yarn does not honor authentication settings in .npmrc

[carlosduclos]

Do you want to request a feature or report a bug?
BUG
What is the current behavior?
Yarn does not honor .npmrc
If the current behavior is a bug, please provide the steps to reproduce.
We require authentication for one of our repositories and we used to do this by specifying the authentication in .npmrc. This worked up to 0.28.4 but broke in 1.0.0

What is the expected behavior?
Honoring the authentication settings in .npmrc

Please mention your node.js, yarn and operating system version.
It happens after upgrading yarn to 1.0.0/1.0.1 (have tried both versions). Regardless of OS and nodejs version.

[BYK]

This should be fixed in 1.0.2 which was released yesterday. Can you give it a spin?

[beardedtim]

@BYK I am experiencing the same issues as above and as mentioned at the end of #4157 . I tried running 1.0.2 and failed with 404. Running on 0.27.5 works as expected.

[KidkArolis]

Could you paste your npmrc file here so we could try to reproduce (obviously edit out secrets or other private info)

[beardedtim]

@KidkArolis while trying to get my working dir as clean as possible, it somehow fixed the issue? 🙃

Steps I took:

• Delete yarn.lock and any yarn-error.log files
• Delete node_modules/
• brew link yarn and yarn --version to ensure I was at 1.0.2
• yarn

That seems to have worked. I am going to chalk this up as a user error on mine and my team's end.

[stieg]

@beardedtim What about if you now blow away node_modules but keep yarn.lock and then run yarn install? Does it all work then? This is in part what #4157 tracks but may be related to the larger issue at hand?

[kmoe]

I am experiencing this issue (404 on private scoped repo, whichever registry I use) for yarn versions 1.0.1, and 1.0.2. Version 0.27.5 worked after clearing some artifacts.

I have tried all the workarounds discussed in #4157. Happy to post logs if it will help.

[beardedtim]

@stieg I will try that later today when I get a free moment around lunch and post results. I believe I still got the 404 error but I've tried so many things at this point, who knows!

[solkaz]

Has anyone found a solution to this?

[perlun]

FWIW: I tried with:

• Wiping my node_modules
• Wiping ~/.yarn
• curl -o- -L https://yarnpkg.com/install.sh | bash to reinstall yarn 1.0.2
• yarn install - no errors, it installed everything flawlessly.

My ~/.yarnrc:

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


registry "https://registry.npmjs.org"
email [email protected]
lastUpdateCheck 1505977814820
username some-user

And my ~/.npmrc:

//registry.npmjs.org/:_authToken=a-valid-uuid

The yarn.lock references look like this in my particular case:

  resolved "https://registry.npmjs.org/@acme/some-module/-/some-module-0.1.1.tgz#valid-git-sha"

[solkaz]

Interesting. After putting the registry in my .yarnrc file, I was able to install my packages. However, I removed it to check if that was the culprit, and it still was successful (I deleted my cache so Yarn had to download it, and it managed to do so correctly).

[perlun]

I tried on a fresh install (Debian this time, the other was macOS) and having these settings in ~/.npmrc and ~/.yarnrc worked equally well there. (Note: I did not try npm login or yarn login.)

[BYK]

Closing as people reporting this was resolved. Reopen with concrete reproduction steps if it is not resolved for you @carlosduclos please.

[paraboom]

@BYK I had the same problem.
I used the clean install of the latest yarn version.
And it starts working after I added registry "https://registry.npmjs.org" to ~/.yarnrc.
I think it's a bug and it should be solved automatically, not manually, as we did.

[kmoe]

@BYK It may help to note that everyone who has "reported as resolved" has used the workaround of forcing yarn to use the https://registry.npmjs.org registry.

I think there is still a problem retrieving private packages from the https://registry.yarnpkg.com registry, however, and this is the default registry used by yarn (is it still just a reverse proxy? perhaps it's not honouring auth headers?).

Concrete reproduction steps

0. Delete/move your .npmrc and .yarnrc files so yarn is using the default config.
1. Locate a package published privately to the npm registry.
   1a. If you have downloaded/published it from the same machine you are testing yarn from, clear the npm and yarn caches.
2. Run npm login or yarn login to populate the auth token.
3. Using any yarn version after 0.27.5, try to install this package.

Expected results

Package installs successfully.

Actual results

❤ @up ➜  REPO git:(master) ★ yarn add @SCOPE/PACKAGE 
yarn add v1.1.0
info No lockfile found.
[1/5] Validating package.json...
[2/5] Resolving packages...
error An unexpected error occurred: "https://registry.npmjs.org/@SCOPE%2fPACKAGE: Not found".
info If you think this is a bug, please open a bug report with the information provided in "/home/katy/dev/REPO/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.

[awkaiser]

If project maintainers find @kmoe's instructions to be reproducible, this ticket should be reopened (at least for the sake of existing subscribers).

[perlun]

I agree with @kmoe, the underlying issue is not fixed even in recent versions of yarn. Please reopen the issue. Yes, we have a workaround, but workaround != solution in this case.

[perlun]

FWIW, this is still a problem in 1.1.0. I just verified it (came back here for the workaround, namely registry "https://registry.npmjs.org" being added to ~/.yarnrc)

[stewx]

I am having this problem in yarn 1.3.2 and it is breaking our builds right now. It worked fine on yarn 0.27.5.

We require an auth token from the .npmrc file to install packages from our Artifactory private registry.

Reproduction steps:

1. Have an .npmrc file with authentication info in it like:

registry=https://artifactory.mycompany.com/artifactory/api/npm/npm-virtual
_auth = myAuthTokenHere
always-auth = true
email = [email protected]

2. Run yarn install
3. Get HTTP 401 error when yarn is trying to install stuff from the private registry:

error An unexpected error occurred: "https://artifactory.mycompany.com/api/npm/npm-virtual/@angular/compiler/-/compiler-4.3.1.tgz: Request failed \"401 Unauthorized\"".

[stewx]

Related: #4672

[jamesone]

@stewx I'm also having the same problem on 1.3.2. Did you find a fix or a way around it?

[stewx]

@jamesone Nope, I downgraded to something like 0.27. It's a deal-breaker for our project.

[Bnaya]

@stewx @jamesone
Add registry "https://registry.npmjs.org" in your .yarnrc and reinstall the private packages
It will tell yarn to work directly with npmjs registry and it will solve the issue

[awkaiser]

It feels so wrong to version lock at 0.27.5 just to circumvent this one issue, but it seems like many are doing just that or redirecting registry config (although @stewx is reporting that does not solve for self-hosted private registries).

If frequent project contributors don't have time to fix this in the short term, would somebody be willing to suggest codebase location(s) where a fix is most likely to succeed, in the hopes that a community PR will be opened? 🤔

/cc @kittens @bestander @BYK @arcanis @rally25rs @kaylieEB

[TheLudd]

@Bnaya When you say reinstall, do you mean remove node_modules in your project or clear yarn cache?

[Bnaya]

yarn remove yourprivatepackage; yarn add yourprivatepackage

And in the lock file you will see https://registry.npmjs.org/*** url and not https://registry.yarnpkg ***

I would suggest adding the .yarnrc next to your package.json

[liana-p]

Happening to me too, I was hoping I could get it to work with only .npmrc, but it only works when adding .yarnrc, so we have to duplicate the config just for yarn.

[kalbert312]

I think this is what I'm running into. It works when .npmrc is in the home directory, but not in the project directory (needed for jenkins/travis).
#8034

[cyrus-za]

This solved it for me: #4451 (comment)

[4r7d3c0]

Make sure you don't have /name after the registry when setting the scoped one:

- @4r7d3c0:registry=https://npm.pkg.github.com/4r7d3c0
+ @4r7d3c0:registry=https://npm.pkg.github.com

As per doc, registry=https://npm.pkg.github.com/OWNER, I overlooked that the owner doesn't need to be there when setting the scope. NPM could handle it, but yarn couldn't.

[alexk111]

For those who use aliases check this workaround: #8130 (comment)

[dvdotsenko]

Had to split user-level .npmrc and project-level .npmrc to make yarn respect GitHub package tokens. Moving named registry declarations from user-level to project-level was the key

Contents of ~/.npmrc

_auth=#####TOKEN_FOR_ARTIFACTORY#####
always-auth=true
registry=https://artifactory.mycompany.net/artifactory/api/npm/npm/
//npm.pkg.github.com/:_authToken=####GitHub_NPM_REGISTRY_TOKEN#####

Contents of ~/projects/blah/.npmrc

@mycompany:registry=https://npm.pkg.github.com

Until i moved the ^ named family package registry entry to project-level .npmrc, yarn install was giving me 401 (for GH-hosted packages under @mycompany). Now it does not.

For Docker build mount them separately:

base.Dockerfile:

# syntax=docker/dockerfile:1-experimental
## ^ need to enable --mount=type=secret support

ARG BASE_IMAGE
FROM ${BASE_IMAGE} as build

# note that only project-level .npmrc is copied
COPY package.json yarn.lock .npmrc ./

# ~/.npmrc with actual secrets is mounted as "secret" (does not stay in image)
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc,required \
    yarn install --production --frozen-lockfile ...

