodash.foreach/-/lodash.foreach-2.3.0.tgz: Request failed \"401 Unauthorized\"".
2018-08-03T21:17:12.8857424Z lerna ERR! [1/4] Resolving packages...
2018-08-03T21:17:12.8857424Z lerna ERR! [2/4] Fetching packages...
2018-08-03T21:17:12.8857424Z lerna ERR! info If you think this is a bug, please open a bug report with the information provided in "C:\\Builds\\6\\s\\packages\\<REMOVED>\\yarn-error.log".
2018-08-03T21:17:12.8857424Z lerna ERR! info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
2018-08-03T21:17:12.8857424Z lerna ERR! 
2018-08-03T21:17:12.8857424Z lerna ERR!     at Promise.all.then.arr (C:\Builds\6\s\node_modules\lerna\node_modules\execa\index.js:236:11)
2018-08-03T21:17:12.8857424Z lerna ERR!     at <anonymous>
2018-08-03T21:17:12.9482437Z lerna WARN complete Waiting for 1 child process to exit. CTRL-C to exit immediately.
2018-08-03T21:17:13.0732458Z { Error: Command failed: yarn install --mutex network:42424 --non-interactive
2018-08-03T21:17:13.0732458Z warning package.json: No license field
2018-08-03T21:17:13.0732458Z warning Waiting for the other yarn instance to finish (4048)
2018-08-03T21:17:13.0732458Z warning Waiting for the other yarn instance to finish (6896)
2018-08-03T21:17:13.0732458Z warning No license field
2018-08-03T21:17:13.0732458Z error An unexpected error occurred: "<INTERNAL_REGISTRY>/lodash.foreach/-/lodash.foreach-2.3.0.tgz: Request failed \"401 Unauthorized\"".
2018-08-03T21:17:13.0732458Z [1/4] Resolving packages...
2018-08-03T21:17:13.0732458Z [2/4] Fetching packages...
2018-08-03T21:17:13.0732458Z info If you think this is a bug, please open a bug report with the information provided in "C:\\Builds\\6\\s\\packages\\<REMOVED>\\yarn-error.log".
2018-08-03T21:17:13.0732458Z info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
2018-08-03T21:17:13.0732458Z 
2018-08-03T21:17:13.0732458Z     at Promise.all.then.arr (C:\Builds\6\s\node_modules\lerna\node_modules\execa\index.js:236:11)
2018-08-03T21:17:13.0732458Z     at <anonymous>
2018-08-03T21:17:13.0732458Z     at process._tickCallback (internal/process/next_tick.js:188:7)
2018-08-03T21:17:13.0732458Z   code: 1,
2018-08-03T21:17:13.0732458Z   killed: false,
2018-08-03T21:17:13.0732458Z   stdout: '[1/4] Resolving packages...\n[2/4] Fetching packages...\ninfo If you think this is a bug, please open a bug report with the information provided in "C:\\\\Builds\\\\6\\\\s\\\\packages\\\\<REMOVED>\\\\yarn-error.log".\ninfo Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.\n',
2018-08-03T21:17:13.0732458Z   stderr: 'warning package.json: No license field\nwarning Waiting for the other yarn instance to finish (4048)\nwarning Waiting for the other yarn instance to finish (6896)\nwarning No license field\nerror An unexpected error occurred: "<INTERNAL_REGISTRY>/lodash.foreach/-/lodash.foreach-2.3.0.tgz: Request failed \\"401 Unauthorized\\"".\n',
2018-08-03T21:17:13.0732458Z   failed: true,
2018-08-03T21:17:13.0732458Z   signal: null,
2018-08-03T21:17:13.0732458Z   cmd: 'yarn install --mutex network:42424 --non-interactive',
2018-08-03T21:17:13.0732458Z   timedOut: false,
2018-08-03T21:17:13.0732458Z   exitCode: 1 }
2018-08-03T21:17:13.0888721Z error Command failed with exit code 1.
2018-08-03T21:17:13.0888721Z info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

1.7.X Version

2018-08-03T21:33:16.4477199Z [command]C:\Windows\system32\cmd.exe /D /S /C "C:\Builds\_tool\yarn\1.7.0\x64\yarn-v1.7.0\bin\yarn.cmd build"
2018-08-03T21:33:16.9633413Z yarn run v1.7.0
2018-08-03T21:33:17.0727225Z $ lerna clean && lerna bootstrap
2018-08-03T21:33:19.2509802Z lerna info version 2.11.0
2018-08-03T21:33:19.2509802Z lerna info versioning independent
2018-08-03T21:33:19.2666043Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.2666043Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.2666043Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.2666043Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.2978554Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.5478528Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.5478528Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.5478528Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.6728520Z lerna info clean removing <REMOVED>
2018-08-03T21:33:19.8759839Z lerna success clean finished
2018-08-03T21:33:20.5947225Z lerna info version 2.11.0
2018-08-03T21:33:20.5947225Z lerna info versioning independent
2018-08-03T21:33:20.6103497Z lerna info Bootstrapping 9 packages
2018-08-03T21:33:20.6103497Z lerna info lifecycle preinstall
2018-08-03T21:33:20.6415982Z lerna info Installing external dependencies
2018-08-03T21:33:23.1103303Z lerna info Symlinking packages and binaries
2018-08-03T21:33:23.1415791Z lerna info lifecycle postinstall
2018-08-03T21:33:23.1415791Z lerna info lifecycle prepublish
2018-08-03T21:33:23.1415791Z lerna info lifecycle prepare
2018-08-03T21:33:23.1415791Z lerna success Bootstrapped 9 packages
2018-08-03T21:33:23.1572133Z $ ts-node ./build/index.ts
2018-08-03T21:33:58.5218101Z Done in 41.54s.

Hey folks, I have a request for the people following this issue and using a private registry.

We're considering dropping the registry hostname from the lockfile. This would make it easier to switch from a private registry to another, but the downside is that all the registries need to use similar URLs (since the hostname wouldn't be part of the URL, we would just merge it at runtime with the active configuration).

Could you please help us to confirm in #5892 that this workflow would work for your private registry provider (or tell us if it wouldn't)? That would help us get the level of confidence needed to make this change. Thanks!

I'm experiencing issues with yarn publish not reading the auth token from my .npmrc as well. I'm running this on Ubuntu.

Versions

yarn - 1.9.4
npm - 5.5.1

~/.npmrc

Here's what my ~/.npmrc looks like (with token and registry obfuscated):

registry=http://myprivateregistry.net/
//myprivateregistry.net/:_authToken="myAuthToken"

Output

When I run yarn publish --noninteractive, I receive the following error:

yarn publish v1.9.4
[1/4] Bumping version...
info Current version: 2.1.3
[2/4] Logging in...
error No token found and can't prompt for login when running with --non-interactive.
info Visit https://yarnpkg.com/en/docs/cli/publish for documentation about this command.

Debug steps

I've tried the following to no avail:

  • Copying ~/.npmrc to a local .npmrc in my project directory
  • Running yarn login with my credentials before running yarn publish

I've also verified that running npm publish makes it past the authentication step (it fails on the versioning step because it won't let me override the same version number. This is why I want to use yarn publish --non-interactive, because it allows for uploading, say, README changes with the same version number)

Is there something else I'm missing? Thanks!

@liuhelen10 Do yo have .yarnrc file inside your project? This worked for me with token stored inside ~/.npmrc

Example

$ cat .yarnrc 
registry "https://registry.npmjs.org/"

always-auth = true in .npmrc did the trick, not receiving 401 anymore while using Yarn.
Which makes not sense but whatever :)

this has been reported in 2017, it's 2019 now and this issue still exists.

Agreed, this still doesn't work.

.npmrc

always-auth=true
@somename:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=[token]

.yarnc

"@somename:registry" "https://npm.pkg.github.com/"

I am also getting an error with npm.pkg.github.com:

Integrity checked failed (none of the specified algorithms are supported

I am also getting an error with npm.pkg.github.com:

Integrity checked failed (none of the specified algorithms are supported

Getting this as well

I had the same problem using Nexus version 3, but solved using the approach mentioned by @plitex in this issue https://github.com/yarnpkg/yarn/issues/3093#issuecomment-317671597.

Put this content in the .npmrc file. You do not need to have any settings in the .yarnrc file.

always-auth=true
registry=https://nexus.server.com/repository/npm-group/
//nexus.server.com/repository/npm-group/:_authToken={AUTH_TOKEN}

yarn --version
1.17.3

npm --version
6.10.2

@nbransby, @revmischa: Also check out issue #7552, it might be that the error message is correct in this instance.

