We Keep Coding

How to publish a scoped npm package to gitlab's package registry in a group namespace via a CI/CD pipeline

I have a private dummy project in gitlab which I want to publish to gitlab's package registry. My dummy project contains four files:
package.json
{
"name": "#<my-group>/<my-project>",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"repository": {
"type": "git",
"url": "git+https://gitlab.com/<my-group>/<my-project>.git"
},
"keywords": [],
"author": "",
"license": "ISC",
"bugs": {
"url": "https://gitlab.com/<my-group>/<my-project>/issues"
},
"homepage": "https://gitlab.com/<my-group>/<my-project>#readme"
}
.gitlab-ci.yml
image: node:latest
stages:
- deploy
deploy:
stage: deploy
script:
- echo "#<my-group>:registry=https://${CI_SERVER_HOST}/api/v4/projects/${CI_PROJECT_ID}/packages/npm/">.npmrc
- echo "//${CI_SERVER_HOST}/api/v4/projects/${CI_PROJECT_ID}/packages/npm/:_authToken=${CI_JOB_TOKEN}">>.npmrc
- npm publish
index.js
console.log('success');
README.md
<my-project>
When I commit my project to gitlab, the job fails with the following output
npm notice package: #<my-group>/<my-project>#1.0.0
npm notice === Tarball Contents ===
npm notice 8B README.md
npm notice 20B index.js
npm notice 612B package.json
npm notice === Tarball Details ===
npm notice name: #<my-group>/<my-project>
npm notice version: 1.0.0
npm notice filename: <my-group>-<my-project>-1.0.0.tgz
npm notice package size: 475 B
npm notice unpacked size: 640 B
npm notice shasum: 7b3db...
npm notice integrity: sha512-xDv0dl9A86...
npm notice total files: 3
npm notice
npm notice Publishing to https://gitlab.com/api/v4/projects/<my-project-id>/packages/npm/ with tag latest and default access
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://gitlab.com/api/v4/projects/<my-project-id>/packages/npm/#<my-group>%2f<my-project> - insufficient_scope
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.
NOTE:
I have replaced the actual group name, project name and project id with <my-group>, <my-project>, and <my-project-id> in the code sections above.
I have followed gitlab's official documentation on setting this up (see https://docs.gitlab.com/ee/user/packages/npm_registry/) and believe that I can safely rule out the following:
I have made sure that Package registryis enabled in the project setup
I followed naming convention as described in the documentation
I am using a CI_JOB_TOKEN which should always be valid and should have appropriate permissions.
I made sure that there is no other package with the same name or version within the given scope.
I have made sure that the scoped package's URL includes a trailing slash (see gitlab-ci.yml above)
I have confirmed the path of the <my-group> namespace querying https://gitlab.com/api/v4/groups (just to make sure that the root namespace is correct)
I have used npm init --scope=#<my-group> --yes for initialization
The url of the repository is indeed: https://gitlab.com/<my-group>/<my-project>/
Any help on getting this to work would be much appreciated.

After changing from a job token ${CI_JOB_TOKEN} to a deploy token ${CI_DEPLOY_PASSWORD}, I was able to publish to the registry.
See Predefined variables reference for more info on predefined variables.
Gitlab deploy tokens can be created for projects under Settings > Repository > Deploy tokens with the following scopes: read_repository, read_package_registry, write_package_registry

How to ignore a package during npm audit?

My npm audit report shows handsontable as "no fix available".
I am trying to ignore the handsontable package by running npm audit --ignore handsontable or npm audit --ignore=handsontable
It is not ignoring the package.
Is there any flag to ignore certain packages during npm audit and npm audit fix

As of today, 21 Sept 2022, npm audit has 2 ways to filter vulnerabilities:
audit-level - sets the minimum level of vulnerability for npm audit to exit with a non-zero exit code.
omit - selects dependency types (dev/prod) to omit from the installation tree on disk.
You can see more about npm audit flags here.
There is no way to ignore specific vulnerabilities yet. I believe npm will have it soon, the discussion is still ongoing.
I recommend you to use the npm package better-npm-audit. Link here.
You can create a file .nsprc and ignore vulnerabilities by ID, CWE ID or GHSA ID as shown below:
{
"1337": {
"active": true,
"notes": "Ignored since we don't use xxx method",
"expiry": 1615462134681
},
"4501": {
"active": false,
"notes": "Ignored since we don't use xxx method"
},
"CWE-471": "CWE ID is acceptable",
"GHSA-ww39-953v-wcq6": "GHSA ID is acceptable",
"https://npmjs.com/advisories/1213": "Full or partial URL is acceptable too"
}

How do I install MathJax in GitBook?

