[BUG] npm 7.18.1 ignores publishConfig.registry

[alkisg]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

This is similar to issue #1937, which is supposed to be resolved, but I still have it.
npm publish fails to pick up publishConfig.registry from my package.json, yet it works fine if I provide it in the command line with npm publish --registry=https://gitlab.com/api/v4/projects/26587846/packages/npm/

I slimmed down my package.json to this, and I'm also providing the full logs on the failure / success cases.

Expected Behavior

No response

Steps To Reproduce

1. package.json:

{
  "name": "@ts.sch.gr/sch-webapps-test",
  "publishConfig": {
    "access": "public",
    "@ts.sch.gr:registry": "https://gitlab.com/api/v4/projects/26587846/packages/npm/"
  },
  "version": "1.0.0"
}

2. Failed attempt:

alkisg@alkis:/home/Public/Development/git/ts.sch.gr/sch-webapps$ npm publish --loglevel=silly
npm verb cli [
npm verb cli   '/usr/local/bin/node',
npm verb cli   '/usr/local/bin/npm',
npm verb cli   'publish',
npm verb cli   '--loglevel=silly'
npm verb cli ]
npm info using npm@7.18.1
npm info using node@v16.4.0
npm timing npm:load:whichnode Completed in 0ms
npm timing config:load:defaults Completed in 1ms
npm timing config:load:file:/usr/local/lib/node_modules/npm/npmrc Completed in 0ms
npm timing config:load:builtin Completed in 0ms
npm timing config:load:cli Completed in 2ms
npm timing config:load:env Completed in 0ms
npm timing config:load:file:/home/Public/Development/git/ts.sch.gr/sch-webapps/.npmrc Completed in 0ms
npm timing config:load:project Completed in 1ms
npm timing config:load:file:/home/alkisg/.npmrc Completed in 2ms
npm timing config:load:user Completed in 2ms
npm timing config:load:file:/usr/local/etc/npmrc Completed in 0ms
npm timing config:load:global Completed in 0ms
npm timing config:load:validate Completed in 0ms
npm timing config:load:credentials Completed in 1ms
npm timing config:load:setEnvs Completed in 1ms
npm timing config:load Completed in 8ms
npm timing npm:load:configload Completed in 9ms
npm timing npm:load:setTitle Completed in 0ms
npm timing npm:load:setupLog Completed in 1ms
npm timing npm:load:cleanupLog Completed in 2ms
npm timing npm:load:configScope Completed in 0ms
npm timing npm:load:projectScope Completed in 0ms
npm timing npm:load Completed in 16ms
npm timing config:load:flatten Completed in 2ms
npm verb publish [ '.' ]
npm notice 
npm notice 📦  @ts.sch.gr/sch-webapps-test@1.0.0
npm notice === Tarball Contents === 
npm notice 4.9kB README.md   
npm notice 2.6kB index.js    
npm notice 203B  package.json
npm notice === Tarball Details === 
npm notice name:          @ts.sch.gr/sch-webapps-test             
npm notice version:       1.0.0                                   
npm notice filename:      @ts.sch.gr/sch-webapps-test-1.0.0.tgz   
npm notice package size:  3.2 kB                                  
npm notice unpacked size: 7.7 kB                                  
npm notice shasum:        66b2fa154e2dcd57ee1b07958a6d6c211ee302df
npm notice integrity:     sha512-gQm5iFvLu2YCT[...]vntzujy5smilA==
npm notice total files:   3                                       
npm notice 
npm timing command:publish Completed in 64ms
npm verb stack Error: This command requires you to be logged in.
npm verb stack     at Publish.publish (/usr/local/lib/node_modules/npm/lib/publish.js:115:29)
npm verb cwd /home/Public/Development/git/ts.sch.gr/sch-webapps
npm verb Linux 5.4.0-80-generic
npm verb argv "/usr/local/bin/node" "/usr/local/bin/npm" "publish" "--loglevel=silly"
npm verb node v16.4.0
npm verb npm  v7.18.1
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`
npm verb exit 1
npm timing npm Completed in 311ms
npm verb code 1

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/alkisg/.npm/_logs/2021-07-23T08_57_46_549Z-debug.log

