[FEATURE] npm authentication #77

Closed
evantahler opened this issue Apr 21, 2021 · 3 comments

evantahler commented Apr 21, 2021

What / Why

We use pacote to check the latest tag version on NPM to let people know if they are running an old version of our packages (https://www.grouparoo.com/docs/support/upgrading-grouparoo#determining-if-there-are-updates). Everything works fine for public NPM packages, but we cannot check on private packages. It would be great if there was a way to use local or user-level NPM authentication tokens from .npmrc files with pacote to check on these private packages.

When

Every time the manifest for a private package is checked

Where

Both programmatically and on the CLI:

# public package
pacote manifest @grouparoo/core | jq .version
"0.2.12"
# Private package (it's ok, we announce this package exists)
pacote manifest @grouparoo/ui-enterprise | jq .version
HttpErrorGeneral: 404 Not Found - GET https://registry.npmjs.org/@grouparoo%2fui-enterprise - Not found

How

...

Current Behavior

404'd

Expected Behavior

Maybe something like this:

import pacote from "pacote";

const manifest: { name: string; version: string } = await pacote.manifest(
  `${plugin.name}@${tag}`,
  { _authToken: 'abc123' }
);

Who

Everyone!

References

nope.

Contributor

fraxken commented Jun 6, 2021

Hello @evantahler

There is a token option to authenticate the request (it takes an npm access token). For the CLI, however, I don't know.

benwiggins commented Sep 10, 2021

We ran into the same 404 issue after updating our dependencies and discovering newer supposedly semver-compliant pacote builds 404 and older builds do not.

npm-registry-fetch 10.0.0 introduced breaking changes around auth scopes, and these breaking changes were brought over to pacote between 11.3.1 and 11.3.2.

A top level _auth, _authToken, username, _password, or password option is no longer respected if not scoped to a given registry URL.

We have hacked around it by changing, e.g.:

const opts = { token: process.env.NPM_AUTH_TOKEN }

to

const opts = { "//registry.npmjs.org/:_authToken": process.env.NPM_AUTH_TOKEN }

@wraithgar
Member

The scoped auth config is the solution here. It is not safe to pass the same auth token to every host.
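
Added example, not part of the thread and not pacote's or npm-registry-fetch's own code: a simplified model of how a registry-scoped `_authToken` key, like the one in the workaround above, limits which host receives the credential. The function names, the `example.test` hosts and the token value are constructed for illustration.

```javascript
// Simplified model of registry-scoped credential lookup (illustration only).

// Build the scoped key shown in the thread, e.g.
// "//registry.npmjs.org/:_authToken", from a registry URL.
function scopedAuthOptions(registryUrl, token) {
  const u = new URL(registryUrl);
  const path = u.pathname.endsWith("/") ? u.pathname : u.pathname + "/";
  return { [`//${u.host}${path}:_authToken`]: token };
}

// Return the token that applies to requestUrl, or undefined.
// The lookup walks from the full request path up to the bare host, so a
// credential scoped to one registry never matches a different host, and a
// top-level (unscoped) _authToken key is never consulted.
function tokenForRequest(requestUrl, opts) {
  const u = new URL(requestUrl);
  let key = `//${u.host}${u.pathname}`;
  while (key.length > "//".length) {
    const hit = opts[`${key}:_authToken`];
    if (hit !== undefined) return hit;
    // Drop the last path segment, or the trailing slash, and retry.
    key = key.replace(/([^/]+|\/)$/, "");
  }
  return undefined;
}

// Constructed sample values.
const TOKEN = "constructed-token";
const scoped = scopedAuthOptions("https://registry.npmjs.org", TOKEN);
const unscoped = { _authToken: TOKEN };

// The private package on the scoped registry gets the token.
console.log(tokenForRequest(
  "https://registry.npmjs.org/@grouparoo%2fui-enterprise", scoped));
// A request to any other host gets nothing.
console.log(tokenForRequest(
  "https://mirror.example.test/ui-enterprise.tgz", scoped));
// An unscoped token is not applied to any host.
console.log(tokenForRequest(
  "https://registry.npmjs.org/@grouparoo%2fui-enterprise", unscoped));
```

With pacote itself, the scoped options object is what gets passed as the second argument to `pacote.manifest`, as in the workaround quoted in the thread.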
