lerna: Lerna doesn't work with NPM automation tokens
When I properly set up npm credentials inside of GitHub Actions, and use an npm automation token (which normally supports write actions), lerna fails when verifying npm auth, even though npm is properly authenticated for publishing:
$ lerna publish patch
....
lerna info Verifying npm credentials
lerna http fetch GET 403 https://registry.npmjs.org/-/npm/v1/user 241ms
403 Forbidden - GET https://registry.npmjs.org/-/npm/v1/user
lerna ERR! EWHOAMI Authentication error. Use `npm whoami` to troubleshoot.
When I switch to a read-write npm token (with OTP turned off), lerna works fine.
It appears lerna does not support npm automation tokens. It would be nice if it did, that way people won’t be inclined to turn off OTP on their human tokens.
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Reactions: 55
- Comments: 15 (5 by maintainers)
Commits related to this issue
- chore(lerna publish): add --no-verify-access flag Lerna's call to `npm whoami` when publishing fails for automation tokens See https://github.com/lerna/lerna/issues/2788 This is an attempt at a sugge... — committed to jrhender/ew-did-registry by jrhender 3 years ago
- chore: fix rc publishing Lerna doesn't work with npm automation tokens out of the box, need to disable auth verification for the time being. Refs: https://github.com/lerna/lerna/issues/2788 — committed to ipfs/js-ipfs-unixfs by achingbrain 3 years ago
- chore: fix rc publishing (#119) Lerna doesn't work with npm automation tokens out of the box, need to disable auth verification for the time being. Refs: https://github.com/lerna/lerna/issues/278... — committed to ipfs/js-ipfs-unixfs by achingbrain 3 years ago
- chore: fix rc publishing Lerna doesn't work with npm automation tokens out of the box, need to disable auth verification for the time being. Refs: https://github.com/lerna/lerna/issues/2788 — committed to ipfs/js-ipfs by achingbrain 3 years ago
- chore: fix rc publishing (#3561) Lerna doesn't work with npm automation tokens out of the box, need to disable auth verification for the time being. Refs: https://github.com/lerna/lerna/issues/27... — committed to ipfs/js-ipfs by achingbrain 3 years ago
- chore: do not verify npm access before publishing The `npm/v1/user` endpoint is not accessible for npm automation tokens and since we are using an automation token, we need to disable the lerna acces... — committed to xing/hops by ZauberNerd 3 years ago
- chore: do not verify npm access before publishing The `npm/v1/user` endpoint is not accessible for npm automation tokens and since we are using an automation token, we need to disable the lerna acces... — committed to xing/hops by ZauberNerd 3 years ago
- chore: do not verify npm access before publishing The `npm/v1/user` endpoint is not accessible for npm automation tokens and since we are using an automation token, we need to disable the lerna acces... — committed to xing/hops by ZauberNerd 3 years ago
- chore: do not verify npm access before publishing The `npm/v1/user` endpoint is not accessible for npm automation tokens and since we are using an automation token, we need to disable the lerna acces... — committed to xing/hops by ZauberNerd 3 years ago
- make lerna work with automation token references https://github.com/lerna/lerna/issues/2788 — committed to CovOpen/CovQuestions by DanielHabenicht 3 years ago
- ci: add no-verify-access https://github.com/lerna/lerna/issues/2788 — committed to trieb-work/config by chronark 3 years ago
- ci: allow lerna publish with npm automation token see https://github.com/lerna/lerna/issues/2788 for more info — committed to iartemiev/amplify-js by iartemiev 3 years ago
- ci: allow lerna publish with npm automation token (#8021) see https://github.com/lerna/lerna/issues/2788 for more info — committed to aws-amplify/amplify-js by iartemiev 3 years ago
- fix(cli): add --no-verify-access to lerna publish (#7038) Refs: https://github.com/lerna/lerna/issues/2788 Co-authored-by: Colin Ihrig <colihrig@amazon.com> — committed to aws-amplify/amplify-cli by cjihrig 3 years ago
- fix(cli): add --no-verify-access to lerna publish (#7038) Refs: https://github.com/lerna/lerna/issues/2788 Co-authored-by: Colin Ihrig <colihrig@amazon.com> — committed to aws-amplify/amplify-cli by cjihrig 3 years ago