I tried to install MathJax in GitBook with npm install mathjax#2.7.6.
$ npm install mathjax#2.7.6
npm WARN ml No description
npm WARN ml No repository field.
npm WARN ml No license field.
+ mathjax#2.7.6
updated 1 package and audited 1 package in 3.464s
found 0 vulnerabilities
I added the following codes to package.json.
"private": true,
"repository": {
"type": "git",
"url": "git://github.com/mathjax/MathJax.git"
},
Now the situation is,
$ npm install mathjax#2.7.6
+ mathjax#2.7.6
updated 1 package and audited 1 package in 4.6s
found 0 vulnerabilities
However it raised the error if (args[ii] == null) throw missingRequiredArg(ii) while running gitbook install.
info: installing plugin "mathjax-pro"
info: install plugin "mathjax-pro" (*) from NPM with version 0.0.6
C:\Users\SU\.gitbook\versions\3.2.3\node_modules\npm\node_modules\aproba\index.js:25
if (args[ii] == null) throw missingRequiredArg(ii)
^
Error: Missing required argument #1
at andLogAndFinish (C:\Users\SU\.gitbook\versions\3.2.3\node_modules\npm\lib\fetch-package-metadata.js:31:3)
at fetchPackageMetadata (C:\Users\SU\.gitbook\versions\3.2.3\node_modules\npm\lib\fetch-package-metadata.js:51:22)
at resolveWithNewModule (C:\Users\SU\.gitbook\versions\3.2.3\node_modules\npm\lib\install\deps.js:490:12)
at C:\Users\SU\.gitbook\versions\3.2.3\node_modules\npm\lib\install\deps.js:491:7
at C:\Users\SU\.gitbook\versions\3.2.3\node_modules\npm\node_modules\iferr\index.js:13:50
at C:\Users\SU\.gitbook\versions\3.2.3\node_modules\npm\lib\fetch-package-metadata.js:37:12
at addRequestedAndFinish (C:\Users\SU\.gitbook\versions\3.2.3\node_modules\npm\lib\fetch-package-metadata.js:67:5)
at returnAndAddMetadata (C:\Users\SU\.gitbook\versions\3.2.3\node_modules\npm\lib\fetch-package-metadata.js:121:7)
at pickVersionFromRegistryDocument (C:\Users\SU\.gitbook\versions\3.2.3\node_modules\npm\lib\fetch-package-metadata.js:138:20)
at C:\Users\SU\.gitbook\versions\3.2.3\node_modules\npm\node_modules\iferr\index.js:13:50 {
code: 'EMISSINGARG'
}
How do I install MathJax in GitBook?

Problems trying to install using npm: "core-js#<3 is no longer maintained"

I've been following along with a web dev tutorial and I'm stuck at this part: https://btholt.github.io/intro-to-web-dev-v2/libraries#building-your-code
I've been trying for a couple of days to install parcel-bundler and can't figure out what I'm doing wrong. I also tried Prettier and get the same errors. I'm so frustrated and running out of ideas.
I'm running npm 6.14.4 and node 12.16.2.
This is the error npm install -g parcel-bundler in Users/myName (Catalina 10.15):
npm WARN deprecated core-js#2.6.11: core-js#<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js#3.
npm WARN deprecated resolve-url#0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix#0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated request#2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
/Users/myName/.node_modules_global/bin/parcel -> /Users/myName/.node_modules_global/lib/node_modules/parcel-bundler/bin/cli.js
> parcel-bundler#1.12.4 postinstall /Users/myName/.node_modules_global/lib/node_modules/parcel-bundler
> node -e "console.log('\u001b[35m\u001b[1mLove Parcel? You can now donate to our open collective:\u001b[22m\u001b[39m\n > \u001b[34mhttps://opencollective.com/parcel/donate\u001b[0m')"
Love Parcel? You can now donate to our open collective:
> https://opencollective.com/parcel/donate
+ parcel-bundler#1.12.4
updated 1 package in 18.055s
And if I try to run parcel --help I'm told: -bash: parcel: command not found
So I try to fix that first warning. I list the links to the SO articles that I tried at the bottom. I tried deleting node_modules in home directory and doing npm install again. I tried npm install --save core-js#^3. I tried doing a forced clean cache and reinstalling. I tried npm update.
This is my package.json:
{
"name": "generic_package", <-- manually changed from myName
"version": "1.0.0",
"description": "Test description", <-- manually added to remove "no description" error
"main": ".mongorc.js",
"dependencies": {
"core-js": "^3.6.5", <-- looks like it's using >3v
"lodash": "^4.17.15",
"parcel-bundler": "^1.12.4", <-- looks like it's there??
"prettier": "^2.0.4"
},
"devDependencies": {},
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1",
"build": "node build/build.js" <-- manually added as per an SO article
},
"keywords": [],
"author": "",
"license": "ISC",
"repository": { <-- manually added this object as per an SO article
"type": "git",
"url": "https://github.com/npm/npm.git",
"private": true <-- manually added as per another SO article
}
}
Error: Please, upgrade your dependencies to the actual version of core-js#3
npm WARN deprecated core-js#2.6.11: core-js#<3 is no longer maintained and not recommended for usage due to the number of issues
npm WARN deprecated core-js#2.6.11
How to update core-js to core-js#3 dependency?
Problems installing express using npm.

