yarn icon indicating copy to clipboard operation
yarn copied to clipboard
verified publisher icon yarnpkg

Adding a scoped package under a custom alias that does not include the scope fails to send auth headers.

Open austin-rausch opened this issue 6 years ago • 5 comments

Bug description

Yarn install for a custom aliased package that is private and scoped does not send auth headers. When adding the scope to the alias name, or include always_auth it will send auth headers. Command

yarn install

What is the current behavior?

When trying to install a scoped private package as an alias without the scope, yarn install is not sending auth headers causing a 404 on install.

What is the expected behavior?

The install should not 404, and instead should send auth headers along with the request.

The npm registry should not use the package name for an aliased package, it should use the target package, E.G. "some-alias": "npm:@some-scope/[email protected]", Should use @some-scope/some-package not some-alias See: https://github.com/yarnpkg/yarn/blob/b07a19b961dc9521fd15d18f62e30990d4945f28/src/registries/npm-registry.js#L157

Steps to Reproduce

  1. Add an aliased package at an alias name that does not have the scope, E.G.yarn add some-alias@npm:@some-scope/[email protected] that has a scope and requires authorization
  2. Attempt to yarn install
  3. Receive 404 error

Environment

  • Node Version: 12.14.0
  • Yarn v1 Version: 1.2.1
  • OS and version: macOS High Sierra version 10.13.6

austin-rausch avatar Feb 28 '20 20:02 austin-rausch

Here is a workaround for the issue: https://github.com/yarnpkg/yarn/issues/8130#issuecomment-636281053

alexk111 avatar Jun 06 '20 14:06 alexk111

I encountered the problem too, It bothers me a lot. Does anyone have any temporary solution for it?

laggage avatar Mar 04 '21 10:03 laggage

@laggage

If you make the alias have a scope it will send the authentication header, E.G.

"@some-scope/some-package_1_0_0": "npm:@some-scope/[email protected]",

Since the alias name / key name / package identity (which is the part that gets used for the isScopedPackage) has the scope it will send the auth headers.

The work around linked above is strange, to depend on the cache for the install, and since the linked issue above is closed as its fixed in v2 this seems to be the path forward. Can't say I agree with closing the linked issue.

austin-rausch avatar Mar 04 '21 17:03 austin-rausch

There's plenty of people sill using [email protected] - this should be fixed imo. Just ran into this issue and spent half a day trying to figure out what was causing it.

gamedevsam avatar Mar 21 '22 22:03 gamedevsam

Sadly, me and my team also lost a day of work due to this issue.

wstmp avatar Sep 12 '24 11:09 wstmp