Azure Devops: Sudden failure of NPM package download - npm

Since 2 days a download/install (no changes to the env at all) fails in my azure devops pipeline:
npm ERR! code E404 npm ERR! 404 Not Found - GET
https://pkgs.dev.azure.com/.../NPM-Mirror/npm/registry/esprima-fb/-/esprima-fb-15001.1001.0-dev-harmony-fb.tgz
Cannot find the package 'esprima-fb' in feed '' npm ERR! 404 npm ERR! 404
'esprima-fb#https://pkgs.dev.azure.com/.../NPM-Mirror/npm/registry/esprima-fb/-/esprima-fb-15001.1001.0-dev-harmony-fb.tgz'
is not in this registry. npm ERR! 404 You should bug the author to
publish it (or use the name yourself!) npm ERR! 404 npm ERR! 404 Note
that you can also install from a npm ERR! 404 tarball, folder, http
url, or git URL.
which basically points to that package here:
https://www.npmjs.com/package/esprima-fb/v/15001.1001.0-dev-harmony-fb
The package was last changed 7 years ago and worked fine until Wednesday of this week (even the underlying source was not changed for a while).
I tried Node version 16 and 17, both have same effect.
I tried to install the package by
- task: Npm#1
displayName: 'NPM: install'
inputs:
command: 'ci'
workingDir: 'path/'
and
- task: Npm#1
displayName: 'NPM: install'
inputs:
command: 'install'
workingDir: 'path/'
none worked.
I've recognized that this version of the package is not downloaded to the Azure Artifacts Upstream Archive (only an older version is available).
Tried to recreate another Feed, also no effect. Tried to add the dependency directly into the package.json file - all showed no effect at all.
Do you have any idea how to fix that problem? I ran out of ideas.

Azure DevOps feed for npm package sometimes throws incorrect HTTP status code when encountering authentication issue (it should be 401 instead of 404).
Typically npm install issues with Azure DevOps relies on an expired PAT token into your project's .npmrc file.
To be sure npm is always hitting npmjs.org for public packages, I'd suggest scoping your private packages (the ones coming from Azure DevOps feed) and defining the npmjs.org registry for all the others.
#[your_private_package_scope]:registry=[your_feed_url]
registry=https://registry.npmjs.org/

Related

DevOps local npm ajv version has been deleted

We have an issue with devops upstream npm feed. We built and deployed our angular app a few month ago with no issues. We are now trying to build the project but its complaining the below error. This seems to be because the locally stored version of the upstream npm package, ajv version 6.12.6 has been deleted; due to a retention policy. We are unable to get it back, does anyone know how we get it back?
npm ERR! code E404
npm ERR! 404 Not Found - GET https://tfs.pkgs.visualstudio.com/_packaging/myproject/npm/registry/ajv/-/ajv-6.12.6.tgz - Cannot find the package 'ajv' in feed 'npm_***'
npm ERR! 404
npm ERR! 404 'ajv#https://tfs.pkgs.visualstudio.com/_packaging/myproject/npm/registry/ajv/-/ajv-6.12.6.tgz' is not in this registry.
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
The artifact view shows the below:
Update:
It would seem that there is no way to correct this! as mentioned here https://developercommunity.visualstudio.com/t/deleted-versions-of-upstream-packages-cannot-be-re/1620100
Fairly poor thought on DevOps part! So currently we are now pointing to the standard npm package url (https://registry.npmjs.org/) and not the dev ops artifact one; in order to get it to build again!
As you know, Azure DevOps feed has a immutability constraint. So there doesn't have any way to add the same version in the true sense at this moment.
Currently available methods are:
1, Create a new feed and download the package via this feed.
2, Download the package change the package info and publish to Artifact feed(As another package.)
3, Directly use the public source.
There is a suggestion ticket about this feature in official community:
Relax Azure Artifacts restriction on re-publishing versions
You can upvote this suggestion ticket and share your ideas in it.

