lerna: `lerna publish` unable to authenticate with Artifactory

We’re trying to run lerna publish in Jenkins. We’re using a private Artifactory and configuring the auth via an .npmrc file. lerna publish fails to authenticate successfully.

Expected Behavior

Using the same .npmrc file we’re able to successfully run yarn publish after building the packages separately, so we’d expect Lerna to be able to do the same.

  • if Lerna requires different configuration in order to authenticate with private npm registries like Artifactory it would be useful for that to be documented
  • if Lerna doesn’t support auth via the .npmrc file it would be nice for it to do so or to offer some alternative

Current Behavior

When running lerna publish we get:

...
14:29:46  lerna info publish Publishing packages to npm...
14:29:46  lerna notice Skipping all user and access validation due to third-party registry
14:29:46  lerna notice Make sure you're authenticated properly ¯\_(ツ)_/¯
14:29:48  lerna http fetch PUT 401 https://artifactory.???/api/npm/???/??? 2819ms
14:29:48  lerna ERR! E401 Unable to authenticate, need: Basic realm="Artifactory Realm"
14:29:48  error Command failed with exit code 1.

Possible Solution

  • support auth via .npmrc file

Steps to Reproduce (for bugs)

.npmrc file looks like this:

@???:registry=https://artifactory.???.???.net/api/npm/???/
//artifactory.???.???.net/api/npm/???/:_password=${ARTIFACTORY_TOKEN}
//artifactory.???.???.net/api/npm/???/:username=???
//artifactory.???.???.net/api/npm/???/:email=???@???.com
//artifactory.???.???.net/api/npm/???/:always-auth=true

and we run the command lerna publish

lerna.json

{
  "packages": ["packages/*"],
  "version": "independent",
  "npmClient": "yarn",
  "useWorkspaces": true,
  "command": {
    "publish": {
      "conventionalCommits": true,
      "yes": true,
      "message": "chore(release): publish",
      "exact": true
    }
  }
}

Context

At the moment we’re doing a hacky workaround to publish our packages by running:

  • lerna version to get the version bumps required
  • yarn lerna run to build the new packages
  • publish with yarn publish

Overall it feels like we’re unable to use Lerna as it was intended

Your Environment

Running the build in Jenkins in a Debian stretch docker container

Executable Version
lerna --version v3.22.1
npm --version 6.14.5
yarn --version 1.22.4
node --version v12.18.1
OS Version
Debian GNU/Linux 9 (stretch)

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 28
  • Comments: 25 (2 by maintainers)

Most upvoted comments

So is there a fix coming for v4.x? Don’t think it’s tenable to have people on prior major versions in the long term.

I had to downgrade to @3.22.0 in order to have it working. Other options did not help. 4.0.0 is not stable.

In my case, with the ~/.npmrc below, lerna publish works well in lerna 3.22.0:

_auth=ABCDEFGHIJKLMN...opqrstuvwxyz0123456789==
always-auth = false

email=ci-user@example.com
registry=https://artifactory.example.com/api/npm/private-npm

but fails in lerna 4.0.0, with the following 403 error:

lerna http fetch PUT 403 https://artifactory.example.com/api/npm/private-npm/@example%2fprivate-pkg 4450ms
lerna sill HttpErrorGeneral: 403 Forbidden - PUT https://artifactory.example.com/api/npm/private-npm/@example%2fprivate-pkg - forbidden
lerna sill     at .../node_modules/npm-registry-fetch/check-response.js:134:15
lerna sill     at async publish (.../node_modules/libnpmpublish/publish.js:43:12)
...
lerna sill     at async run (...node_modules/p-queue/dist/index.js:163:29) {
lerna sill   headers: [Object: null prototype] { ... },
lerna sill   statusCode: 403,
lerna sill   code: 'E403',
lerna sill   method: 'PUT',
lerna sill   uri: 'https://artifactory.example.com/api/npm/private-npm/@example%2fprivate-pkg',
lerna sill   body: {
lerna sill     error: 'forbidden',
lerna sill     reason: "Cannot deploy to '@example/private-pkg/-/@example/private-pkg-1.0.0.tgz"
lerna sill   },
lerna sill   pkgid: '@example/private-pkg@1.0.0'
lerna sill }
lerna ERR! E403 forbidden

Prepending registry URL prefix to _auth solves the issue:

//artifactory.example.com/api/npm/private-npm/:_auth=ABCDEFGHIJKLMN...opqrstuvwxyz0123456789==
always-auth = false

email=ci-user@example.com
registry=https://artifactory.example.com/api/npm/private-npm

As we have two repos in our Artifactory registry (one which acts as installer source and one for publishing), the solution by @evisong led me in the right direction. We had to prefix the _auth with the repo from where we install our packages and additionally add registry and _auth for the publishing part:

registry=https://artifactory.example.com/api/npm/reading-repo
_auth = ABCDEFGHIJKLMN...opqrstuvwxyz0123456789==
//artifactory.example.com/api/npm/publishing-repo/:_auth = ABCDEFGHIJKLMN...opqrstuvwxyz0123456789==
email = ci-user@example.com
always-auth = true

Now that Nrwl has taken over stewardship we are going to take a look into this issue!

In the meantime, as was hit upon but not explicitly called out here: https://github.com/lerna/lerna/issues/2730#issuecomment-764733233

…you can use "verifyAccess": false in your lerna.json publish config, or pass --no-verify-access to the lerna publish command to get it to skip the auth validation step, which I think should unblock a lot of folks on this thread.

It is likely that the logic which validates the npm auth piece just needs to be expanded/fixed and as mentioned we will look into that very soon as we also want to address the highly related: https://github.com/lerna/lerna/issues/2788

Because of this unsolved issue, I migrated to turborepo + changesets.

Also had to revert. Is lerna still being maintained? Is there a fix coming for v4?

{
  "version": "independent",
  "packages": [
    "packages/*"
  ],
  "command": {
    "add": {
      "registry": "https://hostname/artifactory/api/npm/npm-repo"
    },
    "create": {
      "registry": "https://hostname/artifactory/api/npm/npm-repo",
      "access": "restricted"
    },
    "publish": {
      "registry": "https://hostname/artifactory/api/npm/npm-repo",
      "verifyAccess": false,
      "ignoreChanges": [
        "*.md",
        "*/test/*"
      ]
    }
  }
}

Hope this helps!

I just tried Lerna 6.4.1 and still get:

lerna ERR! E403 forbidden

What can we do to get this fixed? We are stuck with lerna v3 and cannot update.

@JamesHenry This issue remains for all of us that are stuck on corporate and private repos. It makes lerna essentially unusable. I have to believe this is a priority.

Is this still an open issue? I’m experiencing a similar issue (authenticating with Artifactory registry on Jenkins) and haven’t found a workaround. Downgrading lerna or using the no verify access flag haven’t helped.

I encountered this issue upon upgrading from Lerna 3.22 to 4.0. The lerna publish command would error with a 401. What worked for me was having both a “regular” _auth in the npm config and another prepended with the registry URL as @evisong first recommended:

npm config set registry https://artifactory.example.com/api/npm/private-npm
npm config set _auth ABCDEFGHIJKLMN...opqrstuvwxyz0123456789==
npm config set //artifactory.example.com/api/npm/private-npm/:_auth ABCDEFGHIJKLMN...opqrstuvwxyz0123456789==
npm config set always-auth true
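
The workarounds in this thread all come down to whether a credential line carries the registry URL prefix. As an added example (not code from the thread, Lerna or npm), this Node.js script audits .npmrc text and reports which credential keys are bare and which registry URLs are covered by a prefixed credential. The helper names `parseNpmrc` and `auditNpmrc`, the prefix-matching rule (a simplified model of npm's lookup) and the sample file with its placeholder value are assumptions made for illustration.

```javascript
// Added example: audit .npmrc text for registry-scoped credentials.
// Assumption (simplified model of npm's lookup): a "//host/path/:key" entry
// covers a registry whose URL equals that prefix or sits below it.
const CRED_KEYS = ['_auth', '_authToken', '_password'];

// Constructed sample modelled on the two-repo layout; the value is a placeholder.
const READ = 'https://artifactory.example.com/api/npm/reading-repo';
const PUBLISH = 'https://artifactory.example.com/api/npm/publishing-repo';
const SAMPLE_NPMRC = [
  `registry=${READ}`,
  '_auth = PLACEHOLDER_BASE64==',
  '//artifactory.example.com/api/npm/publishing-repo/:_auth = PLACEHOLDER_BASE64==',
  'email = ci-user@example.com',
  'always-auth = true',
].join('\n');

// Split "key = value" lines, skipping blanks and # or ; comments.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line[0] === '#' || line[0] === ';' || eq === -1) continue;
    entries.push([line.slice(0, eq).trim(), line.slice(eq + 1).trim()]);
  }
  return entries;
}

const withSlash = (s) => (s.endsWith('/') ? s : s + '/');

// Returns bare credential keys and, per registry URL, whether a prefixed one covers it.
function auditNpmrc(text, registryUrls) {
  const keys = parseNpmrc(text).map(([key]) => key);
  const unscoped = keys.filter((key) => CRED_KEYS.includes(key));
  const prefixes = keys
    .map((key) => /^(\/\/.+?):(_auth|_authToken|_password)$/.exec(key))
    .filter(Boolean)
    .map((m) => withSlash(m[1]));
  const registries = {};
  for (const url of registryUrls) {
    const u = new URL(url);
    const target = withSlash(`//${u.host}${u.pathname}`);
    registries[url] = prefixes.some((p) => target.startsWith(p));
  }
  return { unscoped, registries };
}

console.log(JSON.stringify(auditNpmrc(SAMPLE_NPMRC, [READ, PUBLISH]), null, 2));
```

A registry reported as `false` is served only by a bare credential or by none, which is the condition the registry-prefixed `_auth` lines in the comments above correct.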