[BUG] `npm publish` and `npm install` fail depending on `.npmrc` syntax used

[jordanthornquest]

Current Behavior:

I am attempting to configure a project to install dependencies from NPM. I will be publishing the project to GitHub Packages as a private package. If I use this syntax in my project's .npmrc:

@my-org:registry=https://npm.pkg.github.com/

I can install dependencies from NPM using npm install on my local machine. However, I cannot publish to GitHub Packages using npm publish. NPM informs me that I'm not authenticated. If I use this syntax in my project's .npmrc:

registry=https://npm.pkg.github.com/my-org/

I can publish using npm publish, but I cannot install dependencies with npm install. NPM informs me that it's trying to install dependencies from GitHub Packages, rather than NPM.

Expected Behavior:

Based on my reading, both syntaxes should be compatible with npm install and npm publish. However, it appears I can only use one or the other, based on my intended use.

Steps To Reproduce:

1. Install Node v15.7.0 and NPM 7.4.3 via nvm.

2. Log in to GitHub Packages with the command:

   npm login --scope=@my-org --registry=https://npm.pkg.github.com

3. Check our ~/.npmrc file in our home folder. It should read:

   @my-org:registry=https://npm.pkg.github.com/
   //npm.pkg.github.com/:_authToken=<auth-token-used-for-login>
   

4. Create project with the following package.json:

   {
     "name": "@my-org/my-package",
     "description": "A test.",
     "version": "1.0.0",
     "scripts": {
       "test": "echo \"Error: no test specified\" && exit 1"
     },
     "repository": {
       "type": "git",
       "url": "https://github.com/my-org/my-package.git"
     },
     "keywords": ["example"],
     "author": "Me",
     "license": "ISC",
     "bugs": {
       "url": "https://github.com/my-org/my-package/issues"
     },
     "homepage": "https://github.com/my-org/my-package",
     "dependencies": {
       "bootstrap": "^4.5.2"
     }
   }

5. Add the following .npmrc to our project:

   @my-org:registry=https://npm.pkg.github.com/
   

6. Run npm install. Installation should succeed.

7. Run npm publish. Receive the following error:

   npm ERR! code ENEEDAUTH
   npm ERR! need auth This command requires you to be logged in.
   npm ERR! need auth You need to authorize this machine using `npm adduser`
   
   npm ERR! A complete log of this run can be found in:
   npm ERR!     /Users/my-user/.npm/_logs/2021-01-28T20_19_55_974Z-debug.log

8. Change the project .npmrc to:

   registry=https://npm.pkg.github.com/my-org/
   

9. Run npm publish. Publishing should succeed.

10. rm -rf node_modules/ package-lock.json in project.

11. Run npm install. Receive following error:

    npm ERR! code E401
    npm ERR! Incorrect or missing password.
    npm ERR! If you were trying to login, change your password, create an
    npm ERR! authentication token or enable two-factor authentication then
    npm ERR! that means you likely typed your password in incorrectly.
    npm ERR! Please try again, or recover your password at:
    npm ERR!     https://www.npmjs.com/forgot
    npm ERR!
    npm ERR! If you were doing some other operation then your saved credentials are
    npm ERR! probably out of date. To correct this please try logging in again with:
    npm ERR!     npm login
    
    npm ERR! A complete log of this run can be found in:
    npm ERR!     /Users/my-user/.npm/_logs/2021-01-28T20_38_20_711Z-debug.log
    

Environment:

• OS:
  • MacOS Catalina 10.15.7 (Intel Mac Mini)
  • MacOS Big Sur 11.1 (Apple Silicon MacBook AIr)
• Node: 15.7.0
• npm:
  • 7.4.3
  • 7.5.2

[jordanthornquest]

Using publishConfig does not fix the issue with either .npmrc configuration. However, using the command-line --registry flag works.

When using the following project .npmrc syntax:

@my-org:registry=https://npm.pkg.github.com/

If I run npm publish --registry=https://npm.pkg.github.com/, I can publish successfully. In addition, I can install dependencies without issue.

[wraithgar]

I'm having trouble replicating this locally. I can publish just fine using the config setup mentioned.

Here's the output of npm config list

$ npm config list
; "builtin" config from /Users/wraithgar/.nvm/versions/node/v14.15.4/lib/node_modules/npm/npmrc

foo = "bar" 
pid = "6284" 

; "user" config from /Users/wraithgar/.npmrc

@npm:registry = "https://npm.pkg.github.com" 
; @wraithgar:registry = "https://npm.pkg.github.com" ; overridden by project
//npm.pkg.github.com/:_authToken = (protected) 
//registry.npmjs.org/:_authToken = (protected) 
init.author.email = "gar+npm@danger.computer" 
init.author.name = "Gar" 

; "project" config from /Users/wraithgar/Development/npm/gh-registry-test/.npmrc

@wraithgar:registry = "https://npm.pkg.github.com/" 

; "cli" config from command line options

omit = [] 
user-agent = "npm/7.5.2 node/v14.15.4 darwin x64" 

; node bin location = /Users/wraithgar/.nvm/versions/node/v14.15.4/bin/node
; cwd = /Users/wraithgar/Development/npm/gh-registry-test
; HOME = /Users/wraithgar
; Run `npm config ls -l` to show all defaults.

And the package.json

{
  "name": "@wraithgar/gh-registry-test",
  "version": "1.0.1",
  "description": "github registry test package",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "Gar <gar+npm@danger.computer>",
  "license": "ISC",
  "dependencies": {
    "bootstrap": "^4.6.0"
  }
}

With or without a package-lock, or having the packages installed, publishing works just fine.

Can you share the output of npm config list?

[jordanthornquest]

Sure thing. This is the output of running npm config list in my project.

; "user" config from /Users/jst/.npmrc

; @my-org:registry = "https://npm.pkg.github.com/" ; overridden by project
//npm.pkg.github.com/:_authToken = (protected)

; "project" config from /Users/jst/Code/my-project/.npmrc

@my-org:registry = "https://npm.pkg.github.com/"

; "cli" config from command line options

omit = []
user-agent = "npm/7.5.2 node/v15.7.0 darwin arm64"

; node bin location = /Users/jst/.nvm/versions/node/v15.7.0/bin/node
; cwd = /Users/jst/Code/my-project
; HOME = /Users/jst
; Run `npm config ls -l` to show all defaults.

[robross0606]

I'm seeing something similar. npm v7 was just "released" and now all our npm publish calls are breaking to our locally scoped repository. Previously, doing these two commands would generate a usable .npmrc file for our environment:

npm config set @privatescope:registry https://my.server.org/repository/npm-internal/
npm adduser --registry=https://my.server.org/repository/npm-internal/ --always-auth

This still generates an .npmrc file that looks identical between npm v6 and npm v7.

@privatescope:registry =https://my.server.org/repository/npm-internal/
//my.server.org/repository/npm-internal/:_authToken=NpmToken.9fb28705-7e5b-3ea9-894b-06f7d898886c

However, attempting to use it fails on v7:

npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`

npm ERR! A complete log of this run can be found in:
npm ERR!     C:\Users\user\AppData\Local\npm-cache\_logs\2021-02-02T20_51_38_576Z-debug.log

[robross0606]

I can also confirm that adding --registry= to the npm publish call temporarily works around the problem.