- Update package.json added `--no-verify-access` flag per this thread: https://github.com/lerna/lerna/issues/2788 — committed to w3c-ccg/universal-wallet-interop-spec by kimdhamilton 3 years ago
- chore(ci): publish with --no-verify-access see https://github.com/lerna/lerna/issues/2788 — committed to vuetifyjs/vuetify by KaelWD 3 years ago
- ci: fix lerna npm publish caused by new npm_token => automation which can't be used by lerna to test authentication https://github.com/lerna/lerna/issues/2788 — committed to unik-name/unn-core by deleted user 3 years ago
- ci: fix lerna npm publish caused by new npm_token => automation which can't be used by lerna to test authentication https://github.com/lerna/lerna/issues/2788 — committed to unik-name/unn-core by deleted user 3 years ago
- chore(ci): publish with --no-verify-access see https://github.com/lerna/lerna/issues/2788 — committed to kapost/vuetify by KaelWD 3 years ago
Using https://github.com/lerna/lerna/tree/main/commands/publish#--no-verify-access may fix this. Automation tokens don’t have permission to access the endpoint lerna uses to verify permission.
As a longer-term fix, this should be documented or the
/-/whoamiendpoint should be used which can be accessed by automation tokens.TL;DR - automation tokens will just work as expected in 5.2.0 of lerna and later
Hi folks, we just released
5.2.0of lerna: https://github.com/lerna/lerna/releases/tag/v5.2.0Amongst other things, in this version we set the legacy
verifyAccessbehavior to be false by default. It will still respect if you set it to be true explicitly.Essentially, prior to
5.2.0lerna would, by default, make some preemptive API calls to npm using the token you provide to try and “fast fail” for auth concerns. This approach made sense when it was implemented, but there are now multiple types of tokens supported by npm (and perhaps more in the future), and they have different access rights. That’s what made the previous behavior break for automation tokens, and was the underlying cause of this issue.Given that the npm API requests will fail with appropriate auth errors as part of the publishing process anyway, and that it is not something which scales to all token types, we took the decision to invert the
verifyAccesslogic and only enable when a user explicitly wants it.Hope that all makes sense, this issue can now be marked as resolved!
This issue thread was a real life saver - I’ve just struggled with publishing the @frsource/tiny-carousel packages for two days before finding this gold. To make life easier for the future travellers, I’ve patched a PR adding the necessary info about handling of npm automation tokens - #2825. Hope it will save some time for the others 😄
Feel free to comment/post suggestions in the PR, or just react with 👍 if agree that it should be merged.
This also happened recently for us, we scratched our heads for a while before we suspected it was the
npm/v1/userendpoint that was failing. We were also using an automation token which seems to correlate with what’s in this issueadding
--no-verify-accessto bypass that check works, and if the token doesn’t have publish permissions then you get the default 404 npm error.Yep, it would be great if the docs can explain that Lerna doesn’t support automation npm token 🙏
Now that Nrwl has taken over stewardship we are going to take a look into this issue!
As was already mentioned in the comments here, you can use
"verifyAccess": falsein your lerna.json publish config, or pass--no-verify-accessto thelerna publishcommand to get it to skip the auth validation step, which unblocks this issue for now.It is likely that the logic which validates the npm auth piece just needs to be expanded/fixed and as mentioned we will look into that very soon as we also want to address the highly related: https://github.com/lerna/lerna/issues/2730
I was surprised there were no other issues (that I could locate) about this, since they have been out for a while. My feeling is that lerna uses the token to do reads about the user and the automation token only supports writes? Just a guess though.