Comments (8)
I added logging of the auth (https://github.com/SimenB/npm-1/commit/77f31ce8eddcae08898dd670bece7c0d67de1a67) and the output is correct:
{ username: '[secure]',
  password: 'redacted',
  email: '[secure]',
  alwaysAuth: true }
Other ideas about what I can test?
from npm.
Some more horrible logging shows that the structure of the auth object is different between npm and this module.
This module:
verb request https://artifacts.schibsted.io/artifactory/api/npm/npm-virtual/@finn-no%2Ftest-semantic-release
verb request { auth:
verb request    { username: '[secure]',
verb request      password: 'redacted',
verb request      email: '[secure]',
verb request      alwaysAuth: true },
verb request   method: 'GET',
verb request   authed: true }
npm:
npm verb request https://artifacts.schibsted.io/artifactory/api/npm/npm-virtual/@finn-no%2ftest-semantic-release
npm verb request { auth:
npm verb request    { scope: '//artifacts.schibsted.io/artifactory/api/npm/npm-virtual/',
npm verb request      email: '[secure]',
npm verb request      alwaysAuth: true,
npm verb request      token: undefined,
npm verb request      username: '[secure]',
npm verb request      password: '[secure]',
npm verb request      auth: '[secure]' },
npm verb request   method: 'GET',
npm verb request   authed: true }
So it seems like npm adds scope, as well as auth. Interesting fact is that Travis puts secret for everything npm does, but not the password from this module. Meaning that the auth is actually exported already as secrets into the Travis runtime, and I shouldn't have to authenticate manually...
I tried adding scope and that didn't help, so I think I may have to try to set auth. I think I'm done for the day, though.
Ideas?
from npm.
My shot in the dark is that you have to copy basically all of the login in here: https://github.com/npm/npm/blob/0cc9d89ed2d46745f91d746fda9d205fd39d3daa/lib/config/get-credentials-by-uri.js
from npm.
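An added sketch, not code from npm or from this plugin, of the two extra fields the npm log above shows: a `scope` derived from the registry URL and a combined `auth` value. It assumes `scope` is the registry URL's directory without the protocol and `auth` is base64 of `username:password`; the function names and sample values are constructed.

```javascript
// Added example: build a credentials object with the fields npm logged.
// registryScope, buildCredentials and redact are hypothetical names.

// Reduce a registry or package URL to its protocol-less directory form,
// e.g. https://host/a/b/pkg -> //host/a/b/
function registryScope(registryUrl) {
  const u = new URL(registryUrl);
  const dir = u.pathname.slice(0, u.pathname.lastIndexOf('/') + 1);
  return `//${u.host}${dir}`;
}

// env is expected to carry the plugin's NPM_USERNAME / NPM_PASSWORD / NPM_EMAIL.
function buildCredentials(registryUrl, env) {
  const { NPM_USERNAME: username, NPM_PASSWORD: password, NPM_EMAIL: email } = env;
  if (!username || !password) {
    throw new Error('NPM_USERNAME and NPM_PASSWORD are required');
  }
  return {
    scope: registryScope(registryUrl),
    email,
    alwaysAuth: true,
    token: undefined,
    username,
    password,
    // Assumption: the combined field is HTTP Basic style base64(user:pass).
    auth: Buffer.from(`${username}:${password}`).toString('base64'),
  };
}

// Mask sensitive fields before logging, like the '[secure]' values above.
const SENSITIVE = ['username', 'password', 'email', 'token', 'auth'];
function redact(creds) {
  const out = {};
  for (const [key, value] of Object.entries(creds)) {
    out[key] = SENSITIVE.includes(key) && value !== undefined ? '[secure]' : value;
  }
  return out;
}
```

Log only the result of `redact(...)`; the raw object carries the password twice, once in clear text and once base64-encoded.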
> I set up auth like this: curl -u $ARTIFACTORY_USER:$ARTIFACTORY_PWD https://artifacts.schibsted.io/artifactory/api/npm/npm-virtual/auth/finn-no > .npmrc. I know this works as yarn right after it (which includes fetching dependencies only available on that Artifactory instance) succeeds.
Why do that?
The plugin works, as documented, by setting NPM_USERNAME, NPM_PASSWORD and NPM_EMAIL.
So just set NPM_USERNAME to the value of ARTIFACTORY_USER, NPM_PASSWORD to the value of ARTIFACTORY_PWD and NPM_EMAIL with the email of your Artifactory user.
Then in your .npmrc just write:
always-auth = true
In addition we do not recommend writing your username and password in .npmrc as it's a security risk. Anything else running on your CI would be able to read those values.
It might not be an issue in a private CI environment, but it is for everyone else.
from npm.
See PR
from npm.
> Why do that?
NPM_USERNAME, NPM_PASSWORD and NPM_EMAIL are specifics for this plugin. I still have to have auth for yarn/npm to work.
> So just set NPM_USERNAME to the value of ARTIFACTORY_USER, NPM_PASSWORD to the value of ARTIFACTORY_PWD and NPM_EMAIL with the email of your Artifactory user.
I do that now. I had some weird setup before. Thanks for the help!
> Then in your .npmrc just write:
I think that part's unnecessary, as npmrc has always-auth for the registry I'm talking with. But setting it works. I'll try to send a PR 🙂
> In addition we do not recommend writing your username and password in .npmrc as it's a security risk. Anything else running on your CI would be able to read those values.
This is a private CI, but I don't get why it's a risk (beyond what's currently possible). How is cat .npmrc worse than echo $NPM_PASSWORD?
from npm.
> This is a private CI, but I don't get why it's a risk (beyond what's currently possible). How is cat .npmrc worse than echo $NPM_PASSWORD?
Because anyone can send a PR that will trigger a build and potentially expose the credentials with cat .npmrc. That wouldn't be possible with echo $NPM_PASSWORD as CI providers do not make environment variables available for PRs with a base branch that comes from a different repo.
In addition writing credentials to .npmrc makes it really easy to commit them by mistake. For example if you run semantic-release --dry-run then git add . and commit you would expose your credentials.
from npm.
The curl happens on CI, not my local machine, sorry if that wasn't clear
from npm.