pnpm: Can't Install Private GitLab Packages

We had success by editing our .npmrc inside our projects like this:

# With pnpm v7:
@my-custom-scope:registry=https://gitlab.my-enterprise.com/api/v4/packages/npm/
# With pnpm v8+:
@my-custom-scope:registry=https://gitlab.my-enterprise.com/api/v4/

You can notice the segment packages/npm/ has been removed from the URL. The same thing has been done for our ~/.npmrc which contains an auth token to access the private registry from our local machines:

# PNPM 7
//gitlab.my-enterprise.com/api/v4/packages/npm/:_authToken=<TOKEN>
# PNPM 8+
//gitlab.my-enterprise.com/api/v4/:_authToken=<TOKEN>

To make sure this works well, delete your pnpm store cache & node_modules, upgrade to pnpm v8+ with Node.js 18 or 20 and re-install modules with pnpm i (note: do not upgrade to Node 20).

Please note that the new URL scheme isn’t backward compatible with previous versions of pnpm, you’ll need to edit your .npmrc again if you’re switching to an old version.

Disclaimer

I want to explicitly point-out that this change hasn’t been documented anywhere. It has been found by pure luck when randomly editing .npmrc.

We are currently switching back to npm in our company due to the lack of support from pnpm on obscure issues like this one.

It looks like pnpm is a great choice for small projects, but for an enterprise project I cannot recommend anymore pnpm due to the extreme lack of support of basic features that are already supported by npm itself.

hasn’t been documented anywhere

On this gitlab documentation page, they say to only use the domain name to set the token if you are using npm > 7. So this actually is documented somewhere, and it’s seems to be a npm version issue, not a pnpm issue.

So, to sum up:

The official way to resolve this problem is to use this format when setting your token:

pnpm config set -- //gitlab.com/:_authToken YOURTOKEN

I’m going to add my experience to this discussion:

• Using Instance-level registry setup did not work and resulted in ERR_PNPM_FETCH_404
• Using Project-level registry setup did work

i.e.: Project-level .npmrc:
@yourscope:registry=https://yourgitlab.com/api/v4/projects/<projectid>/packages/npm/

Instance-level .npmrc:
@yourscope:registry=https://yourgitlab.com/api/v4/packages/npm/

And the corresponding _authToken.

For us this is fine since we only use one package for now, but would be nice to have support for Instance-level as well.
(works with npm with both btw)

Interesting, one of the reasons I moved to pnpm was because it works better than npm with the private gitlab npm registries.

Adding //gitlab.mydomain/api/v4/projects/905/packages/npm/:_authToken'=${GITLAB_AUTH_TOKEN} to .npmrc doesn’t improve things?

This workaround does seem to work. As @Haschtl mentioned, it has the downside that I have to add this line for each registry I want to fetch packages from, rather than the one line I can fetch from all registries from, but I could work with it. Though it’s quite odd that it fails to authenticate when accessing the registry using the instance level, but not the project level.

Interesting, one of the reasons I moved to pnpm was because it works better than npm with the private gitlab npm registries.

Adding //gitlab.mydomain/api/v4/projects/905/packages/npm/:_authToken'=${GITLAB_AUTH_TOKEN} to .npmrc doesn’t improve things?

This works for me, but I would call it a workaround. Consider a project which uses many packages from this registry. You then need to add this line for each project and you have to lookup the projectId (905) of each repo.

Interesting that this was one reason for you to switch to pnpm - I never had problems with npm and my self-hosted gitlab instance.

Same issue here. We use a self-hosted gitlab instance and wanted to migrate to pnpm for the improvements it offers.

package.json:

"devDependencies": {
    "@myscope/my-pkg": "^3.0.3",
  },

.npmrc:

@myscope:registry=https://gitlab.mydomain/api/v4/packages/npm/
'//gitlab.mydomain/api/v4/packages/npm/:_authToken'="${GITLAB_AUTH_TOKEN}"

Log:

 WARN  GET https://gitlab.mydomain/api/v4/projects/905/packages/npm/@myscope/mypkg/-/@myscope/mypkg-3.0.3.tgz error (ERR_PNPM_FETCH_404). Will retry in 1 minute. 1 retries left.
 ERR_PNPM_FETCH_404  GET https://gitlab.mydomain/api/v4/projects/905/packages/npm/@myscope/mypkg/-/@myscope/mypkg-3.0.3.tgz: Not Found - 404

No authorization header was set for the request.

Opening the link directly in the browser does download the package though. Everything works fine with npm.

I haven’t had a deep dive yet but can you try something for me while I finish off work related tasks?

You have this repo/project (https://gitlab.com/eisste-playground/reproduce-pnpm-install-private-package-error) where you published the NPM package too, this one has the project id 41694919.

Can you update your NPM config in the project [2] that consumes this package from the other repo so you explicitly list the project with package? And let me know how it goes? E.g. pnpm config set -- //gitlab.com/api/v4/projects/41694919/packages/npm/:_authToken=YOUR_PERSONAL_ACCESS_TOKEN

Or maybe try if adding a .npmrc with the following works for you (replace PAT 😉):

//gitlab.com/api/v4/packages/npm/:_authToken=YOUR_PERSONAL_ACCESS_TOKEN
//gitlab.com/api/v4/projects/41694919/packages/npm/:_authToken=YOUR_PERSONAL_ACCESS_TOKEN
//gitlab.com/api/v4/packages/npm/:always-auth=true
@YOUR_SCOPE:registry=https://gitlab.com/api/v4/packages/npm/

I have the feeling you are hitting the same issue I am having with npm [3] in the ticket they say it’s only related to CI_JOB_TOKEN but also seen it happen with my PAT and npm v8

[2] https://gitlab.com/eisste-playground/reproduce-pnpm-install-private-package-error-install-from-other-project [3] https://gitlab.com/gitlab-org/gitlab/-/issues/352962 (issue raised based on my support ticket)