Yarn not authenticating when “npm:” alias version points to authenticated package

Bug description

Yarn is not using authentication when an aliased dependency points to a package that requires authentication.

I’m using an aliased package in my package.json, like this:

$ cat package.json 
{
  "dependencies": {
    "tinymce": "yarn:@rtc/tinymce"
  }
}

@rtc/tinymce is a package that requires authentication. However, yarn does not appear to be sending any authentication.

It works fine if I use a normal dependency like this:

$ cat package.json 
{
  "dependencies": {
    "@rtc/tinymce": "latest"
  }
}

In both scenarios, I have a .yarnrc file:

"@rtc:registry" "https://my-npm-host/tiny/rtc/"

and I have the relevant auth token in ~/.npmrc.

Command

With the above package.json, I run:

yarn install
rm -rf node_modules
yarn cache clean --pattern '@rtc/*'
yarn install --frozen-lockfile

What is the current behavior?
Yarn is not sending authentication when I run yarn install --frozen-lockfile. This is causing a 401 error.

$ yarn install
yarn install v1.22.4
warning package.json: No license field
warning No license field
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
error An unexpected error occurred: "https://my-npm-host/tiny/rtc/@rtc/tinymce/-/5.3.0-rtc-build.1/tinymce-5.3.0-rtc-build.1.tgz: Request failed \"401 Unauthorized\"".
info If you think this is a bug, please open a bug report with the information provided in "/Users/dylan/tmp/testcase/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

What is the expected behavior?
The authentication is sent through correctly.

Steps to Reproduce
Unfortunately, I’m unable to provide a public replication case – by nature, this requires an authenticated service. I’ve been testing with Cloudsmith as an example.

  1. Use a package.json, .yarnrc and ~/.npmrc as described above.
  2. Run the command above.

Environment

  • Node Version: 13.12.0
  • Yarn v1 Version: 1.22.4
  • OS and version: macOS 10.15.4

Also tested on:

  • Node Version: 10.20.1
  • Yarn v1 Version: 1.22.4
  • OS and version: CentOS 7

Author: Fantashit

1 thought on “Yarn not authenticating when “npm:” alias version points to authenticated package”

  1. We found the following workaround:

    {
      "dependencies": {
        "@rtc/tinymce": "^1.2.3",
        "tinymce": "yarn:@rtc/tinymce"
      }
    }
    

    With this, yarn seems to download "@rtc/tinymce": "^1.2.3" first, then cache it; then, when it tries to load "tinymce": "yarn:@rtc/tinymce", it loads it from the cache.
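One way to find this dependency shape in a project, as an added example that is not part of the original report, the comment, or Yarn's own code: it lists alias dependencies whose target scope is mapped to a custom registry in .yarnrc and notes whether the workaround above is present. The function names are hypothetical and the sample inputs are constructed from the files quoted in the report.

```javascript
// Added example (not Yarn's code): audit package.json for alias dependencies that
// point into a scope which .yarnrc maps to a custom (authenticated) registry.

// Parse Yarn v1 .yarnrc lines of the form: "@scope:registry" "https://host/path/"
function scopedRegistries(yarnrcText) {
  const map = new Map();
  for (const line of yarnrcText.split(/\r?\n/)) {
    const m = line.match(/^\s*"?(@[^:"\s]+):registry"?\s+"?([^"\s]+)"?\s*$/);
    if (m) map.set(m[1], m[2]);
  }
  return map;
}

// The page's title names the "npm:" alias prefix while its listings show "yarn:",
// so both spellings are accepted. Group 1 = @scope/name, group 2 = @scope.
const ALIAS = /^(?:npm|yarn):((@[^/@\s]+)\/[^@\s]+)(?:@.+)?$/;

function auditAliases(pkg, yarnrcText) {
  const registries = scopedRegistries(yarnrcText);
  const fields = ["dependencies", "devDependencies", "optionalDependencies"];
  const all = Object.assign({}, ...fields.map((f) => pkg[f] || {}));
  const findings = [];
  for (const [alias, spec] of Object.entries(all)) {
    const m = ALIAS.exec(String(spec));
    if (!m || !registries.has(m[2])) continue; // not an alias into a mapped scope
    findings.push({
      alias,
      target: m[1],
      registry: registries.get(m[2]),
      // Workaround from the comment: the target is also listed as a direct dependency.
      hasWorkaround: Object.prototype.hasOwnProperty.call(all, m[1]),
    });
  }
  return findings;
}

// Constructed sample input mirroring the files shown in the report.
const sampleYarnrc = '"@rtc:registry" "https://my-npm-host/tiny/rtc/"\n';
const samplePkg = {
  dependencies: { tinymce: "yarn:@rtc/tinymce", lodash: "npm:lodash@^4" },
};
console.log(auditAliases(samplePkg, sampleYarnrc));
```

Entries with `hasWorkaround: false` are the ones that match the failing package.json in the report.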