Can't install a scoped package I published to a npm registry in GCP

I published several npm packages to a private npm registry hosted in GCP and I can see all versions in the registry. Yet I can't download the package since the install command throws an E404.
NPM throws a generic 404 Error when trying to download the page:
npm ERR! code E404
npm ERR! 404 Not Found - GET https://europe-north1-npm.pkg.dev/[Project]/#[scope]/[packagename]/-/#[scope]/[packagename]-0.1.0.tgz
npm ERR! 404
npm ERR! 404 '#[scope]/[packagename]#https://europe-north1-npm.pkg.dev/[Project]/#[scope]/[packagename]/-/#[scope]/[packagename]-0.1.0.tgz' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
Opening the url that is tring to resolve returns this error:
{"error":"Permission \"artifactregistry.repositories.downloadArtifacts\" denied on resource \"projects/[Project]/locations/europe-north1/repositories/#[scope]\" (or it may not exist)"}
{"error":"Unmatched scope name: \"\" != \"#[scope]\""}
Additonally, I checked and my account does in fact have to downloadArtifacts role.
I can't figure out why it's unable to resolve the URL since with the same config I'm able to both publish and even run npm view the package.
I've tried creating brand new packages, specifying a version, resetting the auth token and yet for some reason I'm still unable to download packages.
If it helps, my current .npmrc file looks like this:
registry:https://registry.npmjs.org/=true
#[scope]:registry=https://europe-north1-npm.pkg.dev/[project]/[repo name]/
//europe-north1-npm.pkg.dev/[project]/[repo name]/:_authToken=[gcp auth token]
//europe-north1-npm.pkg.dev/[project]/[repo name]/:always-auth=true
//registry.npmjs.org/:_authToken=[npm auth token]
Turns out this was not a GCP specific issue, but a Yarn Berry issue when publishing to GCP.
The tarballURL that is being generated uses a truncated registry URL which is why i was getting a 404 when trying to install the package.
A fix for this was proposed here.
https://github.com/yarnpkg/berry/pull/3513
I had an error similar to this one.
I did the entire repository creation process and created a new project to test the package.
When I tried npm install my-package I got a 404 error.
After some tests I discovered that I need the .npmrc file also in the project that will consume the package. It may seem kind of obvious to some people but I didn't know.
Add the returned configuration settings to the .npmrc configuration file in your Node.js projects. This file is usually in the same directory as package.json.
Make sure that you include these settings in Node.js projects for packages that you publish as well as projects that will install dependencies from your npm repository.
Set up authentication for npm

JFrog private registry fails to npm install

I'm having issues with JFrog NPM private repositories.
In our CI we configure the npm private registry and then do npm install like this:
- npm_private_registry https://DOMAIN.jfrog.io/DOMAIN/api/npm/npm-virtual/ $TOKEN
- npm install
This code works perfectly fine when we use the node:12.13.1 Docker image.
Our problem is that as soon as we change the image to a newer one, let's say node:12.16.1 then the npm install command fails.
We then get the following errors:
$ npm install
(wd=/builds/DOMAIN/APP)
npm WARN tar ENOENT: no such file or directory, open '/builds/DOMAIN/APP/node_modules/.staging/react-icons-921e2ffa/go/package.json'
npm WARN tar ENOENT: no such file or directory, open '/builds/DOMAIN/APP/node_modules/.staging/intl-58a6f707/locale-data/jsonp/gsw-FR.js'
...
...
...
npm ERR! Response timeout while trying to fetch https://DOMAIN.jfrog.io/DOMAIN/api/npm/npm-virtual/next (over 30000ms)
We tried various approaches already, but haven't been able to figure anything out just yet.
Does anyone have an idea where to start?
The issue seems quite generic. How is it possible to get timeouts on one version of the node image and no issues on another?
Thank you!
Seems like this link https://github.com/npm/cli/issues/1151 offers some explanation. The timeout got hardcoded down to 30000 ms in npm 16.4.0 via npm-registry-fetch. This has now been reverted to not timeout again https://github.com/npm/npm-registry-fetch/commit/fc5d94c39ca218d78df77249ab3a6bf1d9ed9db1. This fix is in 6.14.5 of npm https://github.com/npm/cli/releases/tag/v6.14.5.
In terms of default npm with node versions this means, releases 12.16.2 and 12.16.3 of node contain this problem via npm 6.14.4.

