Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Lerna doesn't work with NPM automation tokens

See original GitHub issue

When I properly set up npm credentials inside of GitHub Actions, and use an npm automation token (which normally supports write actions), lerna fails when verifying npm auth, even though npm is properly authenticated for publishing:

$ lerna publish patch
....
lerna info Verifying npm credentials
lerna http fetch GET 403 https://registry.npmjs.org/-/npm/v1/user 241ms
403 Forbidden - GET https://registry.npmjs.org/-/npm/v1/user
lerna ERR! EWHOAMI Authentication error. Use `npm whoami` to troubleshoot.

When I switch to a read-write npm token (with OTP turned off), lerna works fine.

It appears lerna does not support npm automation tokens. It would be nice if it did, that way people won’t be inclined to turn off OTP on their human tokens.

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:53
  • Comments:15 (1 by maintainers)

github_iconTop GitHub Comments

25reactions
dyladancommented, Feb 5, 2021

Using https://github.com/lerna/lerna/tree/main/commands/publish#--no-verify-access may fix this. Automation tokens don’t have permission to access the endpoint lerna uses to verify permission.

As a longer-term fix, this should be documented or the /-/whoami endpoint should be used which can be accessed by automation tokens.

13reactions
FRSgitcommented, Feb 20, 2021

This issue thread was a real life saver - I’ve just struggled with publishing the @frsource/tiny-carousel packages for two days before finding this gold. To make life easier for the future travellers, I’ve patched a PR adding the necessary info about handling of npm automation tokens - #2825. Hope it will save some time for the others 😄

Feel free to comment/post suggestions in the PR, or just react with 👍 if agree that it should be merged.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Developers - Lerna doesn't work with NPM automation tokens -
When I properly set up npm credentials inside of GitHub Actions, and use an npm automation token (which normally supports write actions), lerna...
Read more >
@lerna/publish - npm
Historically, lerna attempted to fast-fail on authorization/authentication issues by performing some preemptive npm API requests using the given token.
Read more >
npm automation tokens | GitHub Changelog
Using an automation token will not prompt for a one-time passcode, meaning that you can use it as a secret in your publish...
Read more >
No BS monorepo - Part 2 - DEV Community ‍ ‍
This time it's because Lerna has trouble verifying the user when dealing with NPM automation tokens. This issue is well described here.
Read more >
Looking forward the CI/CD part, so far I have not been able to make ...
Looking forward the CI/CD part, so far I have not been able to make NPM Automation Tokens work with lerna & yarn in...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Should `lerna publish --canary` detect unpublished packages?

Next page

lerna: command not found on ubuntu 20.04 LTS