-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] NPM v7 uses SSH instead of an explicit HTTPS for GitHub repos #2610
Comments
Can you try with npm v7.5.2? I think this has already been fixed. |
Just tried with exactly same results. $ npm --version
7.5.2
|
Just to point it out explicitly:
I don't know if the bug is specific to GitHub: adding I hope I explained the problem better now. Please do not hesitate to ask, if something is left unclear. |
It came to my attention that this is a documented behavior that breaks private repositories and environments without
Clearly this is not correct and should be fixed. |
This is a breaking change in npm v7 and prevents anyone using even public packages without ssh keys. We have made a fork of an npm package and host it as a public repo. We refer to it using a We don't want to add ssh keys to our CI pipeline just to fetch public packages, so I don't see any way we can upgrade. I'd be glad to hear of any workaround. Specific example: In package.json referring to https://github.com/Vincit/winston-azure-transport:
Diff of package-lock.json between npm v6 and v7: "winston-azure-transport": {
- "version": "github:Vincit/winston-azure-transport#ed07d0685ca601638ab8ebcf660128848dd30215",
- "from": "github:Vincit/winston-azure-transport#ed07d0685ca601638ab8ebcf660128848dd30215",```
+ "version": "git+ssh://git@github.com/Vincit/winston-azure-transport.git#ed07d0685ca601638ab8ebcf660128848dd30215",
+ "from": "winston-azure-transport@github:Vincit/winston-azure-transport#ed07d0685ca601638ab8ebcf660128848dd30215", Our CI now fails with:
|
This is tricky. We currently keep the https url if auth is set in the url, because presumably you need that auth to access the repo. The tricky bit is that using https without auth in the url will trigger a prompt to enter a username and password on the command line, which will fail (or at least be confusing and strange) in many cases where an install with ssh would work fine. If the repo is public, and a git sha is specified in the spec that we're fetching, then we never hit it via git at all; npm will just fetch the tarball from the appropriate CDN url for the known host. However, if you do not have a git sha in the spec (typically, because there's no lockfile present), then we will have to do a Perhaps an approach that both works in build scenarios without ssh keys and for dev machines where ssh keys are present, while minimizing the scenarios where we need to prompt for a username/password for basic auth, would be to do the following for resolving any known-host git spec:
Maybe we could also add a config to tell npm which git interaction to prefer, thus swapping the order of (3) and (4) above? |
Having an all repo config is probably not the best idea, as packages come in all shapes and forms. |
This is only relevant when pulling packages from known hosts like GitHub or GitLab, where the "shape and size" is fairly well understood. The difference is in the current environment capabilities. Ie, can it use ssh? should it fail if it can't get the repo via git+https, or should it fall back to ssh? should it use https first, or ssh first? These are all system-specific, not dependency- or repo-specific. |
Could these decisions be left for a developer, who provides explicit dependencies? Like if a URL starts with |
Having well-known hosts is admirable, as long as it is transparent, yet it smells like magic — an extra-bandwidth knowledge, which makes the system behave differently on unexpected factors. In my experience, it is a major source of support incidents and perceived bugs even when everything works fine. |
this magic is unacceptable, there are no two ways about it. Do what you want with a |
This comment was marked as spam.
This comment was marked as spam.
There is the exact same issue on yarn 1.X, and it's solved the same way, by adding the "git@" in the URL. |
The git@github.com solution doesn't work for private repositories, because it will actually attempt to authenticate with the "git" user. We would actually need to put in our own dev account username in there to make this approach work, which is 100% not feasible. Tested on the latest version of npm -- 9.8.1 -- and haven't upgraded past v6 because of this nonsense. EDIT: because a fix for this doesn't look like this is coming any time soon and the last vresion where this works is out of support, have added this bash workaround and used where needed:
|
I just encountered this behaviour too, to my big surprise, and wasted 1 day figuring it out. At least on Github, private repos are also available through CDN, if you bearer token is set, but currently NPM doesn't provide an option to set HTTP auth header bearer token for the CDN. You can hardcode a token into dependency URL, but this is no go approach. |
To avoid npm/cli#2610
Depends on the use case but this helped me in CI pipeline (github app token as GH_TOKEN env var is used for authentication but PAT should work too):
Redirecting output to /dev/null helps to avoid error if section doesn't exist. |
Is there any workaround for private repos? This use case is 1000% broken. Other than using an ancient version of npm? I can't believe this has been broken for +2 years at this point. |
Disable git+ssh:// access method. This is not accessible without authentication and anonymous https:// schema must be used instead. You may hit this feature if you are reading this: npm/cli#2610
I discovered this is specific to github due to
Perhaps this if more of a bug in https://github.com/npm/hosted-git-info |
This is happening to me on npm v9. |
Here's the workaround I've been using for a while. I wrote a small script to replace the const fs = require("fs");
const path = require("path");
// I keep this file in a scripts folder
const packagelock = path.resolve(__dirname, "../package-lock.json");
fs.readFile(packagelock, "utf8", (err, data) => {
if (err) {
return console.log(err);
}
const result = data.replace(
/\"resolved\"\:\s\"git\+ssh:\/\/git\@github\.com\/my\/repo\.git/g,
'"resolved": "git+https://[USERNAME]:[TOKEN]@github.com/my/repo.git'
);
fs.writeFile(packagelock, result, "utf8", (err) => {
if (err) {
return console.log(err);
} else {
return console.log("Package lock was fixed");
}
});
}); I run this in the dockerfile before running
|
What about people running CI behind HTTP proxies ? Their only way to the internet is via the proxy and there is no way they would be able to use SSH. You cannot force SSH just because the Git host supports SSH, it might not work for everyone. It has been more than 3 years since this issue was created and it is a shame that people are still forced to use workarounds. |
Dear NPM developers, are you okay? If I use "npm i https://github.com/...", obviously I want to use the https+git protocol. Not ssh. Really sad situation. |
Yet another workaround
|
Are there NPM developers any more? I presume so, it seems like there are still npm updates, but... I dunno, the folks assigned to this aren't actually at Github now afaik, and even then, I'm still somehow getting notifications about this, and I haven't worked on NPM since they decided to fire some of my staff for trying to unionize. =p |
@iarna, that doesn't looks good, thanks for sharing. |
change resolution of tauri-plugin-log-api from ssh to tarball so GH Action will not fail when calling `pnpm i` (see npm/cli#2610)
Current Behavior:
When I use a git repository via an HTTP link NPM "takes liberties" with it, which breaks my build:
It produces
package-lock.json
:Note that
https://github.com/uhop/stream-chain.git
was replaced withgithub:uhop/stream-chain
, which is probably OK in this case. But other two links (?) are rewritten fromhttps://github.com/uhop/stream-chain.git
togit+ssh://git@github.com/uhop/stream-chain.git
, which is clearly bad.The problem is that a build bot we use in similar situations can access private git repositories using HTTP, but not SSH for security reasons. It fails on an authentication. Rewriting
https://github.com/uhop/stream-chain.git
togit+ssh://git@github.com/uhop/stream-chain.git
is not acceptable for that reasons.The fix is relatively minor yet unpleasant: we have to replace
npm ci
withnpm i
, which takes more time and introduced instabilities with other dependencies.Expected Behavior:
When running
npm ci
it should use the original URL with the HTTP authentication instead of SSH.Steps To Reproduce:
See the description and do the same steps using git repositories (github only?) as dependencies.
Environment:
OS: Mac
Node: 15.7.0
NPM: 7.4.3
The text was updated successfully, but these errors were encountered: