
yarn not using `auth` property in .npmrc on different registry url

Open joeattardi opened this issue 6 years ago • 3 comments

Do you want to request a feature or report a bug? bug

What is the current behavior?

My company has a Nexus registry that hosts the package binaries. However, we access this registry through a proxy.

That is, the registry URL is set to https://nexus-proxy.mycompany.com/nexus/content/groups/npm-all/. When looking up a package on there, the URL to the binary points to the registry server itself, e.g. https://nexus.mycompany.com/nexus/content/groups/npm-all/somepackage/-/somepackage-0.1.0.tgz.

The basic authentication is stored base64 encoded in the .npmrc file.

The URL of the registry proxy is set as the registry in both .npmrc and .yarnrc.

When running a yarn or yarn add, the proxy is accessed no problem (returns a 200), but when going to download the actual binary from the actual registry server, a 401 is returned, I imagine because the authentication information is not being sent to the other URL.

What is the expected behavior? yarn should pass the authentication information to the other URL when downloading binaries.

npm install does this properly, as do older versions of yarn (I tried 0.27.5).

Please mention your node.js, yarn and operating system version.

  • node 8.11.4
  • yarn 1.15.2
  • OS: MacOS Mojave

joeattardi, Apr 11 '19 18:04

:sparkles: This is an old work account. Please reference @brandonchinn178 for all future communication :sparkles:


My company is also using Nexus, and instead of adding credentials to .npmrc or .yarnrc, we set the registry to https://<username>:<password>@nexus.build-leapyear.com/....

It seems like whenever we run bin/yarn.sh install --frozen-lockfile when our package.json specifies a version that's not in the lockfile, we get this 401 error. e.g.

// package.json
"foo": "0.2.0"

// yarn.lock
[email protected]
  ...

(this happens because we're using yarn workspaces, and maybe someone adds a dependency on their branch, but master upgraded that dependency and updated the lockfile to only include the new version)

We noticed that when running with --verbose, we see a bunch of

verbose 1.xxxxx Performing "GET" request to "https://<username>:<password>@nexus.build-leapyear.com/..."

logs, but then later we see

verbose 1.xxxxx Performing "GET" request to "https://nexus.build-leapyear.com/..."

which is the command that fails. Possibly some branch in yarn-registry resolution doesn't account for user credentials?

brandon-leapyear, Mar 19 '20 00:03

After a year, this still happens. From --verbose I see that it gets the repository URL, but it fails to actually use the npm token, although it is specified in the file and npm install passes successfully.

yhaskell, Apr 15 '20 07:04

Same issue. yarn config list shows the token too...

stevenroussey-privicy, Oct 07 '20 20:10
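A diagnostic for the situation reported in this thread, as an added example that is not part of the issue or of yarn's code: it scans a yarn.lock (v1 format) for `resolved` tarball URLs whose origin differs from the configured registry, the case in which the reporter saw the 401, and strips any `user:password@` part before reporting. The function names and the lockfile text are constructed for illustration; the host names are the ones used in the report.

```javascript
// Added example (not yarn's code): flag yarn.lock v1 entries whose tarball
// origin differs from the configured registry origin.
function redact(rawUrl) {
  const u = new URL(rawUrl);
  u.username = '';   // drop inline credentials so the report is safe to paste
  u.password = '';
  u.hash = '';       // drop the "#<hash>" suffix yarn appends to resolved URLs
  return u.toString();
}

function findCrossOriginTarballs(registryUrl, lockText) {
  const registryOrigin = new URL(registryUrl).origin;
  const findings = [];
  let entry = null;
  for (const line of lockText.split(/\r?\n/)) {
    // Entry headers are unindented and end with ':' (for example foo@^1.0.0:).
    if (/^\S.*:$/.test(line)) {
      entry = line.slice(0, -1).replace(/"/g, '');
      continue;
    }
    const m = /^\s+resolved\s+"([^"]+)"/.exec(line);
    if (!m || entry === null) continue;
    const tarball = new URL(m[1]);
    if (tarball.origin !== registryOrigin) {
      findings.push({
        entry,
        tarball: redact(m[1]),
        hasInlineCredentials: tarball.username !== '',
      });
    }
  }
  return findings;
}

// Constructed sample lockfile using the host names from the report.
const SAMPLE_LOCK = `# yarn lockfile v1

somepackage@^0.1.0:
  version "0.1.0"
  resolved "https://nexus.mycompany.com/nexus/content/groups/npm-all/somepackage/-/somepackage-0.1.0.tgz#0000"

other@^1.0.0:
  version "1.0.0"
  resolved "https://nexus-proxy.mycompany.com/nexus/content/groups/npm-all/other/-/other-1.0.0.tgz#0000"
`;
const REGISTRY = 'https://nexus-proxy.mycompany.com/nexus/content/groups/npm-all/';

console.log(JSON.stringify(findCrossOriginTarballs(REGISTRY, SAMPLE_LOCK), null, 2));
```

Only `somepackage` is reported for the sample, because its tarball is served from `nexus.mycompany.com` while the registry is `nexus-proxy.mycompany.com`.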