I am attempting to configure a project to install dependencies from NPM. I will be publishing the project to GitHub Packages as a private package. If I use this syntax in my project's .npmrc:
@my-org:registry=https://npm.pkg.github.com/
I can install dependencies from NPM using npm install on my local machine. However, I cannot publish to GitHub Packages using npm publish. NPM informs me that I'm not authenticated. If I use this syntax in my project's .npmrc:
registry=https://npm.pkg.github.com/my-org/
I can publish using npm publish, but I cannot install dependencies with npm install. NPM informs me that it's trying to install dependencies from GitHub Packages, rather than NPM.
Based on my reading, both syntaxes should be compatible with npm install and npm publish. However, it appears I can only use one or the other, based on my intended use.
Install Node v15.7.0 and NPM 7.4.3 via nvm.
Log in to GitHub Packages with the command:
npm login --scope=@my-org --registry=https://npm.pkg.github.com
Check our ~/.npmrc file in our home folder. It should read:
@my-org:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=<auth-token-used-for-login>
Create project with the following package.json:
{
"name": "@my-org/my-package",
"description": "A test.",
"version": "1.0.0",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"repository": {
"type": "git",
"url": "https://github.com/my-org/my-package.git"
},
"keywords": ["example"],
"author": "Me",
"license": "ISC",
"bugs": {
"url": "https://github.com/my-org/my-package/issues"
},
"homepage": "https://github.com/my-org/my-package",
"dependencies": {
"bootstrap": "^4.5.2"
}
}
Add the following .npmrc to our project:
@my-org:registry=https://npm.pkg.github.com/
Run npm install. Installation should succeed.
Run npm publish. Receive the following error:
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/my-user/.npm/_logs/2021-01-28T20_19_55_974Z-debug.log
Change the project .npmrc to:
registry=https://npm.pkg.github.com/my-org/
Run npm publish. Publishing should succeed.
rm -rf node_modules/ package-lock.json in project.
Run npm install. Receive following error:
npm ERR! code E401
npm ERR! Incorrect or missing password.
npm ERR! If you were trying to login, change your password, create an
npm ERR! authentication token or enable two-factor authentication then
npm ERR! that means you likely typed your password in incorrectly.
npm ERR! Please try again, or recover your password at:
npm ERR! https://www.npmjs.com/forgot
npm ERR!
npm ERR! If you were doing some other operation then your saved credentials are
npm ERR! probably out of date. To correct this please try logging in again with:
npm ERR! npm login
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/my-user/.npm/_logs/2021-01-28T20_38_20_711Z-debug.log
publishConfigUnfortunately, publishConfig doesn't fix the issue. It also doesn't address that the two .npmrc syntaxes produce different results.
.npmrc authTokenNPM's documentation states there is no need to include the authToken in the project .npmrc. Authenticating with npm login and storing the authToken in the global ~/.npmrc should be sufficient.
--registry command line flagI've found a workaround until the NPM bug affecting this issue is resolved. When using the following project .npmrc syntax:
@my-org:registry=https://npm.pkg.github.com/
If I run npm publish --registry=https://npm.pkg.github.com/, I can publish successfully. In addition, I can install dependencies without issue.
I found 2 problems in steps from 1 to 7.
package.json "publishConfig": {
"registry": "https://npm.pkg.github.com/"
}
.npmrc in step 5, I didn't see //npm.pkg.github.com/:_authToken=<auth-token-used-for-login>, remember // is not the comment. ; or # are for comments. https://docs.npmjs.com/cli/v6/configuring-npm/npmrc#commentsThis has been fixed in NPM 7.5.3 and above.
This has been confirmed as a bug on NPM 7.x. The team is currently working to fix the bug with their GitHub Pull Request #2602. Until this bug fix has been released, the best recommendation is to do one of the workarounds listed below.
--registry command line flagWhen running npm publish, add the --registry flag. This flag enables developers to specify the registry they're aiming to publish to, overriding .npmrc or package.json configurations. For the example listed in my question, the project .npmrc should contain:
@my-org:registry=https://npm.pkg.github.com/
Publishing will succeed when initiated by running:
npm publish --registry=https://npm.pkg.github.com/
According to npm developer wraithgar's comment on this bug's GitHub issue, you can use a dummy token for the default NPM registry to workaround this issue. In our project's .npmrc, add the following line:
//registry.npmjs.org/:_authToken=dummy
The full project .npmrc should contain:
//registry.npmjs.org/:_authToken=dummy
@my-org:registry=https://npm.pkg.github.com/
In the question, neither of the project .npmrc syntax's we've tried to use has designated a registry, because NPM's documentation states we don't have to. The documentation states that it'll check our global ~/.npmrc if there isn't one in our project .npmrc. The bug in NPM is causing NPM to check if a project .npmrc has designated a registry before it'll attempt to authenticate. In wraithgar's own words:
What happens is that currently the cli is only looking for your configured "registry" setting when seeing if you have logged in. So the temporary solution is either to override that setting (as you were doing by passing --registry), OR to add a token for the default (npm) registry so that the check for a token does not fail. The check is only looking for the presence of a token in the config, it's not validating it (that of course will happen when and if it is used during an actual request), so putting a dummy value in will stop the error until that PR lands.
After adding the dummy token, running npm publish and npm install should both succeed.