Two things that helped me:

  1. always-auth=true
  2. rm yarn.lock

I started getting this error on yarn 1.19.1. Before that yarn seemed to correctly pick up the registry and token information from .npmrc, but with 1.19.1, I had to add registry configuration in .yarnrc as well, otherwise I just got 401 errors.

Once that was done, it worked, and continued to pick up the token from .npmrc. Seems like a regression to me -- there doesn't appear to be any good reason to replicate the registry config from .npmrc to .yarnrc.

Like @rocketraman, soon as I've installed yarn 1.19.1, I've started experiencing 401s on when trying to install scoped packages from a private registry (nexus). npm install works fine.

Downgraded yarn and all working again:

curl -o- -L https://yarnpkg.com/install.sh | bash -s -- --version 1.17.3

can confirm this is STILL an issue

Getting 401 errors when running yarn install

Request "https://npm.pkg.github.com/user/@scope/package" finished with status code 401.

where as npn install runs with zero issue

I've spent the last 2 hours debugging this issue and thanks to my friend @AndreiCalazans, I have a workaround.

Sharing here for anyone who might be struggling with similar.

Use Case

I'm deploying a project that uses yarn workspaces to Heroku. Even if I drop the yarn.lock and use npm install, the project is built with workspaces and _will not work at all_ without yarn.

The project relies on packages hosted on GitHub Packages and needs to authenticate against GitHub via a token.

The Problem

Heroku would see a yarn.lock and install dependencies with yarn, which would ignore a ~/.npmrc file that I create pre build.

Pre-build, I would run

echo "always-auth=true\n//npm.pkg.github.com/:_authToken=${GITHUB_NPM_TOKEN}\" >> ~/.npmrc",

This creates a file, ~/.npmrc, with this content:

always-auth=true
//npm.pkg.github.com/:_authToken=whatevermytokenis

yarn would flat out ignore this and fail when attempting to pull a dependency from GitHub package registry with 401 Unauthorized.

The Workaround

Andrei mentioned aliasing _just the org_ to use the GitHub registry, and _then_ adding the GitHub registry token under.

Essentially, changing the ~/.npmrc file slightly to add the following:

always-auth=true
+@MY_ORG:registry=https://npm.pkg.github.com/

//npm.pkg.github.com/:_authToken=whatevermytokenis

That solved everything and suddenly, yarn used the provided auth token for npm.pkg.github.com for any packages under @MY_ORG which was the GitHub org.

Whew! I hope this helps someone! ๐Ÿ’ž

This is still an issue!! NPM install runs without problems, yarn add
error Couldn't find package "@diligentcorp/atlas-react" on the "npm" registry. info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.

On my windows machine, the problem was that the user folder with my user level .npmrc file was on a network drive. The local user folder on the machine did not have an .npmrc file, but yarn seems to look in this folder. Copying the .npmrc from the network drive to the local user folder fixed the problem (an authentication token was stored in the user level .npmrc).

I discovered that by accident after typing "cd ~" into my git bash and it switched to the remote home folder (which I never use).

@TejasQ Workaround did not work for me.

I'm also using GitHub Packages.
Still getting 401 unauthorized even though it works perfectly well with npm

I managed to make it work with yarn v1.22.0

.npmrc

always-auth=true
@fortawesome:registry=https://npm.fontawesome.com
//npm.fontawesome.com/:_authToken=xyz-xyz-xyz-xyz

.yarnrc

"@fortawesome:registry" "https://npm.fontawesome.com"

registry "https://some-regular-registry.org"

and then execute: yarn add @fortawesome/fontawesome-pro

Happening to me too, I was hoping I could get it to work with only .npmrc, but it only works when adding .yarnrc, so we have to duplicate the config just for yarn.

I think this is what I'm running into. It works when .npmrc is in the home directory, but not in the project directory (needed for jenkins/travis).
https://github.com/yarnpkg/yarn/issues/8034

Make sure you don't have /name after the registry when setting the scoped one:

- @4r7d3c0:registry=https://npm.pkg.github.com/4r7d3c0
+ @4r7d3c0:registry=https://npm.pkg.github.com

As per doc, registry=https://npm.pkg.github.com/OWNER, I overlooked that the owner doesn't need to be there when setting the scope. NPM could handle it, but yarn couldn't.

