
Yarn doesn't send authorization header when resolution swaps an unscoped package for a scoped package

Open KristjanTammekivi opened this issue 1 year ago • 2 comments

Hi,

I swapped out a package for a private forked version and started getting 404 errors in CI. After a lot of debugging I found that it happens because yarn checks for isScopedPackage on the original package name, not the replaced one. https://github.com/yarnpkg/yarn/blob/master/src/registries/npm-registry.js#L164

How to replicate: Swap out an unscoped package for a private scoped package.

"resolutions": {
    "**/somepackage": "npm:@someorg/somepackage@*"
},

Run yarn. This will work the first time, but running yarn cache clean && rm -rf node_modules && yarn will produce a 404.

KristjanTammekivi Jul 12 '23 14:07

I see a similar issue, for something like:

"dependencies": {
  "somepackage": "npm:@someorg/somepackage@^0.1.2"
}

Getting a 403 Forbidden error on yarn install. npm i works without errors.

mlazari Dec 18 '23 10:12

Same here, getting 403 when running yarn install with an already existing yarn.lock; without yarn.lock it's working normally.

kamil-sienkiewicz-asi Apr 12 '24 12:04
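An added example, not part of the issue thread and not Yarn's own code: a Node.js check that lists the package.json entries matching the pattern in the first two posts, where an unscoped name is swapped via an npm: alias for a scoped package. The helper names, the handling of resolution key paths and the sample manifest are assumptions made for illustration.

```javascript
// Added example, not Yarn's code: flag unscoped names aliased (npm:) to scoped packages.

// A package name is scoped when it has the form "@scope/name".
function isScoped(name) {
  return /^@[^/]+\/[^/]+$/.test(name);
}

// Resolution keys may be paths such as "**/somepackage" or
// "parent/@org/child"; the package being replaced is the last name in the path.
function requestedName(key) {
  const parts = key.split('/');
  const last = parts.pop();
  const prev = parts.pop();
  return prev !== undefined && prev.startsWith('@') ? `${prev}/${last}` : last;
}

// "npm:@someorg/somepackage@*" -> "@someorg/somepackage"; null if not an alias.
function aliasTarget(spec) {
  if (typeof spec !== 'string' || !spec.startsWith('npm:')) return null;
  const rest = spec.slice(4);
  const at = rest.indexOf('@', 1); // skip the leading "@" of a scope
  return at === -1 ? rest : rest.slice(0, at);
}

function findScopeSwaps(manifest) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies', 'resolutions'];
  const hits = [];
  for (const field of fields) {
    for (const [key, spec] of Object.entries(manifest[field] || {})) {
      const from = requestedName(key);
      const to = aliasTarget(spec);
      if (to && !isScoped(from) && isScoped(to)) hits.push({ field, key, from, to });
    }
  }
  return hits;
}

// Constructed sample manifest combining the two snippets from this thread.
const sampleManifest = {
  dependencies: {
    somepackage: 'npm:@someorg/somepackage@^0.1.2',
    '@someorg/other': 'npm:@someorg/other-fork@1.0.0', // scoped -> scoped, not flagged
    plain: '^1.0.0',
  },
  resolutions: { '**/somepackage': 'npm:@someorg/somepackage@*' },
};

findScopeSwaps(sampleManifest).forEach((h) => console.log(`${h.field}: "${h.key}" (${h.from}) -> ${h.to}`));
```

Entries it reports are the ones to re-test with a clean cache, as in the replication steps of the first post.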