yarnpkg/yarn

Private npm registry authentication issue on yarn.lock and package.json semver mismatch

Open

#5256 opened on Jan 20, 2018

View on GitHub
 (3 comments) (0 reactions) (1 assignee)JavaScript (41,514 stars) (2,731 forks)batch import
good first issuehelp wantedtriaged

Description

Do you want to request a feature or report a bug? BUG

What is the current behavior? Yarn does not authenticate with the private npm registry when the package.json and yarn.lock have a semver mismatch for a spesific package.

For example: yarn add css-hot-loader edit package.json and remove the carrot (^) from the version yarn install Result: Rejected 401, Unauthenticated

OS: Linux, Ubuntu (Heroku)

Contributor guide

Tech stack
javascriptnodejs
Domain
clideveloper experience
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
needs investigation
Prerequisites
Familiarity with npm registries and authenticationUnderstanding of semver range resolution
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
20
Research direction
Investigate the authentication flow in Yarn's resolver when resolving packages from a private registry. Focus on the interplay between package.json version ranges and yarn.lock locked versions. Look at relevant files such as src/resolvers/index.js and src/util/request manager.js. Check the issue comments for any prior investigation or maintainer notes.