Yesterday, I have upgraded Node.js to 0.12. Previously I have been using 0.10.35. One of the main differences is the version of npm being used. While 0.12 uses 2.5.1, 0.10.35 uses 1.4.28.
Now I try to install a private GitHub repo, that in turn again relies on private GitHub repos. Basically, I type something like this:
$ npm install -g myorg/myrepo
This worked perfectly with 1.4.28, but it fails with 2.5.1: It "fails" means that I get asked for my GitHub credentials for accessing GitHub via https (although I nowhere told npm that I would like to use https):
Username for 'https://github.com':
When I run
$ ssh -T [email protected]
SSH tells me that everything is fine, and GitHub tells me that I am authenticated. If I manually and explicitly install npm 1.4.28 under Node.js 0.12 using
$ npm install -g [email protected]
and try to rerun npm install again, everything is fine. If I switch back to 2.5.1, it doesn't work any more. So, obviously something has changed between these two versions of npm with respect to how SSH authentication works with private GitHub repos.
What complicates this issue further is that this only happens when the module in the private Git repo relies on another private Git repo itself. In other words, if I have two private GitHub repos, foo and bar, and foo relies on bar, then
$ npm install myorg/bar
works, but
$ npm install myorg/foo
doesn't. In the package.json file of the foo repo I have a line as dependency like this:
"bar": "myorg/bar#1.2.3"
According to the documentation, when you try to install via a GitHub url, npm tries to clone from the https://... url. Was this different in older versions of npm?
Any hints?
PS: The same problem happens with io.js 1.1.0 and npm 2.4.1. Again, if I manually revert back to npm 1.4.28, it works.
PPS: I've also already run npm cache clean, but the effect stays the same.
I don't know if this behavior was changed intentionally. I know there have been changes to the github handling....
Rather than specifying your github dependencies as name/repo what happens if you explicitly ask for git+https://github.com/name/repo/ ?
If I use the git+https://github.com/name/repo/ syntax, I get the same behavior: npm asks me for my GitHub credentials, so apparently that's what's happening.
It works if you use git+ssh://....
So the question is whether this change was intentionally.
changed the title
Installing from a private GitHub repo fails with 2.x, succeeds with 1.4.x - why?
Default protocol for GitHub urls: SSH vs HTTPS
Feb 9, 2015
So the code in question is here:
https://github.com/npm/npm/blob/master/lib/cache/maybe-github.js#L9
First it tries a git:// url, if that fails, then it tires git+ssh://. That you're getting prompted for authorization on the former now is... unexpected.
Support for trying the former first was added in 8f77ea9, and ssh fallback (to support private repos) was added in a03622c.
It shouldn't be trying https at all. It doesn't have a code path for https. And none of this code has been changed since like 1.2.20 back in the middle of 2013.
This also matches my own testing:
$ npm -v
2.5.1
$ npm install npm/private-module --loglevel=info
And I see (amongst other things):
npm info maybeGithub Attempting npm/private-module from git://github.com/npm/private-module
npm verb git clone git://github.com/npm/private-module fatal: remote error:
npm verb git clone git://github.com/npm/private-module Repository not found.
npm info maybeGithub Attempting npm/private-module from git+ssh://[email protected]:npm/private-module
And the latter then goes on to succeed.
Could you rerun the command with --loglevel=silly and at least paste in the first few screens of output? Ideally the entire log file would be nice, but it'll be large, too large for github. (Some place, like dropbox, works well for them.)
As said, the problem only appears for dependencies listed in package.json. If you try to install something that has no dependencies to a private repo from CLI using
$ npm install myorg/myrepo
everything works fine :-). So apparently a string in the form myorg/myrepo is handled differently on the CLI and within package.json.
I think it may be related to this line, and this line was changed in June 2014. But as said, I'm not sure about this one.
I'll provide the log and post the URL here.
Okay, I've uploaded the log here.
I've changed a few names (of course, my GitHub org is not myorg and the repo in question is not called myrepo), and I've removed the contents of the README.md file, but the rest is left untouched.
And you can very nicely see the problems:
The module I try to install gets downloaded using git+ssh as expected
Then you can see that one of the dependencies gets written as git+https, although the package.json states: "myrepo-client-js": "myorg/myrepo-client-js#0.5.0"
This then leads to wrong data here and here.
Then the clone command for the dependency is set up wrong.
Finally, npm waits for me to enter the credentials and hangs until you shut it down using Ctrl+C.
Oh, I missed the "only effects package.json entries". My first guess would be that read-package-json and in turn normalize-package-data would be to blame. And indeed github-url-from-username-repo is then called from there and did in fact introduce just this sort of change in c535edd– but that's been with us since v1.4.15.
This is better handled in one place, in the caching code (the fact that
it's in two places is the ultimate cause for npm/npm#7630 and
npm/npm#7302).
This is a breaking change, and therefore semver-major.
Ugh, this is a problem inside my docker container-based build (but works fine on my OSX host):
npm -v
3.10.3
node -v
v6.5.0
@iarna This has been a problem for quite some time. Is it that this isn't going to change?
[email protected]. same issue here.
I have an https:// url in the package.json dependencies, when i do "npm i", i get:
PATH_TOGIT\git.EXE ls-remote -h -t ssh://[email protected]/user/repo.git
which fails.
bump to 3.7.1 w /dist/ files compiled, yarn.lock removed, updated release workflow issue template
publiclab/image-sequencer#2036
