25

This question is related to these. But none of the solutions worked for me.

I can install a package without issues with npm install @scope/package however I cannot do the same with yarn: yarn add @scope/package

yarn throws the following error: An unexpected error occurred: "https://npm.pkg.github.com/download/@scope/package/1.2.8/089b08cffb16074c210ec3a59b04de268ae1c7b3a0492dce110adee3ada05bdd: Request failed \"401 Unauthorized\"".

my .npmrc file looks like this: (tried with and without below .yarnrc)

registry=https://registry.npmjs.org/
//npm.pkg.github.com/:_authToken=MY_AUTHTOKEN
@scope:registry=https://npm.pkg.github.com/

I have tried adding this .yarnrc file:

registry "https://registry.npmjs.org"
"@scope:registry" "https://npm.pkg.github.com"

(without .yarnrc) I've tried this .npmrc file

registry=https://registry.yarnpkg.com/

@scope:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=MY_AUTHTOKEN
always-auth=true

Where MY_AUTHTOKEN is my Personal Access Token I've generated from Github. (it has access to everything in packages)

I have tried to:

  • remove yarn.lock
  • remove .yarnrc
  • login with npm login using my PAT as the password
  • logout of npm and removing global .npmrc and .yarnrc
  • logging in with yarn login

In case of any confusion I'm not actually trying @scope and /package but my actual scope and package name.

I do have access to the scope and package on Github.

and again my first setup works just fine with npm. But I cannot get this working with yarn, and cannot find any valid existing solution on SO.

RobC
  • 22,977
  • 20
  • 73
  • 80
MLyck
  • 4,959
  • 13
  • 43
  • 74

4 Answers4

32

The following worked for me in .npmrc

@mvce-superstars:registry=https://npm.pkg.github.com

Using yarn v2, the following worked for me in .yarnrc.yml:

npmScopes:
  "mvce-superstars":
    npmAlwaysAuth: true
    npmAuthToken: xxx-xxx # optional
    npmRegistryServer: "https://npm.pkg.github.com"

Note

The scope name is lowercase. This is supposed to be the name of the owner of the repository (ex. MVCE-Superstars) where the package was published, but the name has to be all lower-cased.

The setup

Publishing

  • I created a private copy of this hello-world repository.
  • I copied over the above .npmrc OR .yarnrc.yml file into the repoository.
  • Next I logged in using the npm login --registry=https://npm.pkg.github.com/ OR yarn npm login --scope=mvce-superstars command (skip if npmAuthToken is specified above)
  • I entered my github user name, and my token (with scopes read:package, write:package, and repo) (skip if npmAuthToken is specified above)
  • Finally, I pushed the package to my private repo using npm publish OR yarn npm publish

Output

npm notice 
npm notice   @mvce-superstars/hello-world-npm@1.1.1
npm notice === Tarball Contents === 
npm notice 16.3kB example.gif   
npm notice 89B    bin.js        
npm notice 175B   lib/index.js  
npm notice 734B   package.json  
npm notice 2.0kB  yarn-error.log
npm notice 570B   Readme.md     
npm notice 167B   init.sh       
npm notice === Tarball Details === 
npm notice name:          @mvce-superstars/hello-world-npm        
npm notice version:       1.1.1                                   
npm notice package size:  14.3 kB                                 
npm notice unpacked size: 20.0 kB                                 
npm notice shasum:        5379c8030fa9c5f57e5baef67f2a8a784ce93361
npm notice integrity:     sha512-FAI/Wuy4gHW8C[...]FINQeIlZ+HDdg==
npm notice total files:   7                                       
npm notice 
+ @mvce-superstars/hello-world-npm@1.1.1

Downloading

  • I create a new npm project using npm init (use-hello-world-npm)
  • I copy the above .npmrc to the root of the folder
  • Next I logout of npm (npm logout --registry=https://npm.pkg.github.com/) and log back in (npm login --registry=https://npm.pkg.github.com/), just to be sure
  • Finally, I run yarn and like it was supposed to, it worked!

Output

yarn install v1.22.4
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
Done in 0.55s.

yarn v2

➤ YN0000: ┌ Resolution step
➤ YN0014: │ @mvce-superstars/hello-world-npm@npm:^1.1.1: Only some patterns can be imported from legacy lockfiles (not "https://npm.pkg.github.com/download/@mvce-superstars/hello-world-npm/1.1.1/426126f89734c2c76bfac0342c1de9c95ad003b6e905a7b9f9f745892c86da7a#5379c8030fa9c5f57e5baef67f2a8a784ce93361")
➤ YN0000: └ Completed in 0.55s
➤ YN0000: ┌ Fetch step
➤ YN0013: │ @mvce-superstars/hello-world-npm@npm:1.1.1::__archiveUrl=https%3A%2F%2Fnpm.pkg.github.com%2Fdownload%2F%40mvce-superstars%2Fhello-world-npm%2F1.1.1%2F426126f89734c2c76bfac0342c1de9c95ad003b6e905a7b9f9f745892c86da7a can't be found in the cache and will be fetched from the remote server
➤ YN0000: └ Completed in 1.3s
➤ YN0000: ┌ Link step
➤ YN0031: │ One or more node_modules have been detected and will be removed. This operation may take some time.
➤ YN0000: └ Completed
➤ YN0000: Done with warnings in 1.87s