3. Successful attempt:

alkisg@alkis:/home/Public/Development/git/ts.sch.gr/sch-webapps$ npm publish --registry=https://gitlab.com/api/v4/projects/26587846/packages/npm/ --loglevel=silly
npm verb cli [
npm verb cli   '/usr/local/bin/node',
npm verb cli   '/usr/local/bin/npm',
npm verb cli   'publish',
npm verb cli   '--registry=https://gitlab.com/api/v4/projects/26587846/packages/npm/',
npm verb cli   '--loglevel=silly'
npm verb cli ]
npm info using npm@7.18.1
npm info using node@v16.4.0
npm timing npm:load:whichnode Completed in 1ms
npm timing config:load:defaults Completed in 1ms
npm timing config:load:file:/usr/local/lib/node_modules/npm/npmrc Completed in 0ms
npm timing config:load:builtin Completed in 0ms
npm timing config:load:cli Completed in 2ms
npm timing config:load:env Completed in 1ms
npm timing config:load:file:/home/Public/Development/git/ts.sch.gr/sch-webapps/.npmrc Completed in 0ms
npm timing config:load:project Completed in 0ms
npm timing config:load:file:/home/alkisg/.npmrc Completed in 2ms
npm timing config:load:user Completed in 2ms
npm timing config:load:file:/usr/local/etc/npmrc Completed in 0ms
npm timing config:load:global Completed in 0ms
npm timing config:load:validate Completed in 0ms
npm timing config:load:credentials Completed in 1ms
npm timing config:load:setEnvs Completed in 1ms
npm timing config:load Completed in 9ms
npm timing npm:load:configload Completed in 9ms
npm timing npm:load:setTitle Completed in 0ms
npm timing npm:load:setupLog Completed in 1ms
npm timing npm:load:cleanupLog Completed in 2ms
npm timing npm:load:configScope Completed in 0ms
npm timing npm:load:projectScope Completed in 1ms
npm timing npm:load Completed in 17ms
npm timing config:load:flatten Completed in 2ms
npm verb publish [ '.' ]
npm notice 
npm notice 📦  @ts.sch.gr/sch-webapps-test@1.0.0
npm notice === Tarball Contents === 
npm notice 4.9kB README.md   
npm notice 2.6kB index.js    
npm notice 203B  package.json
npm notice === Tarball Details === 
npm notice name:          @ts.sch.gr/sch-webapps-test             
npm notice version:       1.0.0                                   
npm notice filename:      @ts.sch.gr/sch-webapps-test-1.0.0.tgz   
npm notice package size:  3.2 kB                                  
npm notice unpacked size: 7.7 kB                                  
npm notice shasum:        66b2fa154e2dcd57ee1b07958a6d6c211ee302df
npm notice integrity:     sha512-gQm5iFvLu2YCT[...]vntzujy5smilA==
npm notice total files:   3                                       
npm notice 
+ @ts.sch.gr/sch-webapps-test@1.0.0
npm timing command:publish Completed in 669ms
npm verb exit 0
npm timing npm Completed in 823ms
npm info ok 

Environment

• OS: Ubuntu 20.04
• Node: v16.4.0
• npm: 7.18.1

[pjroth]

I'm seeing this same issue where a publishConfig registry override is not being picked up when running npm publish. I see this error:

npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`

If I run with a override on the command line, as follows, the publish works as I expect:

npm --registry=https://nexus.example.com/nexus/repository/npm-internal/ publish

I also have auth configured in my ~/.npmrc since this registry is private and requires auth:

registry=https://nexus.example.com/nexus/repository/npm-all/
always-auth=true
email=me@example.com
_auth=<removed>

Note there are two registries I use. A npm-all which is a group that has my npm-internal in it and the public node registry. I need to push to npm-internal but want to use npm-all for everything else so that my private registry is used to proxy/cache requests to the public node registry for everyone at my company. My package.json is set to npm-internal same as the above override I show above in the publishConfig. But my ~/.npmrc uses npm-all so that npm install commands use that npm-all group/proxy registry.

I'm running the following:

1. npm 7.20.1
2. node v12.21.0
3. OS ubuntu

Thank you!

[djbeadle]

Confirming this issue on Windows 10, npm 7.20.1, node 14.17.3.

npm login --verbose ignores publishConfig.registry in package.json and instead uses the registry defined in .npmrc.
npm publish exhibits the same behavior, in both cases adding --registry=https://some-custom-registry is a suitable work around.

For now I am adding the following to my package.json.scripts.prepublishOnly script:

"prepublishOnly": "printf \"⚠ NOTE ⚠ There is a bug in npm 7.20 that ignores the registry specified in package.json > publishConfig.registry.\\nUntil this is resolved to deploy a new version of the component library use the following command:\\n\\nnpm publish --ignore-scripts --registry=http://custom-artifactory-repo\\n\\n\" && exit 1"

[lorenzorad]

Sharing my experience on npm 7.24.2, node 14.18.1, using .npmrc to define the custom registry. Maybe not totally related, but I was having issue on npm ci because npm was trying to get dependencies from global npm registry instead of my custom one.

