93

I have been using GitHub Actions for quite some time, but today my deployments started failing. Below is the error from the GitHub Actions logs:

    Command: git
    Arguments: ls-remote --tags --heads git://github.com/adobe-webplatform/eve.git
    Directory: /home/runner/work/stackstream-fe/stackstream-fe
    Output:
    fatal: remote error:
      The unauthenticated git protocol on port 9418 is no longer supported.

Upon investigation, it appears that the section below in my yml file is causing the issue.

    - name: Installing modules
      run: yarn install

I have looked into this change log but can't seem to comprehend the issue.

Additional Details:

Server: EC2 Instance

GitHub Actions steps:

  steps:
  - name: Checkout
    uses: actions/checkout@v2

  - id: vars
    run: |
      if [ '${{ github.ref }}' == 'refs/heads/master' ]; then echo "::set-output name=environment::prod_stackstream" ; echo "::set-output name=api-url::api" ; elif [ '${{ github.ref }}' == 'refs/heads/staging' ]; then echo "::set-output name=environment::staging_stackstream"  ; echo "::set-output name=api-url::stagingapi" ; else echo "::set-output name=environment::dev_stackstream" ; echo "::set-output name=api-url::devapi" ; fi

  - uses: pCYSl5EDgo/cat@master
    id: slack
    with:
      path: .github/workflows/slack.txt

  - name: Slack Start Notification
    uses: 8398a7/action-slack@v3
    env:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
      ENVIRONMENT: '`${{ steps.vars.outputs.environment }}`'
      COLOR: good
      STATUS: '`Started`'
    with:
      status: custom
      fields: workflow,job,commit,repo,ref,author,took
      custom_payload: |
        ${{ steps.slack.outputs.text }}

  - name: Installing modules
    env:
      REACT_APP_API_URL: 'https://${{ steps.vars.outputs.api-url }}mergestack.com/api/v1'
    run: yarn install

  - name: Create Frontend Build
    env:
      REACT_APP_API_URL: 'https://${{ steps.vars.outputs.api-url }}mergestack.com/api/v1'
    run: yarn build

  - name: Deploy to Frontend Server DEV
    if: ${{ contains(github.ref, 'dev') }}
    uses: easingthemes/ssh-deploy@v2.1.5
    env:
      SSH_PRIVATE_KEY: ${{ secrets.DEV_KEY }}
      ARGS: '-rltgoDzvO --delete'
      SOURCE: 'deploy/'
      REMOTE_HOST: ${{ secrets.DEV_HOST }}
      REMOTE_USER: plyfolio-dev
      TARGET: '/home/plyfolio-dev/${{ steps.vars.outputs.environment }}/fe/deploy'

package.json file

{
  "name": "stackstream-fe",
  "version": "1.0.0",
  "authors": [
    "fayyaznofal@gmail.com"
  ],
  "private": true,
  "dependencies": {
    "@fortawesome/fontawesome-svg-core": "^1.2.34",
    "@fortawesome/free-solid-svg-icons": "^5.15.2",
    "@fortawesome/react-fontawesome": "^0.1.14",
    "@fullcalendar/bootstrap": "^5.5.0",
    "@fullcalendar/core": "^5.5.0",
    "@fullcalendar/daygrid": "^5.5.0",
    "@fullcalendar/interaction": "^5.5.0",
    "@fullcalendar/react": "^5.5.0",
    "@lourenci/react-kanban": "^2.1.0",
    "@redux-saga/simple-saga-monitor": "^1.1.2",
    "@testing-library/jest-dom": "^5.11.9",
    "@testing-library/react": "^11.2.3",
    "@testing-library/user-event": "^12.6.0",
    "@toast-ui/react-chart": "^1.0.2",
    "@types/jest": "^26.0.14",
    "@types/node": "^14.10.3",
    "@types/react": "^16.9.49",
    "@types/react-dom": "^16.9.8",
    "@vtaits/react-color-picker": "^0.1.1",
    "apexcharts": "^3.23.1",
    "availity-reactstrap-validation": "^2.7.0",
    "axios": "^0.21.1",
    "axios-mock-adapter": "^1.19.0",
    "axios-progress-bar": "^1.2.0",
    "bootstrap": "^5.0.0-beta2",
    "chart.js": "^2.9.4",
    "chartist": "^0.11.4",
    "classnames": "^2.2.6",
    "components": "^0.1.0",
    "dotenv": "^8.2.0",
    "draft-js": "^0.11.7",
    "echarts": "^4.9.0",
    "echarts-for-react": "^2.0.16",
    "firebase": "^8.2.3",
    "google-maps-react": "^2.0.6",
    "history": "^4.10.1",
    "i": "^0.3.6",
    "i18next": "^19.8.4",
    "i18next-browser-languagedetector": "^6.0.1",
    "jsonwebtoken": "^8.5.1",
    "leaflet": "^1.7.1",
    "lodash": "^4.17.21",
    "lodash.clonedeep": "^4.5.0",
    "lodash.get": "^4.4.2",
    "metismenujs": "^1.2.1",
    "mkdirp": "^1.0.4",
    "moment": "2.29.1",
    "moment-timezone": "^0.5.32",
    "nouislider-react": "^3.3.9",
    "npm": "^7.6.3",
    "prop-types": "^15.7.2",
    "query-string": "^6.14.0",
    "react": "^16.13.1",
    "react-apexcharts": "^1.3.7",
    "react-auth-code-input": "^1.0.0",
    "react-avatar": "^3.10.0",
    "react-bootstrap": "^1.5.0",
    "react-bootstrap-editable": "^0.8.2",
    "react-bootstrap-sweetalert": "^5.2.0",
    "react-bootstrap-table-next": "^4.0.3",
    "react-bootstrap-table2-editor": "^1.4.0",
    "react-bootstrap-table2-paginator": "^2.1.2",
    "react-bootstrap-table2-toolkit": "^2.1.3",
    "react-chartist": "^0.14.3",
    "react-chartjs-2": "^2.11.1",
    "react-color": "^2.19.3",
    "react-confirm-alert": "^2.7.0",
    "react-content-loader": "^6.0.1",
    "react-countdown": "^2.3.1",
    "react-countup": "^4.3.3",
    "react-cropper": "^2.1.4",
    "react-data-table-component": "^6.11.8",
    "react-date-picker": "^8.0.6",
    "react-datepicker": "^3.4.1",
    "react-dom": "^16.13.1",
    "react-draft-wysiwyg": "^1.14.5",
    "react-drag-listview": "^0.1.8",
    "react-drawer": "^1.3.4",
    "react-dropzone": "^11.2.4",
    "react-dual-listbox": "^2.0.0",
    "react-facebook-login": "^4.1.1",
    "react-flatpickr": "^3.10.6",
    "react-google-login": "^5.2.2",
    "react-hook-form": "^7.15.2",
    "react-i18next": "^11.8.5",
    "react-icons": "^4.2.0",
    "react-image-lightbox": "^5.1.1",
    "react-input-mask": "^2.0.4",
    "react-jvectormap": "^0.0.16",
    "react-leaflet": "^3.0.5",
    "react-meta-tags": "^1.0.1",
    "react-modal-video": "^1.2.6",
    "react-notifications": "^1.7.2",
    "react-number-format": "^4.7.3",
    "react-perfect-scrollbar": "^1.5.8",
    "react-rangeslider": "^2.2.0",
    "react-rating": "^2.0.5",
    "react-rating-tooltip": "^1.1.6",
    "react-redux": "^7.2.1",
    "react-responsive-carousel": "^3.2.11",
    "react-router-dom": "^5.2.0",
    "react-script": "^2.0.5",
    "react-scripts": "3.4.3",
    "react-select": "^4.3.1",
    "react-sparklines": "^1.7.0",
    "react-star-ratings": "^2.3.0",
    "react-super-responsive-table": "^5.2.0",
    "react-switch": "^6.0.0",
    "react-table": "^7.6.3",
    "react-toastify": "^7.0.3",
    "react-toastr": "^3.0.0",
    "react-twitter-auth": "0.0.13",
    "reactstrap": "^8.8.1",
    "recharts": "^2.0.8",
    "redux": "^4.0.5",
    "redux-saga": "^1.1.3",
    "reselect": "^4.0.0",
    "sass": "^1.37.5",
    "simplebar-react": "^2.3.0",
    "styled": "^1.0.0",
    "styled-components": "^5.2.1",
    "toastr": "^2.1.4",
    "typescript": "^4.0.2",
    "universal-cookie": "^4.0.4"
  },
  "devDependencies": {
    "@typescript-eslint/eslint-plugin": "^2.27.0",
    "@typescript-eslint/parser": "^2.27.0",
    "@typescript-eslint/typescript-estree": "^4.15.2",
    "eslint-config-prettier": "^6.10.1",
    "eslint-plugin-prettier": "^3.1.2",
    "husky": "^4.2.5",
    "lint-staged": "^10.1.3",
    "prettier": "^1.19.1",
    "react-test-renderer": "^16.13.1",
    "redux-devtools-extension": "^2.13.8",
    "redux-mock-store": "^1.5.4"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build && mv build ./deploy/build",
    "build-local": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": "react-app"
  },
  "husky": {
    "hooks": {
      "pre-commit": "lint-staged"
    }
  },
  "lint-staged": {
    "*.{js,ts,tsx}": [
      "eslint --fix"
    ]
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }
}

package-lock.json

d4nyll
monofal
  • 5
    Am I wrong or is this going to be a huge issue for *many* yocto project layers.. – Logan Jan 11 '22 at 16:42
  • The linked article states 'We expect very few people are still using this protocol, especially given that you can’t push (it’s read-only on GitHub).' which is weird. They should be able to see the amount of traffic on that protocol right? Meanwhile, a part of the world is burning because they didn't change the protocol in time. Luckily, the fix is relatively easy (https:// instead of git://). – Mixxiphoid Jan 12 '22 at 08:53
  • 1
    @Mixxiphoid They (GitHub) might have missed all the indirect dependencies pulled by projects, and those indirect dependencies could still include some `git://` URLs. – VonC Jan 12 '22 at 08:57
  • @Logan I think the impact is going to be big. In my case I wasn't using any package which was directly causing the issue. There was a 4th-tier dependency which was causing the issue. I was using `@toast-ui/react-chart`; below was my dependency tree: `eve --> raphael --> tui-chart --> @toast-ui/react-chart`, and `eve` was causing the issue. – monofal Jan 12 '22 at 09:13
  • 1
    So, I think there are going to be many people with this sort of dependencies in their project. – monofal Jan 12 '22 at 09:14
  • 3
    @Logan: There was a 4-month warning. The entire Internet has been moving away from un-authenticated, un-encrypted protocols for a decade, it's not like this is a huge surprise. Personally, I consider it less an "issue" and more "detecting unmaintained dependencies". Plus, this is still only the brownout period, so the protocol will only be disabled for a short period of time, allowing developers to discover the problem. The permanent shutdown is not until March. – Jörg W Mittag Jan 12 '22 at 11:39
  • 7
    4-months to whom and where I wonder, first I've heard of it is this post! – deep64blue Jan 12 '22 at 19:15

10 Answers

111

First, this error message is indeed expected on Jan. 11th, 2022.
See "Improving Git protocol security on GitHub".

January 11, 2022 Final brownout.

This is the full brownout period where we’ll temporarily stop accepting the deprecated key and signature types, ciphers, and MACs, and the unencrypted Git protocol.
This will help clients discover any lingering use of older keys or old URLs.

Second, check your package.json dependencies for any git:// URL, as in this example, fixed in this PR.

As noted by Jörg W Mittag:

There was a 4-month warning.
The entire Internet has been moving away from unauthenticated, unencrypted protocols for a decade, it's not like this is a huge surprise.

Personally, I consider it less an "issue" and more "detecting unmaintained dependencies".

Plus, this is still only the brownout period, so the protocol will only be disabled for a short period of time, allowing developers to discover the problem.

The permanent shutdown is not until March 15th.


For GitHub Actions:

As in actions/checkout issue 14, you can add as a first step:

    - name: Fix up git URLs
      run: echo -e '[url "https://github.com/"]\n  insteadOf = "git://github.com/"' >> ~/.gitconfig

That will change any git://github.com/ into https://github.com/.

For local projects

For all your repositories, you can set:

    git config --global url."https://github.com/".insteadOf git://github.com/

You can also use SSH, but GitHub Security reminds us that, as of March 15th, 2022, GitHub stopped accepting DSA keys. RSA keys uploaded after Nov 2, 2021 will work only with SHA-2 signatures.
The deprecated MACs, ciphers, and unencrypted Git protocol are permanently disabled.

So this (with the right key) would work:

    git config --global url."git@github.com:".insteadOf git://github.com/

That will change any git://github.com/ (unencrypted Git protocol) into git@github.com: (SSH URL).

VonC
76

Try using the following command before install:

    git config --global url."https://".insteadOf git://

P.S. or better (thanks @bgraves):

    git config --global url."https://github.com/".insteadOf git://github.com/

Paul Verest
rscherer
19

Try using https://github.com instead of git://github.com

Boris Verkhovskiy
jharding
  • 1
    This is the simplest and most effective method. – BuffMcBigHuge Jan 11 '22 at 19:17
  • 2
    @BuffMcBigHuge one that I already [mentioned in my answer](https://stackoverflow.com/a/70663683/6309), used in the context of a GitHub Action yaml, since the question is about GitHub Action. – VonC Jan 11 '22 at 21:03
  • 3
    This is exactly what GitHub recommends in [their blog post](https://github.blog/2021-09-01-improving-git-protocol-security-github/#git-protocol-troubleshooting). You could improve your answer by citing this semi-official resource as justification for the correctness and suitability of your proposed solution. – Cody Gray - on strike Jan 12 '22 at 05:28
8

The @toast-ui/react-chart dependency is causing the issue for you here.

If you look closely inside your package-lock.json you can backtrack eve to @toast-ui/react-chart:

eve --> raphael --> tui-chart --> @toast-ui/react-chart

You can follow this same technique to find any more issues inside your project.

ahmad faraz
  • 2
    Thanks @ahmad faraz. Yes, indeed this was the issue. There was some dependency in my package.json file which was in turn using some dependency which was basically causing the issue with GitHub's latest upgrade. I didn't need that specific dependency so I just removed it and it worked like a charm. – monofal Jan 11 '22 at 09:39
7

Change git://github.com/<blah> to git@github.com:<blah> (note the /: at the end) in your repository's .git/config file.

In my repository's .git/config file I had this line

    [remote "upstream"]
        url = git://github.com/curlconverter/curlconverter.git
        fetch = +refs/heads/*:refs/remotes/upstream/*

which I changed to

    [remote "upstream"]
        url = git@github.com:curlconverter/curlconverter.git
        fetch = +refs/heads/*:refs/remotes/upstream/*

and stopped getting this error.

Boris Verkhovskiy
7

I hope this answer would provide more context omitted in the other answers.

Git can use four protocols to transfer data:

  • Local (not relevant here)
  • (Smart) HTTP - runs over standard HTTPS ports, and can use various HTTP authentication mechanisms (e.g. username/password) if authentication is required. This protocol allows you to provide both read and write access using the same URL; if authentication is required, the server will prompt the client.
  • Secure Shell (SSH) - authenticated workflow where both reads and writes are authenticated. It does not support unauthenticated (i.e. anonymous) access. Users need to generate an SSH key pair (containing a private and public key) locally and upload their public key to the server.
  • Git protocol - unencrypted and unauthenticated. There is a Git Daemon that runs on the Git server that listens on port 9418 and services requests.

Each of the protocols uses different URLs:

  • Local:
    • Absolute path (e.g. /srv/git/project.git)
    • Absolute path prefixed with file:// protocol (e.g. file:///srv/git/project.git)
  • HTTP: https://example.com/gitproject.git
  • SSH
    • ssh://[user@]server/project.git
    • Shorter SCP-like syntax - [user@]server:project.git
  • Git protocol - Starts with git://

GitHub has dropped support for all unencrypted protocols, which only includes the Git protocol (those that use the git:// prefix). Thus, the error `The unauthenticated git protocol on port 9418 is no longer supported.` confirms this.

The way to mitigate this is by searching for the string git:// within your package.json and lockfiles (e.g. yarn.lock or package-lock.json) to identify the offending package(s), and upgrading them to a version that does not use dependencies that resolve to a URL with the git:// prefix. If the offending package is not in your package.json, you may find it helpful to run a command like `yarn why` to understand why the package is installed.

If that's not possible, and the repository is public, a temporary solution would be to manually replace git:// with https://. But this solution is not permanent and may get overwritten the next time the lockfile is written to.

d4nyll
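
The lockfile search described in the two answers above (finding `git://` entries, then backtracking them to a direct dependency), as an added example that is not part of the original answers. It assumes the npm `lockfileVersion` 1 layout (`dependencies` entries with `version`, `from`, `resolved` and `requires`); the function names, version numbers and `<commit>` are placeholders made up for illustration.

```javascript
// Added example. All lockfile data below is constructed for illustration.
const GIT_URL = /^(git\+)?git:\/\//; // git://... and git+git://...

// Flatten a lockfileVersion 1 "dependencies" tree into a Map of name -> entry.
function flatten(deps, out = new Map()) {
  for (const [name, info] of Object.entries(deps || {})) {
    if (!out.has(name)) out.set(name, info);
    flatten(info.dependencies, out); // nested (non-hoisted) copies
  }
  return out;
}

// Names of packages whose version/resolved/from field is a git:// URL.
function findGitProtocolDeps(lock) {
  return [...flatten(lock.dependencies)]
    .filter(([, info]) => [info.version, info.resolved, info.from]
      .some((v) => typeof v === "string" && GIT_URL.test(v)))
    .map(([name]) => name);
}

// Breadth-first walk of "requires" edges back to a direct dependency (or null).
function whyChain(lock, offender, directDeps) {
  const flat = flatten(lock.dependencies);
  const queue = [[offender]];
  const seen = new Set([offender]);
  while (queue.length > 0) {
    const path = queue.shift();
    const head = path[path.length - 1];
    if (directDeps.includes(head)) return path;
    for (const [name, info] of flat) {
      const requires = Object.keys(info.requires || {});
      if (requires.includes(head) && !seen.has(name)) {
        seen.add(name);
        queue.push([...path, name]);
      }
    }
  }
  return null;
}

// Constructed sample; versions and "<commit>" are placeholders.
const EVE = "git://github.com/adobe-webplatform/eve.git#<commit>";
const sampleLock = {
  dependencies: {
    "@toast-ui/react-chart": { version: "0.0.0", requires: { "tui-chart": "*" } },
    "tui-chart": { version: "0.0.0", requires: { raphael: "*" } },
    raphael: { version: "0.0.0", requires: { eve: EVE } },
    eve: { version: EVE, from: EVE },
    lodash: { version: "0.0.0", resolved: "https://registry.npmjs.org/lodash/-/lodash-0.0.0.tgz" },
  },
};
const offenders = findGitProtocolDeps(sampleLock);
const chain = whyChain(sampleLock, offenders[0], ["@toast-ui/react-chart", "lodash"]);
console.log(offenders, chain.join(" --> "));
```

To run it on a real project, pass the parsed `package-lock.json` as `lock` and the dependency names from `package.json` as `directDeps`.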
2

When all of the other solutions don't help, try editing your global config and removing all `insteadOf` declarations.

    git config --global --edit

truefusion
2

Add the code into ~/.gitconfig:

    [url "https://"]
        insteadOf = ssh://

    [url "https://"]
        insteadOf = git://

bnPYSse
1

If you are getting this issue while running something like pip install git+git://github.com/SomeCompany/somerepo.git@sometag, then only the second part of git+git needs to change, i.e. it becomes pip install git+https://github.com/SomeCompany/somerepo.git@sometag

Adam Knights
1

Hello try the below options - this one worked for me

    git config --global url."https://github".insteadOf git://github

Now GitHub won't support the unauthenticated git protocol: https://github.blog/2021-09-01-improving-git-protocol-security-github/

I was getting the below error:

    Unhandled rejection Error: Command failed: /usr/bin/git submodule update -q --init --recursive
    warning: templates not found /tmp/pacote-git-template-tmp/git-clone-a001527f
    fatal: remote error:
      The unauthenticated git protocol on port 9418 is no longer supported.
    Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
    fatal: clone of 'git://github.com/jquery/sizzle.git' into submodule path '/root/.npm/_cacache/tmp/git-clone-19674e32/src/sizzle' failed
    Failed to clone 'src/sizzle'. Retry scheduled
    warning: templates not found /tmp/pacote-git-template-tmp/git-clone-a001527f

Mahesh Hegde
  • 1
    Yes, you will see the same git config line in [my answer two month ago](https://stackoverflow.com/a/70663683/6309). – VonC Mar 25 '22 at 07:32