NPM private repository update token issue
🐞 Bug report
I have dependabot-gitlab-npm:2.0.0-alpha.3 standalone running in a GitLab pipeline, connected to the private Nexus NPM repository. Authorization seems to be working fine, but when the script tries updating, it fails with an NPM error about the token (see below). When I try to use username/password, they seem to be ignored totally (I receive HTTP 401 all the time - the credentials are 100% correct).
I would expect token authorization to work without any issues, or username/password to show the same error (at least). Instead, I get:
[2023-08-16 09:17:12 +0000] DEBUG -- [dep-update: on***ui=>npm] [core] Received response from 'https://***/repository/***/luxon', status: 401
[2023-08-16 09:17:12 +0000] ERROR -- [dep-update: on***ui=>npm] The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): ***/repository/***/
Configuration for username/password (the credentials are verified - I can log in with them):
version: 2
registries:
  npm-memsource-group:
    type: npm-registry
    url: https://***/repository/***/
    username: gitlab-ci
    password: ${{NEXUS_PASSWORD}}
    replaces-base: true
Any ideas?
GitLab task configuration
dependabot-gitlab:
  needs: []
  stage: maintenance
  ...
  image:
    name: docker.io/andrcuns/dependabot-gitlab-npm:2.0.0-alpha.3
    entrypoint: ['']
  variables:
    GIT_STRATEGY: none
    RAILS_ENV: production
    SECRET_KEY_BASE: key
    SETTINGS__GITLAB_URL: $CI_SERVER_URL
    SETTINGS__GITLAB_ACCESS_TOKEN: $GITLAB_ACCESS_TOKEN
    SETTINGS__STANDALONE: 'true'
    SETTINGS__LOG_COLOR: 'true'
    SETTINGS__LOG_LEVEL: 'debug'
    SETTINGS__CONFIG_BRANCH: 'dependabot-test'
    SETTINGS__DRY_RUN: 'true'
  script:
    - cd /home/dependabot/app
    - bundle exec rake "dependabot:update[$CI_PROJECT_PATH,npm,/]"
Is there an existing issue for this?
Please search existing issues to avoid creating duplicates
- I have searched the existing issues
dependabot.yml
version: 2
registries:
  npm-registry:
    type: npm-registry
    url: https://***/repository/***/
    token: ${{NEXUS_TOKEN}}
    replaces-base: true
updates:
  - package-ecosystem: 'npm'
    open-pull-requests-limit: 20
    commit-message:
      prefix: 'dependabot: [ci skip] '
    directory: '/'
    schedule:
      interval: 'monthly'
    registries:
      - npm-registry
Log output
[2023-08-16 08:00:23 +0000] DEBUG -- [dep-update: on***ui=>npm] [core] Performing http :get request to 'https://***/repository/***/mitt'
[2023-08-16 08:00:23 +0000] DEBUG -- [dep-update: on***ui=>npm] [core] Received response from 'https://***/repository/***/mitt', status: 200
[2023-08-16 08:00:23 +0000] DEBUG -- [dep-update: on***ui=>npm] [core] Performing http :get request to 'https://***/repository/***/mitt/3.0.1'
[2023-08-16 08:00:23 +0000] DEBUG -- [dep-update: on***ui=>npm] [core] Received response from 'https://***/repository/***/mitt/3.0.1', status: 200
[2023-08-16 08:00:25 +0000] INFO -- [dep-update: on***ui=>npm] updating mitt: 3.0.0 => 3.0.1
[2023-08-16 08:00:28 +0000] ERROR -- [dep-update: on***ui=>npm] npm WARN using --force Recommended protections disabled.
npm ERR! code ERR_INVALID_AUTH
npm ERR! Invalid auth configuration found: `_authToken` must be renamed to `//***/repository/***/:_authToken` in project config
npm ERR! Please run `npm config fix` to repair your configuration.`
npm ERR! A complete log of this run can be found in:
npm ERR! /home/dependabot/.npm/_logs/2023-08-16T08_00_28_090Z-debug-0.log
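
The rename that the `ERR_INVALID_AUTH` message above asks for, shown as an added example that is not part of the original report or of dependabot-gitlab's code. It assumes the registry host `nexus.example.test` (constructed) and hypothetical function names; of the credential keys handled, only `_authToken` appears in the report, the other three are taken from npm's documentation.

```python
"""Constructed example: find unscoped npm credentials in .npmrc text and scope them."""
from urllib.parse import urlsplit

# Credential keys npm expects to be scoped to a registry. Only `_authToken`
# appears in the report; the others are assumed from npm's documentation.
AUTH_KEYS = {"_authToken", "_auth", "username", "_password"}


def registry_scope(registry_url: str) -> str:
    """Return the '//host[:port]/path/' prefix npm uses to scope credentials."""
    parts = urlsplit(registry_url)
    if not parts.netloc:
        raise ValueError(f"not an absolute registry URL: {registry_url!r}")
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    return f"//{parts.netloc}{path}"


def scope_npmrc(text: str, registry_url: str):
    """Return (fixed_text, renamed); renamed holds key names only, never values."""
    scope = registry_scope(registry_url)
    out, renamed = [], []
    for line in text.splitlines():
        stripped = line.strip()
        key, sep, value = stripped.partition("=")
        key = key.strip()
        if sep and not stripped.startswith(("#", ";")) and key in AUTH_KEYS:
            # Unscoped credential: attach it to the registry it belongs to.
            out.append(f"{scope}:{key}={value.strip()}")
            renamed.append((key, f"{scope}:{key}"))
        else:
            # Comments, other settings and already-scoped keys pass through.
            out.append(line)
    return "\n".join(out) + "\n", renamed


# Constructed sample input; host names and variable names are placeholders.
SAMPLE_REGISTRY = "https://nexus.example.test/repository/npm-group"
SAMPLE_NPMRC = """\
registry=https://nexus.example.test/repository/npm-group/
_authToken=${NEXUS_TOKEN}
//other.example.test/:_authToken=${OTHER_TOKEN}
"""

if __name__ == "__main__":
    fixed, renamed = scope_npmrc(SAMPLE_NPMRC, SAMPLE_REGISTRY)
    for old, new in renamed:
        print(f"renamed {old} -> {new}")
    print(fixed, end="")
```

The findings list carries key names only, so it can be written to a CI job log without exposing the token value.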