cli
cli copied to clipboard
npm
[BUG] npm ci doesn't use registry configured in .npmrc
Is there an existing issue for this?
- [X] I have searched the existing issues
This issue exists in the latest npm version
- [X] I am using the latest npm
Current Behavior
We use a Nexus OSS as npm private repository.
We configure our .npmrc to use this repository. We've got a package-lock.json which contains reference to npm.registry.com and to npm.fontawesome.com through "resolved" attributes.
When we use "npm ci" , we ve got an Error 401 because npm try to connect to npm.fontawesome.com instead of our private repository. ( 401 is due to auth required by npm.fontawesome.com)
All npm packages from default npm.registry.com are correctly fetch by our private repository
Expected Behavior
"npm ci" should respect registry override declared in .npmrc
To avoid this problem, I use sed command to remove "resolved" attributes:
sed -i 's#^.*"resolved".*##' package-lock.json
By removing this attribute, "npm ci" fetch package through private repository
Steps To Reproduce
-
In this environment .npmrc with private repository configured
-
With this config... File package-lock.json referencing another repository
-
Run 'npm ci'
-
See error... npm ERR! code E401 npm ERR! Incorrect or missing password. npm ERR! If you were trying to login, change your password, create an npm ERR! authentication token or enable two-factor authentication then npm ERR! that means you likely typed your password in incorrectly. npm ERR! Please try again, or recover your password at: npm ERR! https://www.npmjs.com/forgot npm ERR! npm ERR! If you were doing some other operation then your saved credentials are npm ERR! probably out of date. To correct this please try logging in again with: npm ERR! npm login
npm ERR! A complete log of this run can be found in: npm ERR! C:\Users\username\AppData\Local\npm-cache_logs\2022-07-16T13_42_28_616Z-debug-0.log
5 In debug log
4118 verbose stack HttpErrorAuthUnknown: Unable to authenticate, need: Basic realm="https://npm.fontawesome.com/",service="npm.fontawesome.com" 4118 verbose stack at C:\Users\username\AppData\Roaming\npm\node_modules\npm\node_modules\npm-registry-fetch\lib\check-response.js:78:17 4118 verbose stack at processTicksAndRejections (node:internal/process/task_queues:96:5) 4119 verbose statusCode 401 4120 verbose pkgid @fortawesome/pro-solid-svg-icons@https://npm.fontawesome.com/@fortawesome/pro-solid-svg-icons/-/5.15.4/pro-solid-svg-icons-5.15.4.tgz 4121 verbose cwd D:\git\project 4122 verbose Windows_NT 10.0.22000 4123 verbose node v16.13.2 4124 verbose npm v8.14.0 4125 error code E401 4126 error Incorrect or missing password. 4127 error If you were trying to login, change your password, create an 4127 error authentication token or enable two-factor authentication then 4127 error that means you likely typed your password in incorrectly. 4127 error Please try again, or recover your password at: 4127 error https://www.npmjs.com/forgot 4127 error 4127 error If you were doing some other operation then your saved credentials are 4127 error probably out of date. To correct this please try logging in again with: 4127 error npm login 4128 verbose exit 1
Environment
- npm: 8.14.0
- Node.js: v16.13.2
- OS Name: Windows 11
- System Model Name: Dell XPS
- npm config: npm config ls ; "builtin" config from C:\Users\username\AppData\Roaming\npm\node_modules\npm\npmrc
prefix = "C:\Users\username\AppData\Roaming\npm"
; "user" config from C:\Users\username.npmrc
@fortawesome:registry=http://private-nexus:8081/repository/npm-fontawesome/ registry = "http://private-nexus:8081/repository/npm/"
; node bin location = C:\Program Files\nodejs\node.exe
; node version = v16.13.2
; npm local prefix = D:\git\project
; npm version = 8.14.0
; cwd = D:\git\project
; HOME = C:\Users\username
; Run npm config ls -l to show all defaults.
Thanks for answer. Btw something seems to be wrong, why it works for package from default registry ans not for the others. .npmrc is used for override registry which is done partially. And each time we want to update package-lock.json we need to not to forget this option.
same issue happend,did anyone help to resolve this? the behavior is
if i remove some package from package-lock.json and run arborist.reify,it will user npmjs.org to patch package-lock to complete.but i expect use the registry in my npmrc or self defined host
it will cause a new error, when i reify a package in private registry,it always get meta data from npmjs official
Thanks for answer. Btw something seems to be wrong, why it works for package from default registry ans not for the others. .npmrc is used for override registry which is done partially. And each time we want to update package-lock.json we need to not to forget this option.
i fond this from documentation that passing registry as option when create instance,it's works for me.
const arb = new Arborist({
registry: 'http://registry.com',
});
@wraithgar you wrote :
You are going to need to re-create your lockfile with the --omit-lockfile-registry-resolved flag
It means it is an action to do on the developer side, so it will be forgotten at some point.
Will something like the git "insteadOf" a possible option in the future in the ~/.npmrc ?
registry.insteadOf.https://npmjs.com=http://my.registry/personal
Thanks for answer. Btw something seems to be wrong, why it works for package from default registry ans not for the others. .npmrc is used for override registry which is done partially. And each time we want to update package-lock.json we need to not to forget this option.
i fond this from documentation that
passing registry as option when create instance,it's works for me.const arb = new Arborist({ registry: 'http://registry.com', });
I just found this option while investigating an install issue in my CI that randomly fails doing lookups on registry.npmjs.org even though we host a private registry and configure npm to use it
FetchError: Invalid response body while trying to fetch https://registry.npmjs.org/@types%2fbabel__traverse: read ECONNRESET
Is there a reason arborist does not use the npmrc-configured registry? Should it do so?
