v17 request error when checking packages in a private registry #1436

Closed
1 task done
a-kriya opened this issue Jul 31, 2024 · 7 comments · Fixed by #1438

@a-kriya

a-kriya commented Jul 31, 2024


Steps to Reproduce

Scoped package in a private registry (authenticated) defined in dependencies. Successful check with v16, failure with v17.

Steps:

  1. npm i -g npm-check-updates@17.0.0
  2. ncu
  3. 400 Bad Request
  4. npm i -g npm-check-updates@16.14.0
  5. ncu
  6. Success

Current Behavior

~/Git/Acme/my-project $  ncu -t minor                                                           
Checking /Users/jdoe/Git/Acme/my-project/package.json
[=================---] 28/33 84%vL: 400 Bad Request - GET https://acme-000000.d.codeartifact.us-east-2.amazonaws.com/npm/internal/@acme/typings - Bad request. The package name '@acme' is invalid.
    at /opt/homebrew/lib/node_modules/npm-check-updates/build/index.js:347:925
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  headers: [Object: null prototype] {
    date: [ 'Wed, 31 Jul 2024 18:47:54 GMT' ],
    'content-type': [ 'application/json' ],
    'content-length': [ '96' ],
    connection: [ 'keep-alive' ],
    'x-amzn-trace-id': [ 'Root=1-66aa86da-11c2b84035667a0049a1fe64;' ],
    'content-encoding': [ 'gzip' ],
    'x-amzn-requestid': [ '3739a245-706d-4f72-89b2-a8ddee1bce06' ],
    'x-fetch-attempts': [ '1' ]
  },
  statusCode: 400,
  code: 'E400',
  method: 'GET',
  uri: 'https://acme-000000.d.codeartifact.us-east-2.amazonaws.com/npm/internal/@acme/typings',
  body: {
    success: false,
    error: "Bad request. The package name '@acme' is invalid."
  },
  pkgid: '@acme/typings'
}
[===================-] 32/33 96%%                                                                                                             


~/Git/Acme/my-project $  npm i -g npm-check-updates@16.14.0                                

added 335 packages, and changed 1 package in 28s


~/Git/Acme/my-project $  ncu -t minor                                                     
Checking /Users/jdoe/Git/Acme/my-project/package.json
[====================] 33/33 100%

 @acme/typings           ^10.3.0  →   ^10.4.0
 cypress                ^13.13.1  →  ^13.13.2
 eslint-plugin-cypress    ^3.3.0  →    ^3.4.0
 husky                    ^9.1.1  →    ^9.1.4
 typescript-eslint       ^7.17.0  →   ^7.18.0

Run ncu -t minor -u to upgrade package.json

Expected Behavior

Successful check as in v16.

@raineorshine
Owner

Thanks for reporting. Can you tell me the last v17 prerelease that works for you? i.e. v17.0.0-1..v17.0.0-7

There must be some npm auth config that is not being set properly. It likely occurred in the conversion from pacote to npm-registry-fetch.

@a-kriya
Author

a-kriya commented Aug 1, 2024

17.0.0-3

 ~/Git/Acme/my-project $ npm i -g npm-check-updates@17.0.0-3

added 101 packages, and changed 1 package in 9s

14 packages are looking for funding
  run `npm fund` for details

 ~/Git/Acme/my-project $ ncu
Checking /Users/jdoe/Git/Acme/my-project/package.json
[====================] 46/46 100%

 typescript-eslint     ^7.18.0  →    ^8.0.0

Run ncu -u to upgrade package.json

 ~/Git/Acme/my-project $ npm i -g npm-check-updates@17.0.0-4

removed 101 packages, and changed 1 package in 4s

~/Git/Acme/my-project $  ncu

The last command results in the same error as above.

@raineorshine
Owner

raineorshine commented Aug 1, 2024

That is definitely caused by switching from https://github.com/npm/pacote to https://github.com/npm/npm-registry-fetch (#1329). I will need to set up a scoped package in a private registry and try to get the auth config similar to reproduce.

If someone can reproduce this and wants to take a stab at it that would be a big help.

swantzter added a commit to swantzter/npm-check-updates that referenced this issue Aug 2, 2024
Scoped package names were not URL encoded as they should be meaning the
scope was treated as the package name and the package name was treated
as the version by some registry implementations.

The usage of `node:path` rather than a proper URL API resulted in the
stripping of one of the slashes after http(s)://

Comparing the behaviour of npm-check-update v16 vs v17 before this patch

v16 generated URLs like https://registry/@scope%2fname
v17 generated URLs like https:/registry/@scope/name

fixes raineorshine#1436
@swantzter
Contributor

Hi, I believe the core issue here was the fact that package names weren't properly URL encoded; the authentication may have actually been successful, given that the registry responded with a 400 rather than a 403 and an error that the package name was just the scope. But just to be sure, I fixed both the URL formatting issue and the URL encoding of the package names in PR #1438, which works fine in my local testing.
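
The two defects named in the commit message and comment above, reproduced as an added example (not code from npm-check-updates or PR #1438). The registry host and the helper names `buildWithPathJoin`, `buildWithUrlApi` and `segmentsAfterPrefix` are hypothetical.

```javascript
// Added example: why joining a registry URL with node:path breaks scoped packages.
const path = require('node:path')

// Constructed placeholder values, not the reporter's real registry.
const REGISTRY = 'https://registry.example.test/npm/internal/'
const PKG = '@acme/typings'

// Defective style: treating a URL as a filesystem path.
// path.posix.join normalizes "//" to "/", so "https://" becomes "https:/",
// and the unencoded "/" in the scoped name becomes an extra path segment.
function buildWithPathJoin(registry, name) {
  return path.posix.join(registry, name)
}

// Corrected style (one way to do it): encode the scope separator and
// resolve against the registry base with the WHATWG URL API.
function buildWithUrlApi(registry, name) {
  const base = registry.endsWith('/') ? registry : registry + '/'
  // Keep "@" literal and encode the rest: "@acme%2Ftypings".
  // "%2F" and the "%2f" shown in the commit message are equivalent.
  const encoded = name.startsWith('@')
    ? '@' + encodeURIComponent(name.slice(1))
    : encodeURIComponent(name)
  return new URL(encoded, base).href
}

// What a registry that splits the path on "/" sees after its repository prefix.
// new URL() tolerates "https:/host" for special schemes, so both forms parse.
function segmentsAfterPrefix(url, prefix) {
  const p = new URL(url).pathname
  return p.slice(p.indexOf(prefix) + prefix.length).split('/').filter(Boolean)
}

const broken = buildWithPathJoin(REGISTRY, PKG)
const fixed = buildWithUrlApi(REGISTRY, PKG)
console.log(broken, segmentsAfterPrefix(broken, '/npm/internal/'))
console.log(fixed, segmentsAfterPrefix(fixed, '/npm/internal/'))
```

With the unencoded form the registry receives two segments and reads the scope alone as the package name, which matches the `The package name '@acme' is invalid` response in the report.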

@raineorshine
Owner

Published in v17.0.1

@LeahPike

I'm still getting this issue in 17.1.1, downgrading to version 16.14.20 works.

PS C:\GitHub\test> ncu -v                                 
17.1.1
PS C:\GitHub\test> ncu                                    
Checking C:\GitHub\test\package.json
[====================] 52/53 98%KL: 403 Forbidden - GET https://npm.mobiscroll.com/%40mobiscroll%2Fangular-ivy - unregistered users are not allowed to access package @mobiscroll/angular-ivy
    at C:\Users\MyName\AppData\Roaming\npm\node_modules\npm-check-updates\build\index.js:347:925
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  headers: [Object: null prototype] {
    server: [ 'nginx' ],
    date: [ 'Tue, 17 Sep 2024 12:26:39 GMT' ],
    'content-type': [ 'application/json; charset=utf-8' ],
    'content-length': [ '94' ],
    connection: [ 'keep-alive' ],
    'x-powered-by': [ 'verdaccio/3.11.6' ],
    'access-control-allow-origin': [ '*' ],
    etag: [ 'W/"5e-g3e598w6sl/x6kTX5cTcIFGbrcA"' ],
    vary: [ 'Accept-Encoding' ],
    'x-status-cat': [ 'http://flic.kr/p/aV6jFK' ],
    'x-fetch-attempts': [ '1' ]
  },
  statusCode: 403,
  code: 'E403',
  method: 'GET',
  uri: 'https://npm.mobiscroll.com/%40mobiscroll%2Fangular-ivy',
  body: {
    error: 'unregistered users are not allowed to access package @mobiscroll/angular-ivy'
  },
  pkgid: '@mobiscroll/angular-ivy'
}
PS C:\GitHub\test> 

@swantzter
Contributor

@LeahPike that does actually look like something different; it seems the request is sent to the correct repo and the registry correctly identifies the package according to the response.