I've been able to bypass the issue putting in .npmrc even legacy-peer-deps = true:

@mynamespace:registry = https://my.custom.com/registry/url
legacy-peer-deps=true

[ravermeister]

The Workaround described above doesn't work for me with node:17 from dockerhub

my Workaround (on a Linux environment) is as follows:

regurl=$(grep "registry" package.json | cut -d ":" -f2- | tr -d "\"[:space:]")
npm publish --registry=$regurl

[oliverlockwood]

This is still a problem running:

• NodeJS v16.13.0
• NPM 8.1.0

I have jq available on my CI slaves and so am using the one-line workaround as follows:
npm publish --registry=$(jq -r '.publishConfig.registry' package.json)

So far as I know, the publishConfig.registry configuration in package.json is not in any way deprecated. So why does NPM continue to not respect this configuration, following a regression that's now almost 5 months old?

[jonathanmedd]

I have the same issue with npm 8.1.2 and Nexus

[hexxone]

Bump.

This is still an annoying issue.
No matter what I do for npm set or npm config set or -g,
it seems NPM never tries to use a custom registry defined from a local .npmrc on Windows (using the @MyComp annotation).

Error:

npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/@mycomp%2fsomething - Not found
npm ERR! 404
npm ERR! 404  '@mycomp/something@*' is not in this registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404

publishing to the registry using dind CI on Gitlab worked without much problems before...
https://docs.gitlab.com/ee/user/packages/npm_registry/index.html#authenticate-with-a-ci-job-token

Please do something about this?

[nlf]

are you folks still able to reproduce this? we've made some changes to how publishConfig is handled a few times since the last reported versions in use in this thread. if this is still happening, though, i'll look into it.

[ravermeister]

for me it is still broken using node:17 or node:latest from dockerhub. below is the gitlab pipeline job I'm using:

publishApiToNpmSnapshot:
  image: node:17
  stage: npm
  only:
    - develop
    - /^feature\/.*$/
  script:
    - cd api
    - echo -n "_auth=" > .npmrc && echo -n "$NPM_REPO_USERNAME:$NPM_REPO_PASSWORD" | openssl base64 >> .npmrc
    # note, nodejs 17 has a bug that the registry is not obtained from the package.json file
    # see here: https://github.com/npm/cli/issues/3573
    # - npm publish
    - regurl=$(grep "registry" package.json | cut -d ":" -f2- | tr -d "\"[:space:]")
    - npm publish --registry=$regurlistry=$regurl 

[nlf]

can you try updating your npm in one of those containers to see if that resolves the issue? the latest version shipped bundled with node is a few versions behind our latest release

[ravermeister]

sure, what should i run npm update before doing npm publish ?

[nlf]

npm i -g npm, you may need sudo if your container doesn't run as root

[ravermeister]

still same error...

$ cd api
$ echo -n "_auth=" > .npmrc && echo -n "$NPM_REPO_USERNAME:$NPM_REPO_PASSWORD" | openssl base64 >> .npmrc
$ npm i -g npm
changed 30 packages, and audited 201 packages in 4s
10 packages are looking for funding
  run `npm fund` for details
found 0 vulnerabilities
$ npm publish
npm notice 
...                                        
npm notice 
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in to <registry_url> npm ERR! need auth You need to authorize this machine using `npm adduser`
npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2022-04-11T16_49_21_101Z-debug-0.log
Cleaning up project directory and file based variables
00:00
ERROR: Job failed: command terminated with exit code 1nd terminated with exit code 1

[wraithgar]

The bare _auth config only works on the npm registry itself. This is for security purposes, so that a single auth token isn't sent to multiple registries. If you have a basic auth token that you need to send to another registry you will have to scope it to the registry with a config like

//other-registry.com/:_auth=whatever

The docs for _auth are going to be updated to clarify this: #4782

[reda-alaoui]

We still have the issue on NodeJS 20.

Isn't that caused by c929ed1?
Looks like we expect filteredPublishConfig to have a side effect on manifest.publishConfig, but it doesn't.

[reda-alaoui]

Ok my mistake.

In fact, in our case, the bug is triggered by the presence of scoped registries in .npmrc:

registry=https://nexus.acme.dev/repository/npm/
@acme:registry=https://nexus.acme.dev/repository/npm/
@acme-lab:registry=https://nexus.acme.dev/repository/npm-acme-lab/
save-exact=true
always-auth=false

package.json:

{
	"name": "@acme/foo-sdk",
	"publishConfig": {
		"registry": "https://nexus.acme.dev/repository/npm-releases/"
	}
}

With this, npm publish uses https://nexus.acme.dev/repository/npm/ instead of https://nexus.acme.dev/repository/npm-releases/.

[reda-alaoui]

This fixes the issue for us:

Subject: [PATCH] ff
---
diff --git a/package.json b/package.json
 	"publishConfig": {
-		"registry": "https://nexus.acme.dev/repository/npm-releases/"
+		"@acme:registry": "https://nexus.acme.dev/repository/npm-releases/"
 	},