We Keep Coding

Azure Devops: Sudden failure of NPM package download

Since 2 days a download/install (no changes to the env at all) fails in my azure devops pipeline:
npm ERR! code E404 npm ERR! 404 Not Found - GET
https://pkgs.dev.azure.com/.../NPM-Mirror/npm/registry/esprima-fb/-/esprima-fb-15001.1001.0-dev-harmony-fb.tgz
Cannot find the package 'esprima-fb' in feed '' npm ERR! 404 npm ERR! 404
'esprima-fb#https://pkgs.dev.azure.com/.../NPM-Mirror/npm/registry/esprima-fb/-/esprima-fb-15001.1001.0-dev-harmony-fb.tgz'
is not in this registry. npm ERR! 404 You should bug the author to
publish it (or use the name yourself!) npm ERR! 404 npm ERR! 404 Note
that you can also install from a npm ERR! 404 tarball, folder, http
url, or git URL.
which basically points to that package here:
https://www.npmjs.com/package/esprima-fb/v/15001.1001.0-dev-harmony-fb
The package was last changed 7 years ago and worked fine until Wednesday of this week (even the underlying source was not changed for a while).
I tried Node version 16 and 17, both have same effect.
I tried to install the package by
- task: Npm#1
displayName: 'NPM: install'
inputs:
command: 'ci'
workingDir: 'path/'
and
- task: Npm#1
displayName: 'NPM: install'
inputs:
command: 'install'
workingDir: 'path/'
none worked.
I've recognized that this version of the package is not downloaded to the Azure Artifacts Upstream Archive (only an older version is available).
Tried to recreate another Feed, also no effect. Tried to add the dependency directly into the package.json file - all showed no effect at all.
Do you have any idea how to fix that problem? I ran out of ideas.

Azure DevOps feed for npm package sometimes throws incorrect HTTP status code when encountering authentication issue (it should be 401 instead of 404).
Typically npm install issues with Azure DevOps relies on an expired PAT token into your project's .npmrc file.
To be sure npm is always hitting npmjs.org for public packages, I'd suggest scoping your private packages (the ones coming from Azure DevOps feed) and defining the npmjs.org registry for all the others.
#[your_private_package_scope]:registry=[your_feed_url]
registry=https://registry.npmjs.org/

Can't install a scoped package I published to a npm registry in GCP

I published several npm packages to a private npm registry hosted in GCP and I can see all versions in the registry. Yet I can't download the package since the install command throws an E404.
NPM throws a generic 404 Error when trying to download the page:
npm ERR! code E404
npm ERR! 404 Not Found - GET https://europe-north1-npm.pkg.dev/[Project]/#[scope]/[packagename]/-/#[scope]/[packagename]-0.1.0.tgz
npm ERR! 404
npm ERR! 404 '#[scope]/[packagename]#https://europe-north1-npm.pkg.dev/[Project]/#[scope]/[packagename]/-/#[scope]/[packagename]-0.1.0.tgz' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
Opening the url that is tring to resolve returns this error:
{"error":"Permission \"artifactregistry.repositories.downloadArtifacts\" denied on resource \"projects/[Project]/locations/europe-north1/repositories/#[scope]\" (or it may not exist)"}
{"error":"Unmatched scope name: \"\" != \"#[scope]\""}
Additonally, I checked and my account does in fact have to downloadArtifacts role.
I can't figure out why it's unable to resolve the URL since with the same config I'm able to both publish and even run npm view the package.
I've tried creating brand new packages, specifying a version, resetting the auth token and yet for some reason I'm still unable to download packages.
If it helps, my current .npmrc file looks like this:
registry:https://registry.npmjs.org/=true
#[scope]:registry=https://europe-north1-npm.pkg.dev/[project]/[repo name]/
//europe-north1-npm.pkg.dev/[project]/[repo name]/:_authToken=[gcp auth token]
//europe-north1-npm.pkg.dev/[project]/[repo name]/:always-auth=true
//registry.npmjs.org/:_authToken=[npm auth token]

Turns out this was not a GCP specific issue, but a Yarn Berry issue when publishing to GCP.
The tarballURL that is being generated uses a truncated registry URL which is why i was getting a 404 when trying to install the package.
A fix for this was proposed here.
https://github.com/yarnpkg/berry/pull/3513

I had an error similar to this one.
I did the entire repository creation process and created a new project to test the package.
When I tried npm install my-package I got a 404 error.
After some tests I discovered that I need the .npmrc file also in the project that will consume the package. It may seem kind of obvious to some people but I didn't know.
Add the returned configuration settings to the .npmrc configuration file in your Node.js projects. This file is usually in the same directory as package.json.
Make sure that you include these settings in Node.js projects for packages that you publish as well as projects that will install dependencies from your npm repository.
Set up authentication for npm