How can I authenticate a npm registry with azure devops build pipeline?

I have an app I'm creating a build pipeline for in Azure DevOps. It uses npm packages which are in a private npm registry (with code created from a different Azure DevOps organisation). When I run npm ci (or npm install) it fails with the following error:
npm ERR! code E401
npm ERR! Unable to authenticate, need: Bearer authorization_uri=https://login.windows.net/b2d01466-6e2c-4b55-8b90-e3ed41afca4a, Basic realm="https://pkgsproduks1.pkgs.visualstudio.com/", TFS-Federated
The specific packages which fail are the ones from the other organisation, which return a 401 when trying to get them.
I thought the best practice to authenticate this was to create a Service Connection within Azure DevOps. I've created a Personal Access Token within the organisation which hosts the npm packages, and used it to create a Service Connection in the organisation which contains my build pipeline. I then included it in my build pipeline yaml as follows:
- task: Npm#1
displayName: Install npm packages
inputs:
command: 'ci'
workingDir: 'Path/To/Working/Directory'
customEndpoint: 'Custom npm registry'
I've also tried using the npm authenticate build step before this (both with and without the customEndpoint: 'Custom npm registry' in the install step) and while the npm authenticate runs successfully it doesn't make any difference to the error I'm getting. I've also tried setting up the Service Connection to use my username and password rather than a PAT, but that made no difference either.
The .npmrc within my project is as follows (modified slightly):
registry=https://registry.npmjs.org/
#{scope}:registry=https://pkgs.dev.azure.com/{organisation}/_packaging/{feedName}/npm/registry/
#{scope}:always-auth=true
Can anyone see what's wrong with the authentication, or link to an article giving an example of doing this across multiple Azure DevOps organisations?
I just killed a few hours troubleshooting a similar NPM authentication issue with a hosted build agent for Azure DevOps.
I did have the NPM Authenticate job in the pipline, and I was still experiencing this error:
npm ERR! code E401
npm ERR! Unable to authenticate, your authentication token seems to be invalid.
npm ERR! To correct this please trying logging in again with:
npm ERR! npm login
As it turned, the project had a mixture of https://pkgs.dev.azure.com/<myorg>/_packaging and https://<myorg>.pkgs.visualstudio.com/_packaging (the legacy URL for the same NPM registry) in scattered .npmrc files.
Making them all to consistently use https://pkgs.dev.azure.com/<myorg>/_packaging had solved my problem.
The .npmrc should look like:
registry=https://pkgs.dev.azure.com/{organization}/{project}/_packaging/{feed}/npm/registry/
#{scope}:registry=https://pkgs.dev.azure.com/{otherorganization}/_packaging/{feed}/npm/registry/
#{otherscope}:registry=https://{thirdPartyRepository}/npm/registry/
always-auth=true

resolving NPM packages from a Bintray repo

I've created a private NPM repository on Bintray. I've added the necessary authentication credentials to ~/.npmrc by running
curl -u BINTRAY_USER:BINTRAY_API_TOKEN
https://api.bintray.com/npm/my-company/npm/auth/scope/my-company > ~/.npmrc
I've successfully deployed version 1.0.0 of a package named foo to this NPM repo, and have added it as a dependency to another project's `package.json
"dependencies": {
"#my-company/foo": "1.0.0"
}
But when I run npm install in this project, I get a 404 error
npm ERR! code E401
npm ERR! 401 Unauthorized: #my-company/foo#1.0.0
I can see that version 1.0.0 of foo has deployed when I login to the Bintray app, so why is resolution failing?
401 Unauthorized error usually occurs when wrong user id or credentials use.
it could be cache issue anyhow you can try run npm cache clean first and then re-run npm install or you can try with npm install -verbose which will show more information.
For the reference, the following .npmrc file works:
#my-company:registry=api.bintray.com/npm/my-company/npm
//api.bintray.com/npm/my-company/npm/:_authToken=BINTRAY_API_TOKEN
//api.bintray.com/npm/my-companyl/npm/:username=my.username
//api.bintray.com/npm/my-company/npm/:email=my#email.com
//api.bintray.com/npm/my-company/npm/:always-auth=true