setup-node: .npmrc file with registry= not overwritten and causing 401 error

Example: https://github.com/rynz/node-test-protocol/pull/6

In this example there is an empty .npmrc, and when it is populated with registry= an error occurs:

npm ERR! 401 Unauthorized - GET https://npm.pkg.github.com/rynz/prettier - could not retrieve user by token

For whatever reason, the registry= is not being removed correctly like https://github.com/actions/setup-node/blob/master/src/authutil.ts#L41 is supposed to do.

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 5
  • Comments: 17 (2 by maintainers)

Most upvoted comments

I’m having a hard time believing that the registry line is not removed.

A config that will work both locally and in actions is to avoid specifying registry-url or scope in the with line, so that .npmrc is not modified, and use an explicit config in .npmrc.

@owner:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=$OWNER_TOKEN

Assign OWNER_TOKEN from ${{secrets.GITHUB_TOKEN}} in actions, and assign it from a PAT locally.

Reopening because I’ve found the documentation that causes the bug in the first place: https://help.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-npm-for-use-with-github-packages#publishing-a-package-using-a-local-npmrc-file

It states to use registry=https://npm.pkg.github.com/OWNER, whereas we should be using OWNER:registry=https://npm.pkg.github.com/. Perhaps the documentation should be updated?

Hello everyone. I’m going to close the issue because official GitHub documentation was updated. If you have any concerns feel free to ping us.

@joebowbeer This is my working .npmrc file

always-auth=true
registry=https://registry.npmjs.org/
_authToken=***
@wingspanhq:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=***

Your scoped registry should be defined as:

@rynz:registry=https://npm.pkg.github.com/

I think it is a bug that setup-node tries to remove registry. That is the default registry for non-scoped dependencies, which should be unrelated to your private packages.

I think setup-node should only be removing the lines that it is redefining.

@bryanmacfarlane To avoid confusion, I think the doc needs improvement, as I wrote:

https://github.com/actions/setup-node/issues/87#issuecomment-593000328

Also, I expect setup-node has problems when the .npmrc already exists and contains registry entries. If not, the doc should better explain setup-node’s mods to pre-existing .npmrc.

@0xc0d3r great. I was going to suggest always-auth=true and a trailing slash at end of registry url…
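
Added example (not part of the thread and not setup-node's own code): a small .npmrc check that flags the unscoped registry= line pointing at GitHub Packages described in the report, a scoped registry with no matching _authToken line, and a token written as a literal instead of an environment reference. The rule names, function names and sample inputs are constructed for illustration.

```javascript
// Added example: rule names and sample inputs are constructed for illustration.
const GITHUB_PACKAGES_HOST = 'npm.pkg.github.com';

// Return the host of a registry URL, or null if the value is not a URL.
function hostOf(value) {
  try { return new URL(value).host; } catch { return null; }
}

// Split .npmrc text into { key, value } pairs, skipping blanks and comments.
function parseNpmrc(text) {
  return text.split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !/^[#;]/.test(line) && line.includes('='))
    .map((line) => {
      const i = line.indexOf('=');
      return { key: line.slice(0, i).trim(), value: line.slice(i + 1).trim() };
    });
}

function lintNpmrc(text) {
  const entries = parseNpmrc(text);
  const findings = [];
  // Hosts covered by a "//host/:_authToken=" line.
  const authHosts = new Set(entries
    .map(({ key }) => key.match(/^\/\/([^/]+)\/.*:_authToken$/))
    .filter(Boolean)
    .map((m) => m[1]));

  for (const { key, value } of entries) {
    if (key === 'registry' && hostOf(value) === GITHUB_PACKAGES_HOST) {
      // Unscoped packages (prettier in the report) would be fetched from here.
      findings.push({ rule: 'default-registry-is-github-packages', key });
    }
    const scoped = key.match(/^(@[^:]+):registry$/);
    if (scoped && hostOf(value) && !authHosts.has(hostOf(value))) {
      findings.push({ rule: 'scope-missing-auth', key });
    }
    // Assumption: a value of the form $VAR or ${VAR} is an environment reference.
    if (key.endsWith('_authToken') && !/^\$(\w+|\{\w+\})$/.test(value)) {
      findings.push({ rule: 'literal-token', key });
    }
  }
  return findings;
}

// Constructed samples: the form the issue reports, and the form the thread recommends.
const REPORTED = 'registry=https://npm.pkg.github.com/rynz\n';
const RECOMMENDED = '@owner:registry=https://npm.pkg.github.com\n' +
  '//npm.pkg.github.com/:_authToken=$OWNER_TOKEN\n';
console.log(lintNpmrc(REPORTED), lintNpmrc(RECOMMENDED));
```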