Issues with publishing npm package on private gitlab registry

I have a (test) npm package named #myScope/test which I want to publish into a private gitlab registry within a gitlab project whose address is
https://gitlab.<something>/myId/test-npm-registry/
with ID 9630
First, I'm a bit confused with npm login and .npmrc. If I understand correctly, answers given to npm login end-up as a couple of lines into .npmrc, is that right?
So essentially, to instruct npm about authenticating to a registry, one can either:
manually edit .npmrc
use npm config set
use npm login
Based on what I read on the gitlab help, I've inserted the following lines into my .npmrc:
#myScope:registry=https://gitlab.<something>/api/v4/projects/9630/packages/npm/
'//gitlab.<something>/api/v4/projects/9630/packages/npm/:_authToken'="${GITLAB_AUTH_TOKEN}"
Note: I had to use the project ID, having issues with the url format.
I have also added the following bit into the package.json :
publishConfig":{
"#myScope:registry": "https://gitlab.<something>/api/v4/projects/9630/packages/npm/"
}
Finally, I've created a token in gitlab, with "api, read_api, read_registry, write_registry" rights and I have assigned the token to the GITLAB_AUTH_TOKEN variable:
GITLAB_AUTH_TOKEN="xk4L7xxvzHuykyKawxQZ"
When I do npm publish I'm getting the following message :
npm ERR! code E401
npm ERR! 401 Unauthorized - PUT https://gitlab.<something>/api/v4/projects/9630/packages/npm/#myScope%2ftest-npm-registry
npm ERR! A complete log of this run can be found in:
The logs doesn't help, nor does the verbose mode. Also, I'm not getting if I have to perform an explicit npm login or if the configuration in the .npmrc (with the token) should do the trick. I actually cannot do npm login because the username has an # character in it and npm refuses it.
Any ideas ?

npm install of private package fails when package has public dependencies

Lets say I have a private npm repository, hosted within JFrog artifactory:
https://my-domain.com/artifactory/api/npm/my-repo.
In this repository I published one npm package: my-package, which builds fine. my-package has a dependency (or more) to public npm packages e.g. lodash.
However, when I create a new project and attempt to install my-package I get the following error:
$ npm install my-package --registry https://my-domain.com/artifactory/api/npm/my-repo
npm ERR! code E404
npm ERR! 404 Not Found - GET https://my-domain.com/artifactory/api/npm/my-repo/lodash - not_found
npm ERR! 404
npm ERR! 404 'lodash^4.17.11' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 It was specified as a dependency of 'my-package'
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\<username>\AppData\Roaming\npm-cache\_logs\2019-04-29T12_47_51_647Z-debug.log
It appears as though npm is searching within my private repository for all the dependencies my-package requires when I specify the --registry option when running an npm install. However, my-package is dependent upon public dependencies, which are not in my private registry.
My Question
How to install an npm package from a private registry that has public dependencies? Perhaps this is also just a JFrog issue?
Any help would be greatly appreciated!

By specifying a registry with: --registry https://my-domain.com/artifactory/api/npm/my-repo npm is attempting to resolve all necessary packages, by name and version, from your private repository location:
domain.com/artifactory/api/npm/my-repo.
To resolve these public dependencies which your private library depends upon you have two options:
Set up a Virtual Npm Registry. (Recommend this approach)
Package all necessary dependencies within your private repository.
A Virtual Repository defined in Artifactory aggregates packages from both local and remote repositories. This allows you to access both locally hosted npm packages and remote proxied npm registries from a single URL defined for the virtual repository.
By setting up a virtual repository which references both your private repository location and the default public npmjs location you will be able to download your private libraries as well as any public npm package by specifying your above mentioned registry.
Since you mentioned JFrog take a look at their confluence page which walks you through the process of creating a virtual repository.
However, if you decide to use option 2 you will have to package all the necessary dependencies within your private repository. Then your private library will be able to properly pull the dependencies it's dependent upon. I would advise against this approach since you will be duplicating work already provided by npmjs and you will additionally have to keep updating your private repository to include new libraries or newer versions of existing libraries.
Hopefully that helps!

My solution...
involved updating my .npmrc file:
I changed registry=https://npm.pkg.my-domain.com
to #my-private-scope:registry=https://npm.pkg.my-domain.com
Here's why
In it, I had specified that registry=https://npm.pkg.my-domain.com (followed by my auth token) so that I could import a private package from the #my-private-scope scope. However since i left at the #my-private-scope: part, I was changing the URL for all decencies, not just the ones that are part of my private organization. I made the change to specify the my-domain URL for only the dependencies at that scope.

resolving NPM packages from a Bintray repo

I've created a private NPM repository on Bintray. I've added the necessary authentication credentials to ~/.npmrc by running
curl -u BINTRAY_USER:BINTRAY_API_TOKEN
https://api.bintray.com/npm/my-company/npm/auth/scope/my-company > ~/.npmrc
I've successfully deployed version 1.0.0 of a package named foo to this NPM repo, and have added it as a dependency to another project's `package.json
"dependencies": {
"#my-company/foo": "1.0.0"
}
But when I run npm install in this project, I get a 404 error
npm ERR! code E401
npm ERR! 401 Unauthorized: #my-company/foo#1.0.0
I can see that version 1.0.0 of foo has deployed when I login to the Bintray app, so why is resolution failing?

401 Unauthorized error usually occurs when wrong user id or credentials use.
it could be cache issue anyhow you can try run npm cache clean first and then re-run npm install or you can try with npm install -verbose which will show more information.
For the reference, the following .npmrc file works:
#my-company:registry=api.bintray.com/npm/my-company/npm
//api.bintray.com/npm/my-company/npm/:_authToken=BINTRAY_API_TOKEN
//api.bintray.com/npm/my-companyl/npm/:username=my.username
//api.bintray.com/npm/my-company/npm/:email=my#email.com
//api.bintray.com/npm/my-company/npm/:always-auth=true