Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Why support of legacy auth was dropped? #598

Open
Tri0L opened this issue Mar 31, 2023 · 3 comments
Open

Why support of legacy auth was dropped? #598

Tri0L opened this issue Mar 31, 2023 · 3 comments

Comments

@Tri0L
Copy link

Tri0L commented Mar 31, 2023

Hello.

I see that legacy auth was dropped few releases before. (51ab3c8)
Why?

Is there another way to use legacy auth? We use nexus, and authToken not supported yet.

@travi
Copy link
Member

travi commented Mar 31, 2023

#538 (comment) captures most of the reasoning behind the decision. nexus continuing to support only legacy auth is new information and their current documentation appears to confirm, but is likely not enough to cause us to reverse our decision.

personally, using a registry that continues to require the use of a password would make me question its approach to authorization since it prevents the ability to reduce the level of access granted when leaked. i understand that recommending a registry switch is not a small task, but i would at least consider this a variable to consider when weighing continued use into the future. short of that, the best i can suggest is to continue use of the previous major version of the npm plugin, which has been stable for some time. however, we have no plans to continue maintenance of that version.

@tehshin
Copy link

tehshin commented May 19, 2023

I respect your decision but it is not always possible to switch out the registry within a company because it is used for other repositories besides npm and used by multiple departments.

I just want to simply add a workaround I implemented for our GitLab CI that doesn't require any changes in the plugin:

Based on the documentation we generate the base64 encoded string and store it in a Variable (Repository Settings > CI/CD)

In the pipeline configuration we update the npm config before executing semantic-release:

publish:
  script:
    - npm config set //nexus.url/repository/npm-private/:_auth=$NPM_TOKEN
    # not sure if this is needed, but to be safe we remove the token so the plugin doesn't pick it up
    - unset NPM_TOKEN
    - npx semantic-release

The way I understand it, the plugin will pick up the existing //nexus.url/repository/npm-private/:_auth config and skip appending the token itself.

I hope this helpful for some poor soul. :)

@ashishshah-ac
Copy link

ashishshah-ac commented Aug 22, 2024

That soul is me and this is the exact use case. Thank you for the helpful comment. Using the following to generate NPM_TOKEN

npm config set _auth="$(echo -n $NEXUS_USERNAME:$NEXUS_PASSWORD' | base64)"

Another thing was setting:

export NPM_TOKEN="$(echo -n $NEXUS_USERNAME:$NEXUS_PASSWORD' | base64)"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants