cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon npm

[BUG] publish with workspaces doesn't respect access controls

Open tschaub opened this issue 1 year ago • 2 comments

Is there an existing issue for this?

It looks like this is the same issue as #3268, although the error I'm getting is different, and it appears that the fix in 4a4fbe33c51413adcd558b4af6f1e204b1b87e41 is specific to the error.

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

I am trying to use workspaces where a number of the packages should not be published (they have "private": true in their package.json). I would like to run a single command that publishes all of the non-private packages. I was hoping this would work:

npm publish --workspaces

When I try this, I get this error:

npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in to https://registry.npmjs.org/
npm ERR! need auth You need to authorize this machine using `npm adduser`

I found #3268 and was hoping that #3285 might have addressed the issue, but it that fix was specific to the EPRIVATE error code. In this case I am seeing ENEEDAUTH.

Expected Behavior

I was hoping that npm publish --workspaces could be used to publish all workspace packages except those that have "private": true in their package.json.

Steps To Reproduce

  1. create a package with two workspaces, one named do-not-publish and one named @example/package
  2. in the package.json for the do-not-publish package, add "private": true
  3. run npm logout && npm login --registry=https://npm.pkg.github.com --scope=@example
  4. run npm publish --workspaces
  5. See npm ERR! code ENEEDAUTH

It looks like the ENEEDAUTH error is thrown for the do-not-publish package even though it includes "private": true. I assume this only happens when the user is not already authenticated with the default registry. In my case, it is occurring in a CI job where an auth-token is only provided for a non-default registry (where the scoped packages are published).

Environment

  • npm: 10.2.4
  • Node.js: 21.5.0

tschaub avatar Feb 03 '24 16:02 tschaub

I just got this error today. I then renamed the workspace do-not-publish to @example/do-not-publish as a workaround. npm should first determine whether to publish, rather than authentication.

chehsunliu avatar Apr 09 '24 17:04 chehsunliu

@chehsunliu - I arrived at the same workaround (giving everything the same scope). And I agree that it feels like npm should first determine what needs to be published and then only authenticate with registries for which there are packages to publish.

tschaub avatar Apr 09 '24 22:04 tschaub

6278fe430bb7c3ecfae730f9ea084501e57c0e2c

vegeta321311 avatar Jun 01 '24 03:06 vegeta321311