Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Lerna publish does not use publishConfig registry when verifying credentials
See original GitHub issueWhen running npm publish with intent to publish to a private registry, lerna appears to check for credentials at the main configured registry rather than the destination specified in the publishConfig.registry variable in package.json. If --no-verify-access is used, the verification is skipped and publish works.
This issue is intended to ask about the desired behavior in this case.
Expected Behavior
npm publish supports publishing to a private registry without always modifying .npmrc. If a registry is specified in package.json. For example:
"publishConfig":{
"access": "restricted",
"registry":"https://sample.jfrog.io/sample/api/npm/npm-sample/"
},
If the user runs npm login --registry=https://sample.jfrog.io/sample/api/npm/npm-sample/ --scope=@sample prior publishing, npm publish will properly push to https://sample.jfrog.io/sample/api/npm/npm-sample/ This workflow can be performed as a convenience for not having to modify the .npmrc in some automation formats.
Current Behavior
As referenced in other issues, like https://github.com/lerna/lerna/issues/1685, this works similarly with lerna, but only if --no-verify-access is supplied as an option. Even if all packages use the private repository, we will receive the following error:
lerna info Verifying npm credentials
lerna http fetch GET 401 https://registry.npmjs.org/-/npm/v1/user 384ms
Unable to authenticate, need: Basic, Bearer
lerna ERR! EWHOAMI Authentication error. Use `npm whoami` to troubleshoot.
Possible Solution
If the current behavior is not the expected behavior, and if it is not desirable to skip verification in each case where a push of this type is needed: Should default npm registry access be skipped by default if all packages specify a private registry? Or should the private registry be resolved and proactively checked for access instead, if the default registry is unused?
Steps to Reproduce (for bugs)
- configure all packages with a private repository that is different from the default
npm config get registry - npm login to the private registry (for example:
npm login --registry=https://sample.jfrog.io/sample/api/npm/npm-sample/ --scope=@sample) - run
lerna publish --skip-git - observe error message
- manually revert local updates to recover from failed publish
- run
lerna publish --skip-git --no-verify-access, observe success.
lerna.json
{
"packages": [
"demos/*",
"packages/*"
],
"version": "0.1.0"
}
Context
Your Environment
| Executable | Version |
|---|---|
lerna --version |
3.13.1 |
npm --version |
6.4.1 |
yarn --version |
n/a |
node --version |
v10.15.3 |
| OS | Version |
|---|---|
| NAME | VERSION |
| Windows 10 | 1903 |
Issue Analytics
- State:
- Created 4 years ago
- Comments:5 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@krumware - for reference and future readers, change the lerna.json to this,
is not mentioned in the docs
This is one reason (among many) I dislike JFrog’s registry “solution”. Splitting the publish and install endpoints is an annoying pattern. Anyway.
One way to avoid this is configuring
command.publish.registryin lerna.json. The per-packagepublishConfig.registrywould still overrule, in case you had multiple values, but at least you could validate one of the logins.