Allow to install packages from GitHub Packages without ~/.npmrc (_authToken)

[AlttiRi]

I totally dislike the requirement to have ~/.npmrc file with //npm.pkg.github.com/:_authToken=TOKEN content, where TOKEN is a token with the read:packages permission, in order to install a package from GitHub Packages.

It makes the installing such packages much difficult, more over it requires to have a GitHub account.
It's absolutely not user-friendly.

I want just to clone a project and install the deps with npm ci/npm i.

I don't want to go GitHub account settings, create a token, and put it in ~/.npmrc.

Why do I need an account if I can just download the package from the web site without even having an account?

Installing packages from NPM/PyPI/Maven/NuGet and other popular places does not require to have an account.
I just type a command and packages are installed. But not packages from GHP.

---

The having of the local .npmrc (with, for example, @alttiri:registry=https://npm.pkg.github.com) to define where the packages are hosted in the project folder is OK, since it is created once by the repo owner.

But requirement to have .npmrc with the token (only just for package reading) is not fine.

[mkvlrn-cm42]

Honestly, why is this still a thing?

I want to be able to yarn add my-package-on-github-packages without hassle, or to have a project where people will be able to just clone and install dependencies without having to add a token.

Who thought this would be a good idea?

[exisapra]

bump

[alexzaharia24]

Indeed, this is quite frustrating. We're using internal packages to our organisation and just added one of the packages as a dependency to one of our repos. Now every new npm install requires the token, which is a very poor developer experience.

[OktarinTentakel]

I agree, this is a catastrophe from a developer perspective. And does not even really make sense, because, if we have a public repo, we can install without any auth using the repo url directly anyway, which is just a little unusual to see in a package.json.

The package should support the same level of comfort as the repo it is based upon.

[shankar-ccm]

Even I am not able to install package with .npmrc, any sueggestions ??

I have github packages in my company private github account and I want to install those packages in another project using dependency in package.json and npm.

Below are the steps I am following.

created .npmrc file
registry=https://registry.npmjs.org/
@{scope}:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}

added dependecy in package.json
"@{scope}/name": "1.0.3",

created PAT for organization

npm install in github action

name: Install Dependencies
run: |
npm cache clean --force
npm install
env:
NODE_AUTH_TOKEN: ${{ secrets.PAT_TOKEN }}
but I am getting 404 error like below

npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/@{scope}%2fname - Not found
npm ERR! 404
npm ERR! 404 '@{scope}/name@1.0.3' is not in this registry.

any suggestions or solutions are appreciated.

[thecodeinfluencer]

It's 2024 and apparently you still cannot install public packages from the GitHub npm registry without being authenticated. Can't even express the frustration.

As a workaround, I'm installing the actual Github repo as opposed to the package.

This is how:

Before

• Add .npmrc to specify the registry for the namespace

registry=https://registry.npmjs.org/
@thecodeinfluencer:registry=https://npm.pkg.github.com/

• Run npm install @thecodeinfluencer/sfc-wa-utils@0.0.5 and you get the error below:

npm ERR! code E401
npm ERR! 401 Unauthorized - GET https://npm.pkg.github.com/@thecodeinfluencer%2fsfc-wa-utils - authentication token not provided

npm ERR! A complete log of this run can be found in: /Users/mbaloo/.npm/_logs/2024-05-28T10_38_39_840Z-debug-0.log

After

• npm install https://github.com/thecodeinfluencer/sfc-wa-utils#286883f where the #286883f is the commit id that you can use for versioning instead of the @0.0.5

Hope it helps someone 🎉

[mkvlrn-cm42]

Yup, this is such a silly thing. Isn't npm part of github now? Or at least also under Microsoft? Just make it part of the UI somehow. Or, better yet, flip the switch that allows us to install packages without tokens.

[simonwo]

Absolutely bonkers that someone thinks this is a good way for this to work. Makes Github Packages completely unsuable for JS.

As a workaround we're having to use GitPkg.

[jcarlsonautomatiq]

Just ran into this today myself. Certainly just an environment NPM_AUTH_TOKEN or other github_token should be supported in a better or more environment based way...

[danielloader]

I'm still wondering why a classic token is still the only way to do this, I wouldn't care as much if I could use a Github App token like I do with Golang packages.

GitHub Packages only supports authentication using a personal access token (classic).

I thought classic tokens weren't a good idea any more? I don't want a user account and PAT purely for NPM packages in an org wide context.

github/roadmap#558