[FEATURE] npm authentication
Closed this issue · 3 comments
What / Why
We use pacote to check the latest tag version on NPM to let people know if they are running an old version of our packages (https://www.grouparoo.com/docs/support/upgrading-grouparoo#determining-if-there-are-updates). Everything works fine for public NPM packages, but we cannot check on private packages. It would be great if there was a way to use local or user-level NPM authentication tokens from .npmrc files with pacote to check on these private packages.
When
Every time the manifest for a private package is checked
Where
Both programmatically and on the CLI:
# public package
pacote manifest @grouparoo/core | jq .version
"0.2.12"
# Private package (it's ok, we announce this package exists)
pacote manifest @grouparoo/ui-enterprise | jq .version
HttpErrorGeneral: 404 Not Found - GET https://registry.npmjs.org/@grouparoo%2fui-enterprise - Not found
How
...
Current Behavior
Expected Behavior
Maybe something like this:
import pacote from "pacote";
const manifest: { name: string; version: string } = await pacote.manifest(
`${plugin.name}@${tag}`,
{ _authToken: 'abc123' }
);
Who
Everyone!
References
nope.
Hello @evantahler
There is a token option to authenticate the request (it takes an npm access token). For the CLI, however, I don't know.
We ran into the same 404 issue after updating our dependencies and discovering newer supposedly semver-compliant pacote builds 404 and older builds do not.
npm-registry-fetch 10.0.0 introduced breaking changes around auth scopes, and these breaking changes were brought over to pacote between 11.3.1 and 11.3.2.
A top level _auth, _authToken, username, _password, or password option is no longer respected if not scoped to a given registry URL.
We have hacked around it by changing e.g.:
const opts = { token: process.env.NPM_AUTH_TOKEN }
to
const opts = { "//registry.npmjs.org/:_authToken": process.env.NPM_AUTH_TOKEN }
The scoped auth config is the solution here. It is not safe to pass the same auth token to every host.
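As an added illustration of the scoped auth config described in the last two comments (not code from pacote, npm-registry-fetch or any commenter), this sketch shows how a token keyed to one registry URL applies only to requests under that URL. The helper names scopedAuthKey, buildOpts and tokenFor, the example.test host and the token value are assumptions made for the example.

```javascript
// Added illustration; helper names are hypothetical, not pacote's API.

// Turn a registry URL into the scoped config key used in .npmrc,
// e.g. https://registry.npmjs.org/ -> //registry.npmjs.org/:_authToken
function scopedAuthKey(registryUrl) {
  const u = new URL(registryUrl);
  const path = u.pathname.endsWith("/") ? u.pathname : u.pathname + "/";
  return `//${u.host}${path}:_authToken`;
}

// Build an options object that carries the token only under its registry scope.
function buildOpts(registryUrl, token) {
  if (!token) throw new Error("no token supplied");
  return { registry: registryUrl, [scopedAuthKey(registryUrl)]: token };
}

// Decide which token (if any) applies to a request URL by walking up the
// path: //host/a/b/ -> //host/a/ -> //host/. A top-level, unscoped key such
// as _authToken is never matched here, so it cannot reach another host.
function tokenFor(requestUrl, opts) {
  const u = new URL(requestUrl);
  const segments = u.pathname.split("/").filter(Boolean);
  for (let i = segments.length; i >= 0; i--) {
    const prefix = segments.slice(0, i).map((s) => s + "/").join("");
    const key = `//${u.host}/${prefix}:_authToken`;
    if (Object.prototype.hasOwnProperty.call(opts, key)) return opts[key];
  }
  return undefined;
}

// Constructed sample values, not real credentials or hosts.
const demoOpts = buildOpts("https://registry.npmjs.org/", "constructed-token");
const pkgPath = "/@grouparoo%2fui-enterprise";
console.log(Object.keys(demoOpts));
console.log(tokenFor("https://registry.npmjs.org" + pkgPath, demoOpts));
console.log(tokenFor("https://mirror.example.test" + pkgPath, demoOpts));
```

The object returned by buildOpts has the same shape as the scoped opts shown in the workaround above, with the token value supplied by the caller.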