resolving NPM packages from a Bintray repo - npm

I've created a private NPM repository on Bintray. I've added the necessary authentication credentials to ~/.npmrc by running
curl -u BINTRAY_USER:BINTRAY_API_TOKEN https://api.bintray.com/npm/my-company/npm/auth/scope/my-company > ~/.npmrc
I've successfully deployed version 1.0.0 of a package named foo to this NPM repo, and have added it as a dependency to another project's package.json
"dependencies": {
  "@my-company/foo": "1.0.0"
}
But when I run npm install in this project, I get a 404 error
npm ERR! code E401
npm ERR! 401 Unauthorized: @my-company/foo@1.0.0
I can see that version 1.0.0 of foo has deployed when I login to the Bintray app, so why is resolution failing?

A 401 Unauthorized error usually occurs when the wrong user ID or credentials are used.
It could be a cache issue; you can try running npm cache clean first and then re-running npm install, or you can try npm install --verbose, which will show more information.
For reference, the following .npmrc file works:
@my-company:registry=https://api.bintray.com/npm/my-company/npm
//api.bintray.com/npm/my-company/npm/:_authToken=BINTRAY_API_TOKEN
//api.bintray.com/npm/my-company/npm/:username=my.username
//api.bintray.com/npm/my-company/npm/:email=my@email.com
//api.bintray.com/npm/my-company/npm/:always-auth=true

Related

Azure Devops: Sudden failure of NPM package download

For the past 2 days, a download/install (no changes to the env at all) has been failing in my Azure DevOps pipeline:
npm ERR! code E404
npm ERR! 404 Not Found - GET https://pkgs.dev.azure.com/.../NPM-Mirror/npm/registry/esprima-fb/-/esprima-fb-15001.1001.0-dev-harmony-fb.tgz Cannot find the package 'esprima-fb' in feed ''
npm ERR! 404
npm ERR! 404 'esprima-fb@https://pkgs.dev.azure.com/.../NPM-Mirror/npm/registry/esprima-fb/-/esprima-fb-15001.1001.0-dev-harmony-fb.tgz' is not in this registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git URL.
which basically points to that package here:
https://www.npmjs.com/package/esprima-fb/v/15001.1001.0-dev-harmony-fb
The package was last changed 7 years ago and worked fine until Wednesday of this week (even the underlying source was not changed for a while).
I tried Node version 16 and 17, both have same effect.
I tried to install the package by
- task: Npm@1
  displayName: 'NPM: install'
  inputs:
    command: 'ci'
    workingDir: 'path/'
and
- task: Npm@1
  displayName: 'NPM: install'
  inputs:
    command: 'install'
    workingDir: 'path/'
none worked.
I've recognized that this version of the package is not downloaded to the Azure Artifacts Upstream Archive (only an older version is available).
Tried to recreate another Feed, also no effect. Tried to add the dependency directly into the package.json file - all showed no effect at all.
Do you have any idea how to fix that problem? I ran out of ideas.
The Azure DevOps feed for npm packages sometimes returns an incorrect HTTP status code when it encounters an authentication issue (it should be 401 instead of 404).
Typically, npm install issues with Azure DevOps come down to an expired PAT token in your project's .npmrc file.
To be sure npm is always hitting npmjs.org for public packages, I'd suggest scoping your private packages (the ones coming from the Azure DevOps feed) and defining the npmjs.org registry for all the others.
@[your_private_package_scope]:registry=[your_feed_url]
registry=https://registry.npmjs.org/
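
An added example (not part of the answers above): a small Node.js audit of an .npmrc that reports which registry a dependency name resolves to, scoped registries with no credential under the matching URL prefix, credentials that match no registry, and secrets written literally. The sample config, the host and all function names are constructed for illustration.

```javascript
// Constructed sample .npmrc; the host and scope are placeholders.
const SAMPLE_NPMRC = `
registry=https://registry.npmjs.org/
@my-company:registry=https://feed.example.test/npm/my-company/npm/
//feed.example.test/npm/my-companyl/npm/:_authToken=\${FEED_TOKEN}
`;

// Parse key=value lines, skipping blanks and ';' or '#' comments.
function parseNpmrc(text) {
  return Object.fromEntries(text.split('\n').map((l) => l.trim())
    .filter((l) => l.indexOf('=') > 0 && !/^[;#]/.test(l))
    .map((l) => [l.slice(0, l.indexOf('=')).trim(), l.slice(l.indexOf('=') + 1).trim()]));
}

// Credentials are keyed by the registry URL minus its scheme, ending in '/'.
function credentialPrefix(registryUrl) {
  const u = new URL(registryUrl);
  return `//${u.host}${u.pathname.replace(/\/?$/, '/')}`;
}

// Registry a dependency resolves to: its scope's mapping, else the default.
function registryFor(pkgName, cfg) {
  const scope = pkgName.startsWith('@') ? pkgName.split('/')[0] : null;
  return (scope && cfg[`${scope}:registry`]) || cfg.registry || 'https://registry.npmjs.org/';
}

// Flag scoped registries without a credential, orphan credentials, literal secrets.
function auditNpmrc(text) {
  const cfg = parseNpmrc(text);
  const findings = [];
  const creds = Object.keys(cfg).filter((k) => /:_(authToken|auth|password)$/.test(k))
    .map((k) => ({ prefix: k.slice(0, k.lastIndexOf(':')), value: cfg[k] }));
  const scoped = Object.keys(cfg).filter((k) => k.endsWith(':registry'));
  const registries = [...scoped, 'registry'].filter((k) => cfg[k]).map((k) => credentialPrefix(cfg[k]));
  for (const k of scoped) {
    const prefix = credentialPrefix(cfg[k]);
    if (!creds.some((c) => prefix.startsWith(c.prefix))) // a parent-path credential counts
      findings.push(`no credential for ${k.split(':')[0]} at ${prefix}`);
  }
  for (const c of creds) {
    if (!registries.some((r) => r.startsWith(c.prefix)))
      findings.push(`credential ${c.prefix} matches no configured registry`);
    if (!/^\$\{\w+\}$/.test(c.value)) findings.push(`literal secret under ${c.prefix}`);
  }
  return findings;
}

console.log(auditNpmrc(SAMPLE_NPMRC));
```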

Can't install a scoped package I published to a npm registry in GCP

I published several npm packages to a private npm registry hosted in GCP and I can see all versions in the registry. Yet I can't download the package since the install command throws an E404.
NPM throws a generic 404 Error when trying to download the page:
npm ERR! code E404
npm ERR! 404 Not Found - GET https://europe-north1-npm.pkg.dev/[Project]/@[scope]/[packagename]/-/@[scope]/[packagename]-0.1.0.tgz
npm ERR! 404
npm ERR! 404 '@[scope]/[packagename]@https://europe-north1-npm.pkg.dev/[Project]/@[scope]/[packagename]/-/@[scope]/[packagename]-0.1.0.tgz' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
Opening the URL that it is trying to resolve returns this error:
{"error":"Permission \"artifactregistry.repositories.downloadArtifacts\" denied on resource \"projects/[Project]/locations/europe-north1/repositories/@[scope]\" (or it may not exist)"}
{"error":"Unmatched scope name: \"\" != \"@[scope]\""}
Additionally, I checked and my account does in fact have the downloadArtifacts role.
I can't figure out why it's unable to resolve the URL since with the same config I'm able to both publish and even run npm view the package.
I've tried creating brand new packages, specifying a version, resetting the auth token and yet for some reason I'm still unable to download packages.
If it helps, my current .npmrc file looks like this:
registry:https://registry.npmjs.org/=true
@[scope]:registry=https://europe-north1-npm.pkg.dev/[project]/[repo name]/
//europe-north1-npm.pkg.dev/[project]/[repo name]/:_authToken=[gcp auth token]
//europe-north1-npm.pkg.dev/[project]/[repo name]/:always-auth=true
//registry.npmjs.org/:_authToken=[npm auth token]
Turns out this was not a GCP specific issue, but a Yarn Berry issue when publishing to GCP.
The tarballURL that is being generated uses a truncated registry URL, which is why I was getting a 404 when trying to install the package.
A fix for this was proposed here.
https://github.com/yarnpkg/berry/pull/3513
I had an error similar to this one.
I did the entire repository creation process and created a new project to test the package.
When I tried npm install my-package I got a 404 error.
After some tests I discovered that I need the .npmrc file also in the project that will consume the package. It may seem kind of obvious to some people but I didn't know.
Add the returned configuration settings to the .npmrc configuration file in your Node.js projects. This file is usually in the same directory as package.json.
Make sure that you include these settings in Node.js projects for packages that you publish as well as projects that will install dependencies from your npm repository.
Set up authentication for npm

Issues with publishing npm package on private gitlab registry

I have a (test) npm package named @myScope/test which I want to publish into a private gitlab registry within a gitlab project whose address is
https://gitlab.<something>/myId/test-npm-registry/
with ID 9630
First, I'm a bit confused with npm login and .npmrc. If I understand correctly, answers given to npm login end up as a couple of lines in .npmrc, is that right?
So essentially, to instruct npm about authenticating to a registry, one can either:
manually edit .npmrc
use npm config set
use npm login
Based on what I read on the gitlab help, I've inserted the following lines into my .npmrc:
@myScope:registry=https://gitlab.<something>/api/v4/projects/9630/packages/npm/
'//gitlab.<something>/api/v4/projects/9630/packages/npm/:_authToken'="${GITLAB_AUTH_TOKEN}"
Note: I had to use the project ID, having issues with the url format.
I have also added the following bit into the package.json :
"publishConfig": {
  "@myScope:registry": "https://gitlab.<something>/api/v4/projects/9630/packages/npm/"
}
Finally, I've created a token in gitlab, with "api, read_api, read_registry, write_registry" rights and I have assigned the token to the GITLAB_AUTH_TOKEN variable:
GITLAB_AUTH_TOKEN="xk4L7xxvzHuykyKawxQZ"
When I do npm publish I'm getting the following message :
npm ERR! code E401
npm ERR! 401 Unauthorized - PUT https://gitlab.<something>/api/v4/projects/9630/packages/npm/@myScope%2ftest-npm-registry
npm ERR! A complete log of this run can be found in:
The logs don't help, nor does the verbose mode. Also, I don't get whether I have to perform an explicit npm login or whether the configuration in the .npmrc (with the token) should do the trick. I actually cannot do npm login because the username has an @ character in it and npm refuses it.
Any ideas?

NPM Login without manually entering the username, password & email

I have been able to login to my npm registry manually, ie: on my local machine - but for some reason it's not working when it goes through the CI. The problem here is that after I execute the npm login command, the program is waiting for the manual user input (username, password, email) and I couldn't find a way to send these inputs in the pipeline (where I can't make manual user input):
These are the different approaches I tried:
1. Copy the npm auth token from my local machine into the environment variables of the gitlab CI/CD Settings, and then just copy them into the global .npmrc at the root directory:
This results in an error (unauthenticated):
$ cd ~
$ pwd
/root
$ echo "//<my_registry_url>:_authToken=$NPM_AUTH_TOKEN" > ~/.npmrc
$ cat .npmrc
<my_registry_url>:_authToken=[MASKED] //<-- the masked value is correct, I had it unmasked before once by mistake...
$ npm whoami
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2021-03-02T14_29_00_728Z-debug.log
Cleaning up file based variables
00:00
ERROR: Job failed: exit code 1
2. Install npm-cli-login and pass the username, password and email in one line with the npm login command
$ npm install -g npm-cli-login
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
added 567 packages, and audited 568 packages in 46s
33 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
// trying to login now
$ npm-cli-login -u $USERNAME -p $API_KEY -e $EMAIL -r $REPOSITORY
info attempt registry request try #1 at 6:17:19 AM
http request PUT [MASKED]-/user/org.couchdb.user:<my correct username>
http 201 [MASKED]-/user/org.couchdb.user:<my correct username> // the login seems to have worked, at least I don't get an error
// then I go to the home directory to check the .npmrc file
$ cd ~
$ pwd
/root
$ cat .npmrc
//<my_registry_url>:_authToken=<eyJ...rest of token> // <-- so this was created correctly at my npm-cli-login command
// then I go back to the angular project folder
$ cd /builds/<my path>/app/src/main/ui
$ ls
README.md
angular.json
browserslist
debug.log
e2e
package.json
src
tsconfig.app.json
tsconfig.spec.json
// and when I now run npm install, it says I'm not authenticated
$ npm install
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated axios@0.20.0: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated fsevents@2.1.3: "Please update to latest v2.3 or v2.2"
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="Artifactory Realm" // <-- HERE IT FAILED
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2021-03-02T06_44_42_972Z-debug.log
Cleaning up file based variables
00:01
ERROR: Job failed: exit code 1
3. Using a here document like this in my gitlab-ci.yml:
- npm login --registry=<my_registry_url> << EOF
- $USERNAME
- $API_KEY
- $EMAIL
- EOF
This results in:
$ npm login --registry=<my_registry_url> << EOF
Username: npm WARN Name may not contain non-url-safe chars
Username: (echo $'\x1b[32;1m$ <my_username>\x1b[0;m') npm ERR! cb() never called!
npm ERR! This is an error with npm itself. Please report this error at:
npm ERR! <https://npm.community>
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2021-03-02T13_54_12_317Z-debug.log
ERROR: Job failed: exit code 1
The methods above were maybe not wrong at all, but somehow it only worked for me after using _auth instead of _authToken value in the .npmrc file.
This method is described here and on the jfrog confluence site.
After running this curl command I received everything that I needed to put into my global .npmrc file:
curl -u ${JFROG_USER}:${JFROG_ENCRYPTED_PASSWORD} https://${JFROG_ORG}.jfrog.io/artifactory/api/npm/auth
For anyone who's interested, the full script in my gitlab ci pipeline stage now looks like this:
script:
- npm -v
6.14.10
- node -v
v14.15.4
- cd ~
- pwd
/root
# install angular globally
- npm i -g @angular/cli
# create the config file '.npmrc' for authenticating at jFrog when running 'npm install'.
- cat > .npmrc
- echo _auth = ${NPM_AUTH_TOKEN} >> .npmrc <- This is the token that I received after running the curl command from the tutorial / link above
- echo always-auth = true >> .npmrc
- echo email = ${EMAIL} >> .npmrc
# the next line makes npm look for the packages that are annotated with @<my-private-repo> at the JFrog Repo.
- echo @<my-private-repo>:registry=${UI_JFROG_REGESTRY} >> .npmrc
# change back to the project folder.
- cd /builds/<my-project-folder>/ui
# install all packages + the <my-private-repo> package from JFrog.
- npm install
Instead of using npm login, which doesn't support non-interactivity, I used the auth URL and npmrc. However, I've only gotten this to work with private NPM repositories, and not with https://registry.npmjs.org/. I'm not sure what the AUTH url is for the public NPM registry. If someone finds the AUTH url for NPM, let me know :).
For private NPM repositories, you can avoid npm login by using:
curl -u $USERNAME:$ACCESS_TOKEN https://company.jfrog.io/artifactory/api/npm/auth > ~/.npmrc
This allows us to avoid unnecessary dependencies, and is a single-line-change to a CI job.
Tips:
You can adjust ~/.npmrc to .npmrc to affect the current project only.
For debugging, you can remove > ~/.npmrc and see what the output from the auth URL is.

Nexus manager, npm 401 Unauthorized

I'm trying to set up a nexus repository manager.
I have 3 npm repositories, private, proxy and a group of both (see images). Also I attached role's privileges and this is my .npmrc file:
registry = http://127.0.0.1:8081/repository/npm-group/
email = user@mail.com
always-auth = true
_auth = ZGV2OjEyMzQ1Ng==
When I try to do a "npm install" I get this error:
npm ERR! code E401
npm ERR! 401 Unauthorized: gulp-twig@^0.5.0
Without nexus, install ends successfully. I'm using this project template.
Any idea? What am I missing?
[Images: Private repository, Proxy repository, Group repository, Privileges]
It was a bug on my npm version (5.0.3), already fixed.
https://github.com/npm/npm/issues/16528
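
An added illustration (not code from any of the posts above) for the `_auth` and `_authToken` entries in the JFrog and Nexus configs: npm sends `_authToken` as a Bearer header and `_auth` as a Basic header, and an `_auth` value is only base64 of user:password. The sketch compares both with the `Basic realm` challenge quoted in the Artifactory 401 and masks credential values before an .npmrc is printed in a CI log; the sample credential, host and function names are constructed.

```javascript
// Constructed credential: base64 of "ci-bot:not-a-real-password" (placeholder values).
const SAMPLE_AUTH = Buffer.from('ci-bot:not-a-real-password').toString('base64');

// Map an .npmrc credential entry to the Authorization header npm sends for it.
function describeCredential(key, value) {
  const field = key.split(':').pop().trim();
  if (field === '_authToken') return { scheme: 'Bearer', header: `Bearer ${value}` };
  if (field !== '_auth') return null;
  // _auth is base64("user:password"), so reading the file yields the password.
  const decoded = Buffer.from(value, 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  return {
    scheme: 'Basic',
    header: `Basic ${value}`,
    username: decoded.slice(0, sep),
    passwordLength: decoded.length - sep - 1,
  };
}

// Compare the credential's scheme with the one named in a 401 challenge,
// such as the text npm prints after "need:". Only the scheme name is compared.
function matchesChallenge(cred, challenge) {
  return challenge.trim().split(/\s+/)[0].toLowerCase() === cred.scheme.toLowerCase();
}

// Mask credential values so an .npmrc can be printed in a CI log.
function redactNpmrc(text) {
  return text.replace(/^(\s*(?:\S*:)?_(?:authToken|auth|password)\s*=\s*).+$/gm, '$1***');
}

const challenge = 'Basic realm="Artifactory Realm"';
const basic = describeCredential('_auth', SAMPLE_AUTH);
const bearer = describeCredential('//registry.example.test/npm/:_authToken', 'constructed-token');
console.log(basic.username, matchesChallenge(basic, challenge), matchesChallenge(bearer, challenge));
console.log(redactNpmrc(`_auth = ${SAMPLE_AUTH}\nalways-auth = true`));
```

Because `_auth` decodes straight back to the password, it belongs in a masked CI variable with the same handling as the password itself.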