Invalid auth configuration found error when an update is found in a private npm artifacts feed
Closed this issue · 24 comments

Following the update to 1.20 our pipeline encounters the following error when an update is found:

```
npm ERR! code ERR_INVALID_AUTH
npm ERR! Invalid auth configuration found: `_auth` must be renamed to `//pkgs.dev.azure.com/our-org/_packaging/our-feed/npm/registry/:_auth` in project config
npm ERR! Please run `npm config fix` to repair your configuration.
```
We previously had dockerImageTag set to 0.18 and this was working up until recently when the image per ecosystem update kicked in forcing us to update to 1.20 so I can't be sure whether we would have encountered the same error with 0.19.
We have the same since the 1.20 update (currently using 1.20.531).
It was working fine when using 1.19.520.
With the change to image per ecosystem, there are months worth of changes in the internal helpers that dependabot-core uses. Some new ones, some changed ones.
I am not in a position to find and list them then find which one might affect you.
Our own setup with private feeds seems to be working just fine.
Though it might be time consuming, I would suggest that you create a minimal setup to test and find out where the issue might be.
We are facing this same issue since the 1.20 update.
```yaml
version: 2
registries:
  npm-npmjs:
    type: npm-registry
    url: https://pkgs.dev.azure.com/<organisation>/<project>/_packaging/<feedname>/npm/registry/
    token: PAT:${{ACCESS_TOKEN}}
```
I'm unable to reproduce this. My internal packages get updated by dependabot just fine.
@mburumaxwell could you please share more details of your own setup? E.g.
- do you have a .npmrc and what are its contents?
- how do you pass credentials to dependabot-updater-npm?
- which env variables / parameters are set?
We're also seeing this problem after switching to 1.20+.
In our configuration, we're using Azure Artifacts as the only registry, with upstream feeds to npmjs et al.

Our .npmrc looks like:

```
registry=https://pkgs.dev.azure.com/<org>/<project>/_packaging/<registry>/npm/registry/
always-auth=true
```

This also means that every package in package-lock.json will have the above registry as the resolved URL.
From what I can deduce by looking at the npmrc_builder.rb file in dependabot-core, this means that this registry will be classified as a global registry, see: https://github.com/dependabot/dependabot-core/blob/f9754d41004cb5a507b3cd4920fbf48551f9aced/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb#L84

This in turn leads to this part of the code https://github.com/dependabot/dependabot-core/blob/f9754d41004cb5a507b3cd4920fbf48551f9aced/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb#L165 creating the following .npmrc:

```
registry=https://pkgs.dev.azure.com/<org>/<project>/_packaging/<registry>/npm/registry/
_authToken=<token>
always-auth=true
```

This is a problem, because since NPM v8, all auth-related values need to be scoped, see: https://docs.npmjs.com/cli/v9/configuring-npm/npmrc?v=true#auth-related-configuration

A correct .npmrc needs to look like:

```
registry=https://pkgs.dev.azure.com/<org>/<project>/_packaging/<registry>/npm/registry/
//pkgs.dev.azure.com/<org>/<project>/_packaging/<registry>/npm/registry/:_authToken=<token>
always-auth=true
```

My conclusion is that the problem lies in dependabot-core in that it no longer creates a compatible .npmrc for NPM > v8.
I've created an issue there, let's see what the response is: dependabot/dependabot-core#7759
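The check behind that error message can be reproduced outside npm. The script below is an added example (not code from dependabot-core or from this extension): it parses an .npmrc, reports auth keys that are not scoped to a registry URL, and rewrites them into the `//host/path/:key` form the comment above describes, the same thing `npm config fix` does for the default registry. The two .npmrc samples are constructed from the shapes shown in this thread, `<token>` is a placeholder, and `AUTH_KEYS` is limited to the credential keys named in the npm documentation linked above.

```python
"""Detect the unscoped auth keys npm >= 8 rejects with ERR_INVALID_AUTH and
rewrite them into the registry-scoped form.

Added example, not code from dependabot-core or the extension. Sample .npmrc
contents are constructed for illustration; <token> is a placeholder.
"""
from urllib.parse import urlparse

# Credential keys npm requires to be prefixed with a registry scope
# (//host/path/:_authToken). Assumption: this subset is what matters here.
AUTH_KEYS = {"_auth", "_authToken", "username", "_password"}


def parse_npmrc(text):
    """Return (key, value) pairs, skipping blank lines and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        # Split on the first '=' only: base64 tokens may end with '='.
        key, sep, value = line.partition("=")
        if sep:
            entries.append((key.strip(), value.strip()))
    return entries


def registry_scope(url):
    """Turn a registry URL into the //host/path/ prefix npm scopes auth keys with."""
    parsed = urlparse(url)
    path = parsed.path if parsed.path.endswith("/") else parsed.path + "/"
    return f"//{parsed.netloc}{path}"


def find_unscoped_auth(text):
    """List auth keys not scoped to a registry; npm 8+ refuses to run with these."""
    return [k for k, _ in parse_npmrc(text) if not k.startswith("//") and k in AUTH_KEYS]


def fix_npmrc(text):
    """Scope every unscoped auth key to the file's default `registry` URL.

    Raises ValueError when there is no default registry, because guessing one
    would attach the credential to the wrong host.
    """
    entries = parse_npmrc(text)
    registry = next((v for k, v in entries if k == "registry"), None)
    out = []
    for key, value in entries:
        if not key.startswith("//") and key in AUTH_KEYS:
            if registry is None:
                raise ValueError(f"cannot scope {key}: no default registry set")
            key = f"{registry_scope(registry)}:{key}"
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


# Constructed sample: the .npmrc shape the comment above says dependabot-core wrote.
BROKEN_NPMRC = """\
registry=https://pkgs.dev.azure.com/org/project/_packaging/feed/npm/registry/
_authToken=<token>
always-auth=true
"""

# Constructed sample: the scoped form npm accepts.
FIXED_NPMRC = """\
registry=https://pkgs.dev.azure.com/org/project/_packaging/feed/npm/registry/
//pkgs.dev.azure.com/org/project/_packaging/feed/npm/registry/:_authToken=<token>
always-auth=true
"""

if __name__ == "__main__":
    print("unscoped auth keys:", find_unscoped_auth(BROKEN_NPMRC))
    print(fix_npmrc(BROKEN_NPMRC), end="")
```

Running it on the broken sample reports `_authToken` as unscoped and prints the corrected file. The refusal to scope when no `registry` line exists is deliberate: an unscoped credential would otherwise be sent to whatever registry npm falls back to, which is exactly the leak the npm change was meant to prevent.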
Here's what the .npmrc file looks like:

```
@tingle:registry=https://pkgs.dev.azure.com/tingle/_packaging/tingle/npm/registry/
always-auth=true
```

Here's what the .github/dependabot.yml looks like:

```yaml
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  - package-ecosystem: "docker" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
      time: "03:00"
    open-pull-requests-limit: 10
  - package-ecosystem: "npm" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"
      time: "03:00"
    open-pull-requests-limit: 10
    ignore:
      - dependency-name: "*mdast*"
        update-types: ["version-update:semver-major"]
      - dependency-name: "unist-util-visit"
        update-types: ["version-update:semver-major"]

registries:
  tingle:
    type: npm-registry
    url: 'https://pkgs.dev.azure.com/tingle/_packaging/tingle/npm/registry/'
    token: 'tingle:${{DEFAULT_TOKEN}}'
```

We use the server component to run across the repositories but here's what the pipeline would look like:

```yaml
pool:
  vmImage: "ubuntu-latest"

variables:
  # DEFAULT_TOKEN: 'zzzzzzz'

steps:
  - task: dependabot@1
    displayName: Dependabot
    inputs:
      failOnException: false
      setAutoComplete: true
      gitHubAccessToken: 'ggggggg'
      azureDevOpsAccessToken: '$(DEFAULT_TOKEN)'
```

The repository has a package-lock.json file with version 2 that is generated using node v18.16.0 and npm 9.5.1.
No more setup work is required.
I finally managed to get this working for me.
In my case it helped to edit the .npmrc file in the project repo:
Non-working .npmrc:

```
@removed:registry=https://node.bit.cloud
registry=https://pkgs.dev.azure.com/Org_removed/Project_removed/_packaging/project_removed/npm/registry/
always-auth=true
```

Working .npmrc:

```
@removed:registry=https://node.bit.cloud
@npm-devops:registry=https://pkgs.dev.azure.com/Org_removed/Project_removed/_packaging/project_removed/npm/registry/
registry=https://pkgs.dev.azure.com/Org_removed/Project_removed/_packaging/project_removed/npm/registry/
always-auth=true
```

npm-devops needs to be the same as the name of your registry in dependabot.yml:

```yaml
version: 2
registries:
  npm-devops:
    type: npm-registry
    url: 'pkgs.dev.azure.com/Org_removed/Project_removed/_packaging/project_removed/npm/registry/'
    token: 'PAT:${{FEEDACCESSTOKEN}}'
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-devops
    target-branch: "develop"
    schedule:
      interval: "daily"
```

Of course you need to replace the 'removed' parts with your stuff.
Hope that this would work for you as well!
thanks @mburumaxwell for your sample files, they helped me with narrowing down what might be the issue!
Is there any way to get this working without needing to ask all our developers to add a redundant line into their npmrc file?
@pawelrakoczy it looks like you're essentially just duplicating your normal `registry` line and calling it `@npm-devops:registry` purely so that dependabot is able to put the credentials there?

In all of our .npmrc files we have `registry` for third-party packages (i.e. the default registry) and then `@custom:registry` for our internal packages only, so we really do not want to add an extra prefixed entry just to make the creds work.
I haven't needed to change my .npmrc file to accommodate for dependabot. If your setup does installation in the pipelines without extra work like token replacement, then it'll work with this extension when you follow the sample I showed above.

> I haven't needed to change my .npmrc file to accommodate for dependabot. If your setup does installation in the pipelines without extra work like token replacement, then it'll work with this extension when you follow the sample I showed above.

This is not entirely true. It is true for your example, where you have a scoped registry (@tingle in your case). It does not work if you only have a global registry, please see my comment: #729 (comment)
Same issue here.
@mburumaxwell I have the same issue the others have. I have meticulously followed your example and the examples in the documentation and none work - I get the error:

```
npm ERR! code ERR_INVALID_AUTH
npm ERR! Invalid auth configuration found: `_auth` must be renamed to `//pkgs.dev.azure.com/MyOrg/_packaging/MyProject/npm/registry/:_auth` in project config
npm ERR! Please run `npm config fix` to repair your configuration.
```

I noticed one anomaly in your own config, you have:

```yaml
token: 'tingle:${{DEFAULT_TOKEN}}'
```

In the docs it specifically states:

> When using a token the notation should be `PAT:${{VARIABLE_NAME}}`. Otherwise the wrong authentication mechanism is used by dependabot

How come `tingle` is working as a token prefix for you when it should be `PAT`?

I've tried both our registry namespace and `PAT` but neither are working.
Going to give the suggestion from pawelrakoczy a go now.
UPDATE:

The workaround from pawelrakoczy did not work for me. I have the same ERR_INVALID_AUTH issue.

dependabot.azpipeline.yml:

```yaml
trigger: none # Disable CI trigger

schedules:
  - cron: '0 2 * * *' # daily at 2am UTC
    always: true # run even when there are no code changes
    branches:
      include:
        - master
    batch: true
    displayName: Daily at 2am

pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)

variables:
  MYORG_FEED_TOKEN: 'XXXXX'

steps:
  - task: dependabot@1
    # Keeping below lines throws a different error: Dependabot::Clients::Azure::Unauthorized (Dependabot::Clients::Azure::Unauthorized)
    # inputs:
    #   azureDevOpsAccessToken: '$(MYORG_FEED_TOKEN)'
```

/.github/dependabot.yml:

```yaml
version: 2
registries:
  MyOrg:
    type: npm-registry
    # Have tried with and without the `https://` and with `//` prefixes, get same result every time
    url: https://pkgs.dev.azure.com/MYORG/_packaging/MYORG/npm/registry/
    token: PAT:${{MYORG_FEED_TOKEN}}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - MyOrg
    target-branch: "master"
    schedule:
      interval: "daily"
```

/.npmrc:

```
@MyOrg:registry=https://pkgs.dev.azure.com/MyOrg/_packaging/MyOrg/npm/registry/
registry=https://pkgs.dev.azure.com/MyOrg/_packaging/MyOrg/npm/registry/
always-auth=true
engine-strict=true
tag-version-prefix=""
```
The workaround from @pawelrakoczy works for me.
(adding extra line in npmrc with the scope and using the same name in dependabot.yml)
I'm using both a private registry in AzDO (without upstream) and the public npm registry.
I had this workaround from @pawelrakoczy unintentionally already in the configuration (well, partly):

```
legacy-peer-deps=true
registry=https://pkgs.dev.azure.com/<org>/<project>/_packaging/<artifacts>/npm/registry/
@something:registry=https://pkgs.dev.azure.com/<org>/<project>/_packaging/<artifacts>/npm/registry/
always-auth=true
```

and the dependabot.yml:

```yaml
version: 2
registries:
  othername:
    type: npm-registry
    url: https://pkgs.dev.azure.com/<org>/<project>/_packaging/<artifacts>/npm/registry/
    token: PAT:${{PAT}}
updates:
  - package-ecosystem: "npm"
    directory: "/app"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 50
    registries:
      - othername
```

Notice the difference in `something` and `othername`.

Everything worked fine Thursday (28 sept) and stopped working Friday (29 sept), same version of the dependabot image:

```
Unable to find image 'ghcr.io/tinglesoftware/dependabot-updater-npm:1.21' locally
1.21: Pulling from tinglesoftware/dependabot-updater-npm
```

So today I changed the `othername` in the dependabot.yml to `something` but it is not helping. Any idea how to fix this?
The 1.21 tag was temporarily removed on 28th/29th but it was restored the same day. This should be working today.

The version is 'working', I just get this auth bug since Friday, while the same version was working Thursday (and before).
Any idea how I can get this working again? It is not working for a week now and I have no idea how to solve this issue.

We are unfortunately also blocked in automating our npm dependency update process due to this issue.
I have the same problem
Same issue here...
Still can't reproduce this. I suspect it could be a scope issue.
Can someone try to reproduce the issue on the hosted GitHub version:

- Clone the repository to GitHub
- Add an AzDO PAT for accessing Azure Artifacts, in the dependabot secrets for the repository
- Update the `token` in dependabot.yml to use the secret

In my case:

```diff
- token: 'tingle:${{DEFAULT_TOKEN}}'
+ token: 'tingle:${{secrets.AZURE_DEVOPS_TOKEN}}'
```
For me it is suddenly working again (since 4 January 2024).
Closing this. Everything on the authentication behavior for private feeds/registries can either be controlled with the credentials provided or be fixed at https://github.com/dependabot/dependabot-core. This extension transfers the structure of the authentication details as is after replacing tokens.