Docker build command:

DOCKER_BUILDKIT=1 docker build \
		--build-arg BASE_IMAGE=$(BASE_IMAGE) \
 		--secret id=npmrc,src="$(HOME)/.npmrc" \
		-t $(IMAGE_NAME):$(IMAGE_TAG) \
		-f base.Dockerfile .

(Note, that i did NOT need .yarnrc for this to work, but i am on yarn 1.17.3 so things may be different for other versions)

[viceice]

I've digged a little bit arround and it seems yarn uses the wrong auth credentials.

~/.npmrc

//npm-old.visualon.de/npm/vo-npm/:_password=XXXXXX
//npm-old.visualon.de/npm/vo-npm/:username=kriese
//npm-old.visualon.de/npm/vo-npm/:always-auth=true

//npm-new.visualon.de/:_authToken="XXXXXX"

package.json

{
  "name": "yarn-auth",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "tslib": "^2.0.1",
    "moment": "2.20.1"
  }
}

yarn.lock

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


[email protected]:
  version "2.20.1"
  resolved "https://npm-old.visualon.de/npm/vo-npm/moment/-/moment-2.20.1.tgz#d6eb1a46cbcc14a2b2f9434112c1ff8907f313fd"
  integrity sha1-1usaRsvMFKKy+UNBEsH/iQfzE/0=

tslib@^2.0.1:
  version "2.0.1"
  resolved "https://npm-new.visualon.de/tslib/-/tslib-2.0.1.tgz#410eb0d113e5b6356490eec749603725b021b43e"
  integrity sha512-SgIkNheinmEBgx1IUNirK0TUD4X9yjjBRTqqjggWCU3pUEqIk3/Uwl3yRixYKT6WjQuGiwDv4NomL3wqRCj+CQ==

While trying to install yarn sends the bearer token from npm-new.visualon.de to npm-old.visualon.de. So it semms yarn only compares the base domain.

[msolovyov]

If anyone still faces it, this is what worked for me.

.npmrc:
always-auth=true
@orgaccount:registry=https://npm.pkg.github.com
registry=https://registry.yarnpkg.com

https://npm.pkg.github.com/:_authToken=yyyyjjjjj3333888etc

[BenteleFlorian]

Not sure if anyone faces a similar problem, but maybe this will help someone save a bit of time:

I am using Azure Artifacts as a private registry and had set up the PAT and .npmrc files as documented there.
Nevertheless, I was running into the same issue that npm install was working perfectly, but yarn install runs into the 401 Error all the time.
After a bit of try and error It turned out the I had a special character in my Registry URL (...@Local/...) but Azure Artifacts resolves this to the Unicode representation within their setup guide. npm handles this just fine, yarn not so much. Setting the actual @ character in the URL, solved my problem.

[Yuri6037]

Yarn is really a weird tool: Found another bug with the same kind of issues. I think I know why is yarn so bugged with custom package registries.

I successfully got yarn to download and install properly any private package from a gitlab private registry. To do it you need to specify absolutely ALL redirections with the same token! Yarn is unable to infer the token based on the base address. It infers tokens based on the FULL address - the package name.

Example:

Won't work cause when downloading package the client is redirected to //gitlab.xxxx.yyy/api/v4/projects/z/packages/npm/ but here is the problem the other address is not exactly matched in the rc file

always-auth=true
//gitlab.xxxx.yyy/api/v4/packages/npm/:_authToken=whatever

@organization:registry=https://gitlab.xxxxx.yyy/api/v4/packages/npm/

Will work; now all addresses are explicitely using the same token

always-auth=true
//gitlab.xxxx.yyy/api/v4/packages/npm/:_authToken=whatever
//gitlab.xxxx.yyy/api/v4/projects/z/packages/npm/:_authToken=whatever

@organization:registry=https://gitlab.xxxxx.yyy/api/v4/packages/npm/

[viceice]

I've seen this too, yarn only supports one auth per domain 😕

[royi-frontegg]

This is still an issue...
everything worked up great for me in bitbucket pipelines. Then one day the pipeline broke and we're stuck

[arcanis]

This behavior won't be changed in the 1.x line. Starting from 2.x, Yarn now exclusively reads from the .yarnrc.yml file, never from .npmrc. It also supports different tokens for different urls.

https://yarnpkg.com/getting-started/migration

[uvirk]

@arcanis I appreciate you closing this - but I have a similar error when using Yarn 2 and .yarnrc.yml with a private Azure Artifacts repo.

