dependabot-azure-devops: Invalid auth configuration found error when an update is found in a private npm artifacts feed

Following the update to 1.20 our pipeline encounters the following error when an update is found,

npm ERR! code ERR_INVALID_AUTH
npm ERR! Invalid auth configuration found: _auth must be renamed to //pkgs.dev.azure.com/our-org/_packaging/our-feed/npm/registry/:_auth in project config
npm ERR! Please run npm config fix to repair your configuration.

We previously had dockerImageTag set to 0.18 and this was working up until recently when the image per ecosystem update kicked in forcing us to update to 1.20 so I can’t be sure whether we would have encountered the same error with 0.19.

About this issue

  • State: open
  • Created a year ago
  • Reactions: 4
  • Comments: 22 (6 by maintainers)

Most upvoted comments

We’re also seeing this problem after switching to 1.20+. In our configuration, we’re using Azure Artifacts as the only registry, with upstream feeds to npmjs et al. Our .npmrc looks like:

registry=https://pkgs.dev.azure.com/<org>/<project>/_packaging/<registry>/npm/registry/

always-auth=true

This also means that every package in package-lock.json will have the above registry as the resolved URL. From what I can deduce by looking at the npmrc_builder.rb file in dependabot-core, this means that this registry will be classified as a global registry, see: https://github.com/dependabot/dependabot-core/blob/f9754d41004cb5a507b3cd4920fbf48551f9aced/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb#L84

This in turn leads to this part of the code https://github.com/dependabot/dependabot-core/blob/f9754d41004cb5a507b3cd4920fbf48551f9aced/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb#L165 creating the following .npmrc :

registry=https://pkgs.dev.azure.com/<org>/<project>/_packaging/<registry>/npm/registry/
_authToken=<token>
always-auth=true

This is a problem, because since NPM v8, all auth-related values need to be scoped, see: https://docs.npmjs.com/cli/v9/configuring-npm/npmrc?v=true#auth-related-configuration

A correct .npmrc needs to look like:

registry=https://pkgs.dev.azure.com/<org>/<project>/_packaging/<registry>/npm/registry/
//pkgs.dev.azure.com/<org>/<project>/_packaging/<registry>/npm/registry/:_authToken=<token>
always-auth=true

My conclusion is that the problem lies in dependabot-core in that it no longer creates a compatible .npmrc for NPM > v8.

I’ve created an issue there, let’s see what the response is: https://github.com/dependabot/dependabot-core/issues/7759
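To make the difference between the two .npmrc files above concrete, here is an added example (not dependabot-core's or npm's own code) that parses an .npmrc, reports unscoped auth keys, and rewrites them into the `//host/path/:key=value` form npm 8+ demands, scoped to the default `registry` URL. The org, project and feed names in the sample are constructed placeholders; the set of keys treated as auth-related is taken from the npm docs linked in the comment.

```javascript
// Auth-related keys that npm >= 8 refuses to accept unless they are scoped
// to a registry URL (the "must be renamed to //host/path/:_auth" error).
const AUTH_KEYS = new Set(['_auth', '_authToken', 'username', '_password']);

// Parse .npmrc text into entries; comments and blank lines are kept as raw lines.
function parseNpmrc(text) {
  return text.split(/\r?\n/).map((line) => {
    const trimmed = line.trim();
    if (trimmed === '' || trimmed.startsWith('#') || trimmed.startsWith(';')) {
      return { raw: line };
    }
    const eq = line.indexOf('=');
    if (eq === -1) return { raw: line };
    return { key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() };
  });
}

// Turn a registry URL into the "//host/path/" prefix npm uses for scoped auth keys.
function registryScope(url) {
  const u = new URL(url);
  const path = u.pathname.endsWith('/') ? u.pathname : `${u.pathname}/`;
  return `//${u.host}${path}`;
}

// Return the names of auth keys that are not scoped to any registry.
// Already-scoped keys ("//host/path/:_authToken") are not in AUTH_KEYS and pass.
function findUnscopedAuth(text) {
  return parseNpmrc(text)
    .filter((e) => e.key !== undefined && AUTH_KEYS.has(e.key))
    .map((e) => e.key);
}

// Rewrite unscoped auth keys as "//host/path/:key=value" using the default registry,
// which is what the corrected .npmrc in the comment above looks like.
function fixNpmrc(text) {
  const entries = parseNpmrc(text);
  const registry = entries.find((e) => e.key === 'registry');
  if (!registry) throw new Error('no default registry to scope auth keys to');
  const scope = registryScope(registry.value);
  return entries
    .map((e) => {
      if (e.raw !== undefined) return e.raw;
      if (AUTH_KEYS.has(e.key)) return `${scope}:${e.key}=${e.value}`;
      return `${e.key}=${e.value}`;
    })
    .join('\n');
}

// Constructed sample mirroring the .npmrc the comment says dependabot-core generates.
const SAMPLE = [
  'registry=https://pkgs.dev.azure.com/example-org/example-project/_packaging/example-feed/npm/registry/',
  '_authToken=<token>',
  'always-auth=true',
].join('\n');

console.log('unscoped auth keys:', findUnscopedAuth(SAMPLE));
console.log(fixNpmrc(SAMPLE));
```

Running it prints `_authToken` as the offending key and emits the file with that line rewritten to the scoped form; running `findUnscopedAuth` over the result returns nothing, which is the check a pipeline step could apply before handing the file to npm.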

@mburumaxwell I have the same issue the others have. I have meticulously followed your example and the examples in the documentation and none work - I get the error:

npm ERR! code ERR_INVALID_AUTH
npm ERR! Invalid auth configuration found: `_auth` must be renamed to `//pkgs.dev.azure.com/MyOrg/_packaging/MyProject/npm/registry/:_auth` in project config
npm ERR! Please run `npm config fix` to repair your configuration.

I noticed one anomaly in your own config, you have: token: 'tingle:${{DEFAULT_TOKEN}}'

In the docs it specifically states:

When using a token the notation should be PAT:${{VARIABLE_NAME}}. Otherwise the wrong authentication mechanism is used by dependabot

How come tingle is working as a token prefix for you when it should be PAT? I’ve tried both our registry namespace and PAT but neither are working. Going to give the suggestion from pawelrakoczy a go now.

UPDATE: The workaround from pawelrakoczy did not work for me. I have the same ERR_INVALID_AUTH issue.

dependabot.azpipeline.yml:

trigger: none # Disable CI trigger

schedules:
- cron: '0 2 * * *' # daily at 2am UTC
  always: true # run even when there are no code changes
  branches:
    include:
      - master
  batch: true
  displayName: Daily at 2am

pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)

variables:
  MYORG_FEED_TOKEN: 'XXXXX'

steps:
- task: dependabot@1
#  Keeping below lines throws a different error: Dependabot::Clients::Azure::Unauthorized (Dependabot::Clients::Azure::Unauthorized)
#  inputs:
#    azureDevOpsAccessToken: '$(MYORG_FEED_TOKEN)'

/.github/dependabot.yml:

version: 2
registries:
  MyOrg:
    type: npm-registry
    # Have tried with and without the `https://` and with `//` prefixes, get same result every time
    url: https://pkgs.dev.azure.com/MYORG/_packaging/MYORG/npm/registry/
    token: PAT:${{MYORG_FEED_TOKEN}}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - MyOrg
    target-branch: "master"
    schedule:
      interval: "daily"

/.npmrc:

@MyOrg:registry=https://pkgs.dev.azure.com/MyOrg/_packaging/MyOrg/npm/registry/
registry=https://pkgs.dev.azure.com/MyOrg/_packaging/MyOrg/npm/registry/
always-auth=true
engine-strict=true
tag-version-prefix=""