Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] publish with workspaces doesn't respect access controls #7199

Closed
1 task done
tschaub opened this issue Feb 3, 2024 · 3 comments · Fixed by #7564
Closed
1 task done

[BUG] publish with workspaces doesn't respect access controls #7199

tschaub opened this issue Feb 3, 2024 · 3 comments · Fixed by #7564
Assignees
@milaninfy
Labels
Bug thing that needs fixing Priority 2 secondary priority issue Release 10.x

Comments

@tschaub
Copy link

tschaub commented Feb 3, 2024
edited
Loading

Is there an existing issue for this?

It looks like this is the same issue as #3268, although the error I'm getting is different, and it appears that the fix in 4a4fbe3 is specific to the error.

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

I am trying to use workspaces where a number of the packages should not be published (they have "private": true in their package.json). I would like to run a single command that publishes all of the non-private packages. I was hoping this would work:

npm publish --workspaces

When I try this, I get this error:

npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in to https://registry.npmjs.org/
npm ERR! need auth You need to authorize this machine using `npm adduser`

I found #3268 and was hoping that #3285 might have addressed the issue, but it that fix was specific to the EPRIVATE error code. In this case I am seeing ENEEDAUTH.

Expected Behavior

I was hoping that npm publish --workspaces could be used to publish all workspace packages except those that have "private": true in their package.json.

Steps To Reproduce

  1. create a package with two workspaces, one named do-not-publish and one named @example/package
  2. in the package.json for the do-not-publish package, add "private": true
  3. run npm logout && npm login --registry=https://npm.pkg.github.com --scope=@example
  4. run npm publish --workspaces
  5. See npm ERR! code ENEEDAUTH

It looks like the ENEEDAUTH error is thrown for the do-not-publish package even though it includes "private": true. I assume this only happens when the user is not already authenticated with the default registry. In my case, it is occurring in a CI job where an auth-token is only provided for a non-default registry (where the scoped packages are published).

Environment

  • npm: 10.2.4
  • Node.js: 21.5.0
@tschaub tschaub added Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x labels Feb 3, 2024
tschaub referenced this issue Feb 3, 2024
@ruyadorno @wraithgar
fix(publish): skip private workspaces
4a4fbe3 
Allow users to publish all workspaces with `npm publish --ws` while also
skipping any workspace that might have been intentionally marked as
private, using `"private": true` in its package.json file.

Fixes: #3268

PR-URL: #3285
Credit: @ruyadorno
Close: #3285
Reviewed-by: @wraithgar
@chehsunliu
Copy link

I just got this error today. I then renamed the workspace do-not-publish to @example/do-not-publish as a workaround. npm should first determine whether to publish, rather than authentication.

@tschaub
Copy link
Author

tschaub commented Apr 9, 2024

@chehsunliu - I arrived at the same workaround (giving everything the same scope). And I agree that it feels like npm should first determine what needs to be published and then only authenticate with registries for which there are packages to publish.

@lukekarrys lukekarrys added Priority 2 secondary priority issue and removed Needs Triage needs review for next steps labels May 14, 2024
@milaninfy milaninfy self-assigned this May 24, 2024
@milaninfy milaninfy mentioned this issue May 28, 2024
Merged
wraithgar pushed a commit that referenced this issue May 29, 2024
@milaninfy
fix(publish): skip workspace packages marked private on publish (#7564)
e4c7a41 
`npm publish --workspaces` will skip workspace packages marked as
private in package.json.
Currently it's skipping those packages only when you have configured
auth for those packages, it would error out with `ENEEDAUTH` if it
doesn't find the valid auth information.

this fix checks for the private property before checking for auth for
the packages that will essentially not going to get published.

Fixes #7199
@vegeta321311

This comment was marked as spam.

Sign in to view
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@milaninfy milaninfy

Labels
Bug thing that needs fixing Priority 2 secondary priority issue Release 10.x
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(publish): skip workspace packages marked private on publish milaninfy/npm-cli
5 participants
@tschaub @lukekarrys @chehsunliu @milaninfy @vegeta321311