Yarn not authenticating when "npm:" alias version points to authenticated package #8130

Closed
tinydylan opened this issue May 18, 2020 · 7 comments
Labels
fixed-in-modern This issue has been fixed / implemented in Yarn 2+.

Comments

@tinydylan

Bug description

Yarn is not using authentication when an aliased dependency points to a package that requires authentication.

I'm using an aliased package in my package.json, like this:

    $ cat package.json
    {
      "dependencies": {
        "tinymce": "yarn:@rtc/tinymce"
      }
    }

@rtc/tinymce is a package that requires authentication. However, yarn does not appear to be sending any authentication.

It works fine if I use a normal dependency like this:

    $ cat package.json
    {
      "dependencies": {
        "@rtc/tinymce": "latest"
      }
    }

In both scenarios, I have a .yarnrc file:

    "@rtc:registry" "https://my-npm-host/tiny/rtc/"

and I have the relevant auth token in ~/.npmrc.

Command

With the above package.json, I run:

    yarn install
    rm -rf node_modules
    yarn cache clean --pattern '@rtc/*'
    yarn install --frozen-lockfile

What is the current behavior?
Yarn is not sending authentication when I run yarn install --frozen-lockfile. This is causing a 401 error.

    $ yarn install
    yarn install v1.22.4
    warning package.json: No license field
    warning No license field
    [1/4] 🔍  Resolving packages...
    [2/4] 🚚  Fetching packages...
    error An unexpected error occurred: "https://my-npm-host/tiny/rtc/@rtc/tinymce/-/5.3.0-rtc-build.1/tinymce-5.3.0-rtc-build.1.tgz: Request failed \"401 Unauthorized\"".
    info If you think this is a bug, please open a bug report with the information provided in "/Users/dylan/tmp/testcase/yarn-error.log".
    info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

What is the expected behavior?
The authentication is sent through correctly.

Steps to Reproduce
Unfortunately, I'm unable to provide a public replication case - by nature, this requires an authenticated service. I've been testing with CloudSmith as an example.

  1. Use a package.json, .yarnrc and ~/.npmrc as described above.
  2. Run the command above.

Environment

  • Node Version: 13.12.0
  • Yarn v1 Version: 1.22.4
  • OS and version: macOS 10.15.4

Also tested on:

  • Node Version: 10.20.1
  • Yarn v1 Version: 1.22.4
  • OS and version: CentOS 7
@tinydylan
Author

I did some console.log debugging in my test case.

see: https://github.com/yarnpkg/yarn/blob/master/src/registries/npm-registry.js#L165

    // this.token must be checked to account for publish requests on non-scoped packages
    if (this.token || (isToRegistry && (alwaysAuth || this.isScopedPackage(packageIdent)))) {
      const authorization = this.getAuth(packageIdent);
      if (authorization) {
        headers.authorization = authorization;
      }
    }

It gets into the first if block, but packageIdent = "tinymce", which doesn't need authentication. At this point, we need it to get the authentication for the aliased package name @rtc/tinymce.
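
The behaviour described in this comment, as an added example that is not Yarn's source and not part of the original comment: a simplified model in which the token is looked up by the scope of whatever identifier is passed in. The helper names, the `resolveAlias` switch and the token value are assumptions made for illustration; the registry URL and package names are the ones from the thread.

```javascript
// Simplified model of scope-based registry auth (NOT Yarn's implementation).
// Constructed data: the scope mapping mirrors the .yarnrc in the thread,
// the token is a placeholder standing in for the entry in ~/.npmrc.
const scopeRegistries = { "@rtc": "https://my-npm-host/tiny/rtc/" };
const registryTokens = { "https://my-npm-host/tiny/rtc/": "CONSTRUCTED-TOKEN" };

// "@rtc/tinymce" -> "@rtc"; "tinymce" -> null
function scopeOf(ident) {
  const m = /^(@[^/]+)\//.exec(ident);
  return m ? m[1] : null;
}

// "yarn:@rtc/tinymce" or "npm:@rtc/tinymce@^5" -> "@rtc/tinymce"; null if not an alias
function aliasTarget(range) {
  const m = /^(?:npm|yarn):((?:@[^/@]+\/)?[^@]+)(?:@.*)?$/.exec(range);
  return m ? m[1] : null;
}

// Token lookup keyed on the scope of the identifier it is given.
function getAuth(ident) {
  const registry = scopeRegistries[scopeOf(ident)];
  const token = registry && registryTokens[registry];
  return token ? `Bearer ${token}` : null;
}

// resolveAlias=false models the reported behaviour (lookup by the name in
// package.json); resolveAlias=true looks up by the package the alias points to.
function requestHeaders(depName, range, { resolveAlias }) {
  const target = aliasTarget(range);
  const ident = resolveAlias && target ? target : depName;
  const headers = {};
  const authorization = getAuth(ident);
  if (authorization) headers.authorization = authorization;
  return headers;
}

console.log(requestHeaders("tinymce", "yarn:@rtc/tinymce", { resolveAlias: false }));
console.log(requestHeaders("tinymce", "yarn:@rtc/tinymce", { resolveAlias: true }));
```

In this model the first call produces no `authorization` header because `tinymce` has no scope, which matches the 401 in the report; the second call finds the `@rtc` token.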

@ebenoist

Seeing the same thing here. Is there a known workaround? npm does do the right thing here. I can also confirm that yarn does not offer the token for aliased repositories.

@tinydylan
Author

We found the following workaround:

    {
      "dependencies": {
        "@rtc/tinymce": "^1.2.3",
        "tinymce": "yarn:@rtc/tinymce"
      }
    }

With this, yarn seems to download "@rtc/tinymce": "^1.2.3", first, then cache it, then when it tries to load "tinymce": "yarn:@rtc/tinymce", it loads it from the cache.
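
A check for the situation in this thread, as an added example that is not part of the original comment or of Yarn: it lists aliased dependencies whose target scope has its own registry in `.yarnrc` and that lack the companion direct entry used in the workaround above. The function names are hypothetical and the file contents are constructed from the snippets in the thread.

```javascript
// Constructed inputs, copied from the snippets in the thread.
const yarnrcText = '"@rtc:registry" "https://my-npm-host/tiny/rtc/"\n';
const reported = { dependencies: { tinymce: "yarn:@rtc/tinymce" } };
const withWorkaround = {
  dependencies: { "@rtc/tinymce": "^1.2.3", tinymce: "yarn:@rtc/tinymce" },
};

// Parse `"@scope:registry" "url"` lines from .yarnrc into { "@scope": "url" }.
function scopedRegistries(yarnrc) {
  const out = {};
  for (const line of yarnrc.split(/\r?\n/)) {
    const m = /^\s*"?(@[^:"\s]+):registry"?\s+"?([^"\s]+)"?\s*$/.exec(line);
    if (m) out[m[1]] = m[2];
  }
  return out;
}

// "yarn:@rtc/tinymce" or "npm:@rtc/tinymce@^5" -> "@rtc/tinymce"; null if not an alias
function aliasTarget(range) {
  const m = /^(?:npm|yarn):((?:@[^/@]+\/)?[^@]+)(?:@.*)?$/.exec(range);
  return m ? m[1] : null;
}

// Report aliases that point into a scope with its own registry and have no
// direct dependency on the target in the same dependency field.
function aliasesWithoutCompanion(pkg, registries) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const deps = pkg[field] || {};
    for (const [name, range] of Object.entries(deps)) {
      const target = aliasTarget(String(range));
      const scope = target && target.startsWith("@") ? target.split("/")[0] : null;
      if (!scope || !(scope in registries)) continue;
      if (!Object.prototype.hasOwnProperty.call(deps, target)) {
        findings.push({ field, alias: name, target, registry: registries[scope] });
      }
    }
  }
  return findings;
}

const registries = scopedRegistries(yarnrcText);
console.log(aliasesWithoutCompanion(reported, registries));       // one finding
console.log(aliasesWithoutCompanion(withWorkaround, registries)); // none
```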

@alexk111

alexk111 commented Jun 6, 2020

It was pretty annoying to apply the modification to multi-level dependencies, but it's better than non-working aliases :) I confirm that the workaround proposed by @tinydylan fixes the issue.

@merceyz
Member

merceyz commented Jan 3, 2021

Closing as fixed in v2

https://yarnpkg.com/getting-started/migration

@merceyz merceyz closed this as completed Jan 3, 2021
@merceyz merceyz added the fixed-in-modern This issue has been fixed / implemented in Yarn 2+. label Jan 3, 2021
@trippingtarballs

trippingtarballs commented Aug 11, 2021

Thank you @tinydylan. However, for me at least, an alternative solution (provided by @austin-rausch) was much more appropriate – I am using package aliases to import multiple versions of the same package.

@gamedevsam

There's plenty of people still using [email protected] - this should be fixed imo. Just ran into this issue and spent half a day trying to figure out what was causing it.
