Lerna publish does not use publishConfig registry when verifying credentials
When running npm publish with intent to publish to a private registry, lerna appears to check for credentials at the main configured registry rather than the destination specified in the publishConfig.registry variable in package.json. If --no-verify-access is used, the verification is skipped and publish works.
This issue is intended to ask about the desired behavior in this case.
Expected Behavior
npm publish supports publishing to a private registry without always modifying .npmrc, if a registry is specified in package.json. For example:
  "publishConfig": {
    "access": "restricted",
    "registry": "https://sample.jfrog.io/sample/api/npm/npm-sample/"
  },
If the user runs npm login --registry=https://sample.jfrog.io/sample/api/npm/npm-sample/ --scope=@sample prior to publishing, npm publish will properly push to https://sample.jfrog.io/sample/api/npm/npm-sample/
This workflow can be performed as a convenience for not having to modify the .npmrc in some automation formats.
Current Behavior
As referenced in other issues, like https://github.com/lerna/lerna/issues/1685, this works similarly with lerna, but only if --no-verify-access is supplied as an option. Even if all packages use the private repository, we will receive the following error:
lerna info Verifying npm credentials
lerna http fetch GET 401 https://registry.npmjs.org/-/npm/v1/user 384ms
Unable to authenticate, need: Basic, Bearer
lerna ERR! EWHOAMI Authentication error. Use `npm whoami` to troubleshoot.
Possible Solution
If the current behavior is not the expected behavior, and if it is not desirable to skip verification in each case where a push of this type is needed: Should default npm registry access be skipped by default if all packages specify a private registry? Or should the private registry be resolved and proactively checked for access instead, if the default registry is unused?
Steps to Reproduce (for bugs)
- configure all packages with a private repository that is different from the default npm config get registry
- npm login to the private registry (for example: npm login --registry=https://sample.jfrog.io/sample/api/npm/npm-sample/ --scope=@sample)
- run lerna publish --skip-git
- observe error message
- manually revert local updates to recover from failed publish
- run lerna publish --skip-git --no-verify-access, observe success.
lerna.json
{
  "packages": [
    "demos/*",
    "packages/*"
  ],
  "version": "0.1.0"
}
Context
Your Environment
Executable | Version |
---|---|
lerna --version | 3.13.1 |
npm --version | 6.4.1 |
yarn --version | n/a |
node --version | v10.15.3 |

OS | Version |
---|---|
NAME | VERSION |
Windows 10 | 1903 |
Issue Analytics
- State:
- Created 4 years ago
- Comments:5 (2 by maintainers)
Top GitHub Comments
@krumware - for reference and future readers, change the lerna.json to this,
is not mentioned in the docs
This is one reason (among many) I dislike JFrog’s registry “solution”. Splitting the publish and install endpoints is an annoying pattern. Anyway.
One way to avoid this is configuring command.publish.registry in lerna.json. The per-package publishConfig.registry would still overrule, in case you had multiple values, but at least you could validate one of the logins.
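
An added example, not part of the original issue or of lerna's own code: a Node.js function that resolves which registry each package in a monorepo would publish to and flags the case reported here, where the up-front credential check targets a registry no package uses. The precedence (per-package publishConfig.registry, then command.publish.registry, then the npm default) is taken from the thread; the function and field names are hypothetical and the manifests are constructed sample data.

```javascript
// Added example. Assumed precedence, from the thread: publishConfig.registry,
// then command.publish.registry in lerna.json, then the npm default registry.

// Normalise so "https://host/path" and "https://HOST/path/" compare equal.
function normalizeRegistry(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}${u.pathname.replace(/\/+$/, "")}/`;
}

function resolvePublishTargets(lernaJson, manifests, defaultRegistry) {
  const publishCmd = (lernaJson.command && lernaJson.command.publish) || {};
  const fallback = normalizeRegistry(publishCmd.registry || defaultRegistry);
  const targets = manifests
    .filter((m) => !m.private) // "private": true packages are not published
    .map((m) => {
      const own = m.publishConfig && m.publishConfig.registry;
      return {
        name: m.name,
        registry: own ? normalizeRegistry(own) : fallback,
        source: own ? "publishConfig" : publishCmd.registry ? "lerna.json" : "default",
      };
    });
  const registries = [...new Set(targets.map((t) => t.registry))].sort();
  return {
    targets,
    registries, // every registry that needs a working login before publishing
    verifiedRegistry: fallback, // where a single up-front check would go
    // True when that check hits a registry no package publishes to,
    // which is the situation reported in this issue.
    verifyMismatch: targets.length > 0 && !registries.includes(fallback),
    // Packages with no explicit registry anywhere; review before publishing.
    fallthrough: targets.filter((t) => t.source === "default").map((t) => t.name),
  };
}

// Constructed sample input, modelled on the configuration in the issue.
const PRIVATE = "https://sample.jfrog.io/sample/api/npm/npm-sample/";
const sampleManifests = [
  { name: "@sample/a", publishConfig: { access: "restricted", registry: PRIVATE } },
  { name: "@sample/b", publishConfig: { registry: PRIVATE.slice(0, -1) } },
  { name: "@sample/demo", private: true },
];
const sampleLerna = { packages: ["demos/*", "packages/*"], version: "0.1.0" };
function demo() {
  return resolvePublishTargets(sampleLerna, sampleManifests, "https://registry.npmjs.org/");
}
console.log(JSON.stringify(demo(), null, 2));
```

Setting command.publish.registry in the lerna.json object passed in makes verifyMismatch false for this sample, which matches the workaround suggested in the last comment.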