[BUG] publish with workspaces doesn't respect access controls #7199

tschaub opened this issue Feb 3, 2024 · 3 comments · Fixed by #7564
Labels: Bug (thing that needs fixing), Priority 2 (secondary priority issue), Release 10.x

Comments


tschaub commented Feb 3, 2024

Is there an existing issue for this?

It looks like this is the same issue as #3268, although the error I'm getting is different, and it appears that the fix in 4a4fbe3 is specific to the error.

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

I am trying to use workspaces where a number of the packages should not be published (they have "private": true in their package.json). I would like to run a single command that publishes all of the non-private packages. I was hoping this would work:

npm publish --workspaces

When I try this, I get this error:

npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in to https://registry.npmjs.org/
npm ERR! need auth You need to authorize this machine using `npm adduser`

I found #3268 and was hoping that #3285 might have addressed the issue, but that fix was specific to the EPRIVATE error code. In this case I am seeing ENEEDAUTH.

Expected Behavior

I was hoping that npm publish --workspaces could be used to publish all workspace packages except those that have "private": true in their package.json.

Steps To Reproduce

  1. create a package with two workspaces, one named do-not-publish and one named @example/package
  2. in the package.json for the do-not-publish package, add "private": true
  3. run npm logout && npm login --registry=https://npm.pkg.github.com --scope=@example
  4. run npm publish --workspaces
  5. See npm ERR! code ENEEDAUTH

It looks like the ENEEDAUTH error is thrown for the do-not-publish package even though it includes "private": true. I assume this only happens when the user is not already authenticated with the default registry. In my case, it is occurring in a CI job where an auth-token is only provided for a non-default registry (where the scoped packages are published).

Environment

  • npm: 10.2.4
  • Node.js: 21.5.0
tschaub added the Bug (thing that needs fixing), Needs Triage (needs review for next steps) and Release 10.x labels Feb 3, 2024
tschaub referenced this issue Feb 3, 2024
Allow users to publish all workspaces with `npm publish --ws` while also
skipping any workspace that might have been intentionally marked as
private, using `"private": true` in its package.json file.

Fixes: #3268

PR-URL: #3285
Credit: @ruyadorno
Close: #3285
Reviewed-by: @wraithgar
@chehsunliu

I just got this error today. I then renamed the workspace do-not-publish to @example/do-not-publish as a workaround. npm should first determine whether to publish, rather than authentication.


tschaub commented Apr 9, 2024

@chehsunliu - I arrived at the same workaround (giving everything the same scope). And I agree that it feels like npm should first determine what needs to be published and then only authenticate with registries for which there are packages to publish.

lukekarrys added the Priority 2 (secondary priority issue) label and removed the Needs Triage (needs review for next steps) label May 14, 2024
milaninfy self-assigned this May 24, 2024
wraithgar pushed a commit that referenced this issue May 29, 2024
`npm publish --workspaces` will skip workspace packages marked as
private in package.json.
Currently it's skipping those packages only when you have configured
auth for those packages; it would error out with `ENEEDAUTH` if it
doesn't find the valid auth information.

This fix checks for the private property before checking for auth for
the packages that are essentially not going to get published.

Fixes #7199
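
The ordering problem discussed in this issue, as a simplified model added here for illustration; it is not npm's code. The function names, the `config` shape and the token value are assumptions, and the sample workspaces are constructed from the reproduction steps above.

```javascript
// Constructed sample data mirroring the issue's reproduction steps.
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';
const workspaces = [
  { name: 'do-not-publish', private: true },
  { name: '@example/package' },
];

// Hypothetical CI configuration: a token exists only for the scoped registry.
const config = {
  scopes: { '@example': 'https://npm.pkg.github.com' },
  tokens: { 'https://npm.pkg.github.com': 'constructed-token' },
};

// Resolve a package's registry from its scope, falling back to the default.
function registryFor(pkg, cfg) {
  const scope = pkg.name.startsWith('@') ? pkg.name.split('/')[0] : null;
  return (scope && cfg.scopes[scope]) || DEFAULT_REGISTRY;
}

// Reported behaviour: auth is checked for every workspace before the
// private flag is consulted, so a private unscoped package aborts the run.
function planAuthFirst(pkgs, cfg) {
  const toPublish = [];
  for (const pkg of pkgs) {
    const registry = registryFor(pkg, cfg);
    if (!cfg.tokens[registry]) return { error: 'ENEEDAUTH', registry, pkg: pkg.name };
    if (pkg.private) continue;
    toPublish.push({ name: pkg.name, registry });
  }
  return { toPublish };
}

// Ordering described in the fix: skip private packages first, so only
// registries that will actually receive a package need a credential.
function planPrivateFirst(pkgs, cfg) {
  const toPublish = [];
  const skipped = [];
  for (const pkg of pkgs) {
    if (pkg.private) { skipped.push(pkg.name); continue; }
    const registry = registryFor(pkg, cfg);
    if (!cfg.tokens[registry]) return { error: 'ENEEDAUTH', registry, pkg: pkg.name };
    toPublish.push({ name: pkg.name, registry });
  }
  return { toPublish, skipped };
}
```

With the second ordering, a CI job can hold a token for the scoped registry alone; a non-private unscoped package still fails with `ENEEDAUTH`, which is the intended outcome.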