Contents of folder after yarn

.
├── node_modules
│   └── @mvce-superstars
├── package.json
└── yarn.lock

And for good measure, I remove it (yarn remove @mvce-superstars/hello-world-npm):

yarn remove v1.22.4
[1/2] Removing module @mvce-superstars/hello-world-npm...
[2/2] Regenerating lockfile and installing missing dependencies...
success Uninstalled packages.
Done in 0.06s.

and add it again (yarn add @mvce-superstars/hello-world-npm):

yarn add v1.22.4
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
success Saved 1 new dependency.
info Direct dependencies
└─ @mvce-superstars/hello-world-npm@1.1.1
info All dependencies
└─ @mvce-superstars/hello-world-npm@1.1.1
Done in 1.08s.

Sources:

smac89
  • 39,374
  • 15
  • 132
  • 179
  • perhaps, although I highly doubt it. I was able to solve it with Yarn2, and using the new yarnrc.yml file pretty easily (with no other changes) suggesting that it is a Yarn problem. However, your answer is absolutely fantastic, and will likely be helpful to others, you clearly put effort into this and testing it, so you definitely deserve the accepted answer to this. But if this doesn't work for some one else as well. Try upgrading to Yarn 2 :) – MLyck May 28 '20 at 17:21
  • 1
    @MLyck Great. I have updated my answer with the results of using yarn v2. – smac89 May 28 '20 at 17:49
  • I couldn't understand this... where's the `authToken`? – geoidesic Jul 26 '22 at 16:24
  • @geoidesic you create the token in Github. See the [link](https://github.com/settings/tokens) – smac89 Jul 26 '22 at 16:35
  • @smac89 yes, I understand that. I mean that `authToken` doesn't feature in your answer, so how to specify the token value is not clear. – geoidesic Jul 26 '22 at 22:43
  • @geoidesic under _Publishing_, 4th bullet point. The line prior which uses `npm login`, will prompt you for the token – smac89 Jul 26 '22 at 22:57
  • @smac89 oh.. that's no use for build pipelines – geoidesic Jul 27 '22 at 00:04
  • @geoidesic in that case, see this question: https://stackoverflow.com/questions/23460980/how-to-set-npm-credentials-using-npm-login-without-reading-from-stdin – smac89 Jul 27 '22 at 00:11
  • It simply doesn't work. https://github.com/yarnpkg/berry/issues/4810 – Lewis Sep 02 '22 at 23:08
  • @geoidesic it is actually possible to specify the [`authToken`](https://yarnpkg.com/configuration/yarnrc#npmAuthToken), see the updated answer – smac89 Sep 03 '22 at 21:51
4

You need only to use .npmrc in the root of your project with this content:

//npm.pkg.github.com/:_authToken=GITHUB_PERSONAL_TOKEN
@OWNER:registry=https://npm.pkg.github.com

Keep in mind that GITHUB_PERSONAL_TOKEN needs read:packages scope permissions in order to read the packages from your private repo.

Alexander Dimitrov
  • 944
  • 1
  • 6
  • 17
1

I am adding an answer here because after a day of trying different variations of the solutions here and elsewhere, I found that my issue was something else.

My issue was that, while npm is not case sensitive with regards to package names, yarn is when it comes to authentication! ‍♂️

So, using the example from this solution:

registry=https://registry.yarnpkg.com/

@GITHUB_USERNAME:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=AUTH_TOKEN
always-auth=true

I needed to ensure two things:

  1. @GITHUB_USERNAME needs to match the case that you see on github and the name the package was published under. I.e., if your username is Pickle-Rick, you need to put @Pickle-Rick:registry=https://npm.pkg.github.com, not @pickle-rick or @Pickle-rick.

  2. You need to match this casing in your package.json or your yarn add command - whichever you are using. For example:

    "@Pickle-Rick/schwifty": "^1.0.0" in package.json or yarn add @Pickle-Rick/schwifty.

I found this solution by digging through yarn github issues.

elethan
  • 16,408
  • 8
  • 64
  • 87
0

This is what worked for me using Yarn V1

# .npmrc
@vesato:registry=https://gitlab.com/api/v4/projects/[xx]/packages/npm/
//gitlab.com/api/v4/projects/[xx]/packages/npm/:_authToken=${NPM_TOKEN}

And this is what worked after changing to Yarn V2

# .yarnrc.yml

nodeLinker: pnp

npmScopes:
  "vesato":
    npmAlwaysAuth: true
    npmRegistryServer: https://gitlab.com/api/v4/projects/[xx]/packages/npm/
    npmAuthToken: "${NPM_TOKEN}"

yarnPath: .yarn/releases/yarn-3.2.2.cjs

Finally use the import as below.

import {x} from "@vesato/libraryname"
Malik Bagwala
  • 2,695
  • 7
  • 23
  • 38