The reason for the message npm WARN deprecated core-js#2.6.11: core-js#<3 is no longer maintained is because parcel-bundler has a transitive dependency on core-js#2.6.11, which is no longer supported.
It appears that parcel was installed correctly, so you should be able to run it. On Linux systems, it would have created a symlink under /usr/local/bin/parcel. Make sure that "/usr/local/bin" is in your PATH.
You can also run it as follows:
npm run-script parcel
On newer versions of NPM, you can run this:
npx parcel

how to solve:npm run build/dev: missing script?

I'm trying to run node, but for some reason the local npm install of node isn't working.
The package is there:
$ npm run dev npm ERR! Darwin 15.4.0
npm ERR! argv "/usr/local/Cellar/node/5.6.0/bin/node" "/usr/local/bin/npm" "run" "jshint"
npm ERR! node v5.6.0
npm ERR! npm v3.6.0
npm ERR! missing script: dev
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR! <https://github.com/npm/npm/issues>
npm ERR! Please include the following file with any support request:
npm ERR! /Users/me/workspace/testapp/npm-debug.log
I can work with npm install, but run npm dev is not correct.

You saw that error because there was probably not a script named dev in the "scripts" section of your package.json
npm install and npm run dev are two completely different ideas
npm install will run through dependencies section of the package.json and fetch/install the modules in that list
npm run dev will check the scripts section of the package.json and try to find a script titled "dev" and if there is no script named "dev" it will error out as you experienced (Dev is absolutely not a special word by the way, if you ever need to use the scripts section in a future project you can name the scripts anything you want.)
As an example, make a new folder and copy the following into a file named package.json inside of it
{
"name": "testapp",
"version": "1.0.0",
"description": "",
"scripts": {
"dev": "echo This is the DEV script",
"abc": "echo This is the abc script",
"xyz": "echo This is the xyz script",
"start":"echo This is the special start script"
}
}
From your terminal, cd into the directory you made containing that sample package.json and try the following commands and see what happens:
npm run dev you should see on your screen "This is the dev script"
npm run abc you see on your scree "This is the abc script"
npm run xyz you should see on your screen "This is the xyz script"
npm run linkxu1989 you should see on your screen a similar error to what you saw above since there's no script named "linkxu1989" in the scripts part of the package.json
npm start you should see on your screen "This is the special start script" (Note that start IS a special name. You can run with just npm start or with npm run start like all the others`
Bottom line: Check the "scripts" section of package.json and to run any of them just enter npm run SCRIPT_NAME
Hope that helps and good luck w/ NPM!
See here for more details
https://docs.npmjs.com/getting-started/using-a-package.json
http://browsenpm.org/package.json (don't worry about understanding everything in it, all you should think about at this point is what's in "dependencies"
http://jsonlint.com/ (If you ever manually edit a package.json, run it through this checker to help catch any formatting mistakes. The package.json is a "json" file so it needs to be in a PERFECT format which means no trailing commas, double quotes only, etc etc)
http://www.w3schools.com/js/js_json_syntax.asp

It means in your “package.json” (in the folder in which you run “npm run build”), there’s NO “build” script. A quick check: run “npm run lalala” in your terminal/command prompt. It will show “missing script: lalala”.
So if it’s your package, add the “build” script. Just go to the package.json in your code editor and add the key value entry as JSON.
If it’s a module/package you downloaded from npmjs.org, then refer to the documentation to see what command they support.
Note: “npm build” is a completely different command from “npm run build”. All “scripts” commands except start and test need to be run with “run”.