For those who use aliases check this workaround: https://github.com/yarnpkg/yarn/issues/8130#issuecomment-636281053

Had to split user-level .npmrc and project-level .npmrc to make yarn respect GitHub package tokens. Moving named registry declarations from user-level to project-level was the key

Contents of ~/.npmrc

_auth=#####TOKEN_FOR_ARTIFACTORY#####
always-auth=true
registry=https://artifactory.mycompany.net/artifactory/api/npm/npm/
//npm.pkg.github.com/:_authToken=####GitHub_NPM_REGISTRY_TOKEN#####

Contents of ~/projects/blah/.npmrc

@mycompany:registry=https://npm.pkg.github.com

Until i moved the ^ named family package registry entry to project-level .npmrc, yarn install was giving me 401 (for GH-hosted packages under @mycompany). Now it does not.

For Docker build mount them separately:

base.Dockerfile:

# syntax=docker/dockerfile:1-experimental
## ^ need to enable --mount=type=secret support

ARG BASE_IMAGE
FROM ${BASE_IMAGE} as build

# note that only project-level .npmrc is copied
COPY package.json yarn.lock .npmrc ./

# ~/.npmrc with actual secrets is mounted as "secret" (does not stay in image)
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc,required \
    yarn install --production --frozen-lockfile ...

Docker build command:

DOCKER_BUILDKIT=1 docker build \
        --build-arg BASE_IMAGE=$(BASE_IMAGE) \
        --secret id=npmrc,src="$(HOME)/.npmrc" \
        -t $(IMAGE_NAME):$(IMAGE_TAG) \
        -f base.Dockerfile .

_(Note, that i did NOT need .yarnrc for this to work, but i am on yarn 1.17.3 so things may be different for other versions)_

I've digged a little bit arround and it seems yarn uses the wrong auth credentials.

~/.npmrc

//npm-old.visualon.de/npm/vo-npm/:_password=XXXXXX
//npm-old.visualon.de/npm/vo-npm/:username=kriese
//npm-old.visualon.de/npm/vo-npm/:always-auth=true

//npm-new.visualon.de/:_authToken="XXXXXX"

package.json

{
  "name": "yarn-auth",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "tslib": "^2.0.1",
    "moment": "2.20.1"
  }
}

yarn.lock

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


[email protected]:
  version "2.20.1"
  resolved "https://npm-old.visualon.de/npm/vo-npm/moment/-/moment-2.20.1.tgz#d6eb1a46cbcc14a2b2f9434112c1ff8907f313fd"
  integrity sha1-1usaRsvMFKKy+UNBEsH/iQfzE/0=

tslib@^2.0.1:
  version "2.0.1"
  resolved "https://npm-new.visualon.de/tslib/-/tslib-2.0.1.tgz#410eb0d113e5b6356490eec749603725b021b43e"
  integrity sha512-SgIkNheinmEBgx1IUNirK0TUD4X9yjjBRTqqjggWCU3pUEqIk3/Uwl3yRixYKT6WjQuGiwDv4NomL3wqRCj+CQ==

While trying to install yarn sends the bearer token from npm-new.visualon.de to npm-old.visualon.de. So it semms yarn only compares the base domain.

If anyone still faces it, this is what worked for me.

.npmrc:
always-auth=true
@orgaccount:registry=https://npm.pkg.github.com
registry=https://registry.yarnpkg.com

https://npm.pkg.github.com/:_authToken=yyyyjjjjj3333888etc

Not sure if anyone faces a similar problem, but maybe this will help someone save a bit of time:

I am using Azure Artifacts as a private registry and had set up the PAT and .npmrc files as documented there.
Nevertheless, I was running into the same issue that npm install was working perfectly, but yarn install runs into the 401 Error all the time.
After a bit of try and error It turned out the I had a special character in my Registry URL (...@Local/...) but Azure Artifacts resolves this to the Unicode representation within their setup guide. npm handles this just fine, yarn not so much. Setting the actual @ character in the URL, solved my problem.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

catkins picture catkins  ยท  3Comments

chiedo picture chiedo  ยท  3Comments

baptistelebail picture baptistelebail  ยท  3Comments

danez picture danez  ยท  3Comments

FLGMwt picture FLGMwt  ยท  3Comments