getNpmUsername prevents publish to private repo

[dlebedynskyi]

After 3.3.1 update getNpmUsername prevents publish to nexus private repo

Expected Behavior

allow to by pass getNpmUsername check. with 3.3.3

lerna publish --no-verify-access --no-verify-registry

allowed to bypass getNpmUsername check.

Current Behavior

lerna publish --no-verify-access --no-verify-registry
lerna not found. Trying with npx...
lerna notice cli v3.3.2
lerna info versioning independent
lerna info Verifying npm credentials
404 Not Found - GET https://nexus.*/repository/npm-group/-/whoami - Not found
lerna ERR! EWHOAMI Authentication error. Use `npm whoami` to troubleshoot.

Possible Solution

use --no-verify-access to disable getNpmUsername check

Steps to Reproduce (for bugs)

issue happens with nexus private repo. Not sure how to reproduce it otherwise.

Context

Had to revert to 3.3.0 for @lerna/* and deal with Current HEAD is already released, skipping change detection. issues.

Related issue on nexus project https://issues.sonatype.org/browse/NEXUS-13433

Your Environment

Executable	Version
lerna --version	3.3.1/3.3.0
npm --version	6.2.0
yarn --version	1.9.4
node --version	8.11.4

OS	Version
NAME	VERSION
macOS Sierra	10.13.6

[Timer]

This is preventing the usage of Lerna 3.x in Create React App as well.
I would've expected --no-verify-access to skip checking /-/whoami.

[adanilev]

I'm having this issue even after downgrading to 3.3.0.

$ lerna publish --no-verify-access --no-verify-registry --registry=https://nexus.XXX/repository/npm-test/
info cli using local version of lerna
lerna notice cli v3.3.0
lerna info versioning independent
lerna info Verifying npm credentials
404 Not Found - GET https://nexus.XXX/repository/npm-test/-/whoami - Package '--whoami' not found
lerna ERR! EWHOAMI Authentication error. Use `npm whoami` to troubleshoot.

[dlebedynskyi]

@adanilev there is a second problem actually.
you need @lerna/[email protected] version. by default lerna package installs @lerna/[email protected] as dependency. Since semver is ^ not ~ - minors work fine.
you need to manually edit .lock file to set @lerna/[email protected]
something like this in yarn.lock

"@lerna/[email protected]", "@lerna/publish@^3.3.2":
  version "3.3.2"
  resolved "https://nexus.*/repository/npm-group/@lerna/publish/-/publish-3.3.2.tgz#bfd54183dbbc3d8d3fdfcb8860af5dd1d7906689"
  dependencies:
    "@lerna/batch-packages" "^3.1.2"
    "@lerna/check-working-tree" "^3.3.0"
    "@lerna/child-process" "^3.3.0"
    "@lerna/collect-updates" "^3.3.2"
    "@lerna/command" "^3.3.0"
    "@lerna/describe-ref" "^3.3.0"
    "@lerna/get-npm-exec-opts" "^3.0.0"
    "@lerna/npm-dist-tag" "^3.3.0"
    "@lerna/npm-publish" "^3.3.1"
    "@lerna/output" "^3.0.0"
    "@lerna/prompt" "^3.3.1"
    "@lerna/run-lifecycle" "^3.3.1"
    "@lerna/run-parallel-batches" "^3.0.0"
    "@lerna/validation-error" "^3.0.0"
    "@lerna/version" "^3.3.2"
    fs-extra "^7.0.0"
    npm-package-arg "^6.0.0"
    npmlog "^4.1.2"
    p-finally "^1.0.0"
    p-map "^1.2.0"
    p-pipe "^1.2.0"
    p-reduce "^1.0.0"
    semver "^5.5.0"

[sarahatwork]

While we're waiting for a permanent fix, you can use yarn resolutions to solve this:

"resolutions": {
  "@lerna/publish": "3.2.1"
}

[adanilev]

Huzzah!! Thanks so much @dlebedynskyi and @sarahatwork. Used yarn resolutions and it works a treat.

lerna publish --no-verify-access --registry=https://nexus.XXX/repository/npm-test/

...and my package.json looks like:

  "devDependencies": {
    "lerna": "3.3.2",
  },
  "resolutions": {
    "@lerna/publish": "3.3.2"
  }

[jbockle]

having the similar issue with private npm repo in VSTS (Azure DevOps Artifacts)

lerna publish --no-verify-access
info cli using local version of lerna
lerna notice cli v3.4.0
lerna info Verifying npm credentials
404 Not Found - GET https://****.pkgs.visualstudio.com/_packaging/****/npm/registry/-/whoami
lerna ERR! EWHOAMI Authentication error. Use `npm whoami` to troubleshoot.

edit:
downgrading to 3.2.1 the issue still persist --no-verify-access is still attempting -/whoami

lerna notice cli v3.2.1
lerna info Verifying npm credentials
404 Not Found - GET https://****.pkgs.visualstudio.com/_packaging/****/npm/registry/-/whoami

[panjiesw]

@jbockle you also need to downgrade @lerna/publish package. If you're using Yarn, set "resolutions" mentioned above. If you're using NPM, just add "@lerna/publish": "3.3.2" in the root monorepo.

[jbockle]

@panjiesw thanks that did the trick

[ibezkrovnyi]

in our nexus repository /-/whoami is not implemented too.
currently we use workaround: lerna exec -- npm publish

btw:
> npm whoami
works, https://github.com/npm/cli/blob/latest/lib/whoami.js#L21 npm first checks if it has username in local config. And only if it doesn't it will check /-/whoami.

[ThisIsMissEm]

@ibezkrovnyi whilst npm whoami works, the issue comes from the fact that lerna doesn't actually use npm whoami under the hood, instead, it makes a direct call to /~/whoami

I'd say this is really a bug with the Nexus repository, instead of a bug with lerna

[ibezkrovnyi]

While I agree that this feature is not implemented in Nexus, unfortunately Nexus works fine for us as private npm registry (including native npm whoami) and thus, it is easier to recreate lerna publish with lerna exec.

Nexus JIRA for tracking: https://issues.sonatype.org/browse/NEXUS-13433

[ThisIsMissEm]

@ibezkrovnyi I think I have an idea.. could you share your local npm config? (I've never come across specifying a username before)

Of course, censor any password/login credential

[ThisIsMissEm]

Okay, I've dug into this further @ibezkrovnyi; This is no longer an issue as of lerna ˀ3.4.1`, please see this change: 06a9479#diff-56894a089f84980a542a859fbae4c47d

In other words, update lerna, and you'll be able to publish to your nexus registry.

[ibezkrovnyi]

Thanks for that, @ThisIsMissEm - will test latest Lerna tomorrow

[manchicken]

This bit me today on both 3.6.0 and 3.8.0. This doesn't appear to be resolved.

[ThisIsMissEm]

@manchicken you'll have to give a bit more information: what command did you run, what third-party registry are you using, what was the error given, and what does your npm config look like? (Replace any sensitive values with )

[manchicken]

I looked closer and it might be a problem with our nexus-with-npm install. Sorry for the false alarm.

[lucasowens]

I'm getting this error again with 3.8.1 with the following command. Publishing to MyGet.

lerna publish --conventional-commits -m 'chore(release): publish [ci skip]' --yes --ignore=lv --no-verify-access --no-verify-registry

[evocateur]

@lucasowens We need more details about the error, please. The lerna command alone is not sufficient. (what was the network error, what is your npm config, etc)

[evocateur]

Anyway, nevermind, gave up and skipped all the crap nexus and artifactory fail at. v3.8.4

[lucasowens]

Thank you @evocateur, v3.8.4 fixed my issue!

[lock]

This thread has been automatically locked because there has not been any recent activity after it was closed. Please open a new issue for related bugs.