If you set

yarnPath: ".yarn/releases/yarn-berry.cjs"
npmScopes:
      <companyname>:
        npmPublishRegistry: https://pkgs.dev.azure.com/<companyname>/_packaging/<companyname>/npm/registry/
        npmRegistryServer: https://pkgs.dev.azure.com/<companyname>/_packaging/<companyname>/npm/registry/
        npmAlwaysAuth: true
        npmAuthIdent: 'base64(<companyname>:<auth-token-taken-from-user-npmrc-file>)'
nodeLinker: node-modules

I continue to receive this error:

➤ YN0001: │ HTTPError: @:@npm:1.3.0: Response code 405 (Method Not Allowed)
at se. (C:\Source\Repos<companyname>\web.yarn\releases\yarn-berry.cjs:23:10082)
at runMicrotasks ()
at processTicksAndRejections (internal/process/task_queues.js:94:5)

Do you have any ideas associated?

I have followed the steps highlighted in yarnpkg/berry#316 to no avail.

[uvirk]

@arcanis any update on this error? Your help is greatly appreciated!

[merceyz]

Try commenting on the V2 issue so that people using Azure Artifacts there can help

[mscottx88]

@BenteleFlorian your suggestion was the answer here. Those ADO setup tips still encode @ as %40. If you see %40 in your URL, change it to @ and yarn install worked for us with just .npmrc file.

Before

https://pkgs.dev.azure.com/foo/_packaging/bar%40Local/npm/registry/

After

https://pkgs.dev.azure.com/foo/_packaging/bar@Local/npm/registry/

[slhck]

Came here with the same issue on a private Verdaccio registry, none of this solved it.

Found a solution and wrote it up here: #6405 (comment)

Basically, make sure that no auth token for registry.npmjs.org is in your global ~/.npmrc.

[Diluka]

• if no cache and no lock, the yarn install will success.
• if no cache and has lock, will failed
• if has cache and has lock, will success

yarn only use token from .npmrc for the first time

[angel-git]

• if no cache and no lock, the yarn install will success.
• if no cache and has lock, will failed
• if has cache and has lock, will success

I have this exact case, if i try to build with no yarn.lock, works fine if i use the yarn.lock it fails

@Diluka you had any luck on fixing this?

[Diluka]

• if no cache and no lock, the yarn install will success.
• if no cache and has lock, will failed
• if has cache and has lock, will success

I have this exact case, if i try to build with no yarn.lock, works fine if i use the yarn.lock it fails

@Diluka you had any luck on fixing this?

This problem is the token not stored in lock file. And it will use only the url stored in lock file to download packages. So I do this in Dockerfile...

ADD .npmrc .

RUN yarn add [email protected]
RUN yarn add [email protected]

ADD package.json .
ADD yarn.lock .

RUN yarn

[meet-freetrade]

In .npmrc file add below

//npm.pkg.github.com/:_authToken=your_token
//registry.yarnpkg.com/:_authToken=your_token

Will work in every case

[tekhedd]

I successfully got yarn to download and install properly any private package from a gitlab private registry. To do it you need to specify absolutely ALL redirections with the same token! Yarn is unable to infer the token based on the base address. It infers tokens based on the FULL address - the package name.

THIS WORKS (QFE, because it's actually the solution)

always-auth=true
//gitlab.xxxx.yyy/api/v4/packages/npm/:_authToken=whatever

@organization:registry=https://gitlab.xxxxx.yyy/api/v4/packages/npm/

I have reproduced this behavior. Note that leaving out the trailing slashwill also cause a 401 auth fail.

THIS DOES NOT WORK FOR ME:

//gitlab.xxxx.yyy/api/v4/packages/npm:_authToken=whatever
@organization:registry=https://gitlab.xxxxx.yyy/api/v4/packages/npm

Maybe this is documented behavior? I'm not an expert! :) The _authToken line and the registry line must match exactly and have a trailing slash. I missed this solution because when I tried it, I did not use a trailing slash. (A trailing slash is not necessary for other functionality to work, so it never occurred to me this could be a problem with auth.)

This is with yarn 1.22.

In unrelated news:

Note that recent versions of NPM will loudly complain if _authToken is specified globally and not with a domain. This will cause some packages to fail to install, and is correct behavior. However, most of the online advice for working around this issue suggest using a bare _authToken= in .npmrc, which yarn still accepts. Then, later, one of my packages will error out because it's not actually a valid .npmrc. So... I thought I would mention that here next to the rest of the code that works for me for searching. I think it is likely people will migrate to yarn 2 and this behavior will not be updated, so... THIS. :)

YARN ACCEPTS THIS BUT NPM NO LONGER DOES, WHICH BREAKS PACKAGES:

always-auth=true
_authToken=whatever
@organization:registry=https://gitlab.xxxxx.yyy/api/v4/packages/npm

(Props to Yuri6037. You made my week.)