Guided remediation for npm (`osv-scanner fix`) failed to resolve private dependencies #899
Comments
Hi, thanks for trying this! Can you try using
Thanks for the pointer! I tried The private registry token is in Note that this is not a private npm-hosted package, but a different storage provider with compatible NPM APIs.
@michaelkedar can you take a look?
It should be setting the I assumed the Authorization header would be enough, but it's possible that it's looking at some other headers for verification. Do you know/is it possible to share what your underlying storage provider is built on? (e.g. Verdaccio seems to work as-is with just the auth header.) I guess it's also possible that the authToken isn't being correctly read. Is it possible to share how the registry & auth lines appear in your
Hi @michaelkedar, thanks for taking a look. Sorry, I made a mistake in my earlier comment, as my config is using Basic Auth with a token-like password. The token is passed via a username/password pair, so I suspect it should be passed in
Here are a few more examples with basic auth:
The API is similar to JFrog/Artifactory, but it's compatible with basic npm commands like
@khai-tran I think I know what the issue is: While I work out how to allow for per-path authentication, you could temporarily replace/override your
Note that this will mean guided remediation will send the auth header with every request it makes to that hostname - it won't work if there's a second registry on the same host that requires different authentication.
Thanks for taking a look! Unfortunately removing the web path broke
Just to confirm, the following breaks on your npm?

```ini
# include the paths on registry
@org:registry=https://hostname/node/virtual/
registry=https://hostname/node/virtual/
# exclude the paths on auth (with or without trailing '/')
//hostname/:username=<username>
//hostname/:_password="<token>"
//hostname/:always-auth=true
```

What version of npm are you using?
with the above config (I missed trailing
that might suggest that auth works, but the path wasn't built correctly.
Sorry, I forgot to include
Thanks @khai-tran! @michaelkedar is fixing the underlying issue in #901. In the meantime, please let us know if you have any feedback or other issues! We're very keen to keep iterating on this new experimental feature.
Should fix #899 Changed the npmrc parsing logic when using `--data-source=native` so that specifying registries with paths (e.g. `//my.registry/package/path:_authToken`) will now correctly add the authorization headers. Used [npm-registry-fetch](https://github.com/npm/npm-registry-fetch/tree/main) as reference.
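To make the path-scoped lookup concrete, here is an added illustration in Python of how npm resolves credentials for a registry URL from `.npmrc` keys such as `//host/path/:_authToken` or `//host/path/:username` + `:_password`: it starts from the most specific `//host/dir/` prefix of the request URL and walks down to `//host/`. It is not osv-scanner's or npm-registry-fetch's code; the `.npmrc` content, hostnames, usernames and tokens are constructed placeholders, and the `path_aware=False` mode only exists to show the host-only matching that misses path-scoped credentials in this issue.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample .npmrc in the shape discussed in this thread:
# a path-scoped registry with basic-auth keys, plus a second host using a token.
# All values are placeholders.
SAMPLE_NPMRC = """\
# include the paths on registry
@org:registry=https://hostname/node/virtual/
registry=https://hostname/node/virtual/
//hostname/node/virtual/:username=ci-user
//hostname/node/virtual/:_password="c2VjcmV0LXRva2Vu"
//hostname/node/virtual/:always-auth=true
//other.example/:_authToken=tok-for-other
"""


def parse_npmrc(text):
    """Parse key=value lines; '#' and ';' start comments; strip surrounding quotes."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def nerf_dart(url):
    """'//host/dir/' auth prefix for a URL: the host plus the directory part of the path."""
    u = urlsplit(url)
    path = u.path if u.path.endswith("/") else u.path.rsplit("/", 1)[0] + "/"
    return f"//{u.netloc}{path}"


def auth_header_for(conf, request_url, path_aware=True):
    """Return the Authorization header value for request_url, or None.

    path_aware=True walks from the most specific '//host/a/b/' key down to
    '//host/'. path_aware=False consults only '//host/' keys, i.e. the
    host-only behaviour that ignores path-scoped credentials.
    """
    host_only = "//" + urlsplit(request_url).netloc + "/"
    candidates = []
    if path_aware:
        prefix = nerf_dart(request_url)
        while True:
            candidates.append(prefix)
            if prefix == host_only:
                break
            # drop the last path segment: '//h/a/b/' -> '//h/a/'
            prefix = prefix[:-1].rsplit("/", 1)[0] + "/"
    else:
        candidates.append(host_only)

    for prefix in candidates:
        token = conf.get(prefix + ":_authToken")
        if token:
            return "Bearer " + token
        user = conf.get(prefix + ":username")
        pw = conf.get(prefix + ":_password")
        if user and pw:
            # npm stores _password base64-encoded in .npmrc and decodes it before use
            plain = base64.b64decode(pw).decode()
            cred = base64.b64encode(f"{user}:{plain}".encode()).decode()
            return "Basic " + cred
    return None


if __name__ == "__main__":
    conf = parse_npmrc(SAMPLE_NPMRC)
    url = "https://hostname/node/virtual/@org%2fpkg"
    print("path-aware:", auth_header_for(conf, url))
    print("host-only: ", auth_header_for(conf, url, path_aware=False))
```

Running it shows the difference that matters here: the path-aware lookup finds the `//hostname/node/virtual/` credentials and emits a `Basic` header, while the host-only lookup returns `None`, which is why requests to a path-scoped registry went out unauthenticated.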
#901 has been merged now, which should allow the authorization headers to be correctly set with your original
Thanks so much @michaelkedar and @oliverchang!
It looks like the guide doesn't work when my project has private dependencies. After some digging, I found out that the root cause is the guide's reliance on deps.dev, which can't access those private packages.

To reproduce, simply include any private dependencies in `package.json` and run `osv-scanner fix -M package.json`. The error was:

```
cannot find matching versions for ^<version>: package NPM:@<package>: not found
```
I've got a couple ideas on how to tackle this:
What do you think? I'd love to hear your thoughts on the best way forward. Fixing this would be a big help for folks like me who use private dependencies.
Thanks for all your hard work on OSV-Scanner!