Open MarcAurel opened 4 years ago
@MarcAurel could you try removing the entry for verdaccio in credentials? Think it should work without this if it's public. Adding it to creds might be confusing dependabot to try and add auth to the request.
@feelepxyz thank you for the quick answer!
I get the exact same error without the entry for verdaccio in the settings... 😕
@MarcAurel could you log out the npm_response from this method when requesting from verdaccio to see if there's something unexpected there? https://github.com/dependabot/dependabot-core/blob/main/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb#L357
I finally managed to continue investigating this issue (thank you for your patience @feelepxyz ☺️).
This is not an authentication problem: some requests to verdaccio.mycompany.org have a 404 status because some dependencies of our project are not published on our private npm registry. With the help of Yarn workspaces, these dependencies are located directly in our project.
Is this use case covered by Dependabot?
Did you fix this issue?
I am experiencing the same with the following configuration :
    {
      "type" => "npm_registry",
      "url" => "https://myRegistry/nodejs/content/groups/npm/"
    }
This is the same URL I have in npm locally (npm config list)
➜ ~ npm config list
; "user" config from /Users/yvaldess/.npmrc
registry = "https://myRegistry/nodejs/content/groups/npm/"
; node bin location = /Users/yeikel/.nvm/versions/node/v16.1.0/bin/node
; cwd = /Users/yeikel
; HOME = /Users/yeikel
; Run `npm config ls -l` to show all defaults.
➜ ~ npm config list
; "user" config from /Users/yeikel/.npmrc
registry = "https://myRegistry/nodejs/content/groups/npm/"
; node bin location = /Users/yvaldess/.nvm/versions/node/v16.1.0/bin/node
; cwd = /Users/yeikel
; HOME = /Users/yeikel
; Run `npm config ls -l` to show all defaults
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb:114:in `block in locked_registry'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb:114:in `each'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb:114:in `find'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb:114:in `locked_registry'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb:32:in `registry'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb:82:in `registry_url'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb:40:in `dependency_url'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:375:in `dependency_url'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:304:in `fetch_npm_response'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:285:in `npm_details'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:104:in `valid_npm_details?'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:35:in `latest_version_from_registry'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker.rb:180:in `latest_released_version'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker.rb:205:in `latest_version_details'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-npm_and_yarn-0.149.3/lib/dependabot/npm_and_yarn/update_checker.rb:23:in `latest_version'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-common-0.149.3/lib/dependabot/update_checkers/base.rb:231:in `numeric_version_up_to_date?'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-common-0.149.3/lib/dependabot/update_checkers/base.rb:189:in `version_up_to_date?'
/Users/yeikel/.rvm/gems/ruby-2.6.6/gems/dependabot-common-0.149.3/lib/dependabot/update_checkers/base.rb:33:in `up_to_date?'
It seems to boil down to this :
    def registry
      locked_registry || first_registry_with_dependency_details
    end
@feelepxyz Could you please help here?
Edit :
It ended up being a typo in my configuration. The configuration format is not very consistent.
For maven it is type and url but for NPM it is type and registry
Is this intentional?
    credentials = [
      {
        "type" => "maven_repository",
        "url" => "https://url"
      },
      {
        "type" => "npm_registry",
        "registry" => "url"
      }
    ]
Edit 2 :
I had to remove HTTPS from my configuration because this https://github.com/dependabot/dependabot-core/blob/ecfabf6e7c1622b7a958df7f521cd2b533ca237f/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb#L82 adds the protocol again and the final URL looked like https://https://
That looks like a bug to me
Once again, I did not see this behaviour in maven
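The two configuration mistakes described in the comment above (the "url" key on an npm_registry entry, and a scheme in the registry value that ends up as https://https://) can be caught before the credentials reach Dependabot. The following is an added example, not part of the original thread and not Dependabot's own code; `preflight_credentials` is a hypothetical helper, and the key names and scheme handling are assumptions taken from what this thread reports for the versions discussed.

```ruby
# Added example: pre-flight check for a Dependabot credentials array.
# Key names and the scheme handling follow what this thread reports; they are
# assumptions about the versions discussed here, not a documented contract.
EXPECTED_KEY = {
  "maven_repository" => "url",      # full URL, scheme included
  "npm_registry"     => "registry"  # host/path only, no scheme
}.freeze

SCHEME = %r{\A[a-z][a-z0-9+.-]*://}i

# Returns [normalized_credentials, warnings]; the input is not mutated.
def preflight_credentials(credentials)
  warnings = []
  normalized = credentials.map do |original|
    cred = original.dup
    type = cred["type"]
    key  = EXPECTED_KEY[type]
    next cred unless key # unknown types pass through untouched

    if type == "npm_registry"
      # The "url" vs "registry" mix-up described in the thread.
      if !cred.key?("registry") && cred.key?("url")
        warnings << "npm_registry: \"url\" given, expected \"registry\""
        cred["registry"] = cred.delete("url")
      end
      # A scheme here would be prefixed again, giving https://https://...
      value = cred["registry"].to_s
      if value.match?(SCHEME)
        warnings << "npm_registry: scheme removed from #{value.inspect}"
        cred["registry"] = value.sub(SCHEME, "")
      end
    end

    warnings << "#{type}: #{key.inspect} is missing" if cred[key].to_s.empty?
    cred
  end
  [normalized, warnings]
end

# Constructed sample, using the values posted in the thread.
SAMPLE = [
  { "type" => "maven_repository", "url" => "https://url" },
  { "type" => "npm_registry",
    "url"  => "https://myRegistry/nodejs/content/groups/npm/" }
].freeze

if __FILE__ == $PROGRAM_NAME
  fixed, warnings = preflight_credentials(SAMPLE)
  warnings.each { |w| warn w }
  p fixed
end
```

Failing the job when the warnings list is non-empty surfaces these as configuration errors rather than as a misleading authentication failure later in the run.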
I get the same error when accessing some public registries like the following example: Any solutions for this case?
- Updating @vue/test-utils (from 1.3.5)…/home/dependabot/dependabot-script/.bundle/gems/dependabot-npm_and_yarn-0.172.2/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:326:in `check_npm_response': The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): registry.npmjs.org (Dependabot::PrivateSourceAuthenticationFailure)
from /home/dependabot/dependabot-script/.bundle/gems/dependabot-npm_and_yarn-0.172.2/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:279:in `npm_details'
from /home/dependabot/dependabot-script/.bundle/gems/dependabot-npm_and_yarn-0.172.2/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:108:in `valid_npm_details?'
from /home/dependabot/dependabot-script/.bundle/gems/dependabot-npm_and_yarn-0.172.2/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:36:in `latest_version_from_registry'
from /home/dependabot/dependabot-script/.bundle/gems/dependabot-npm_and_yarn-0.172.2/lib/dependabot/npm_and_yarn/update_checker.rb:180:in `latest_released_version'
from /home/dependabot/dependabot-script/.bundle/gems/dependabot-npm_and_yarn-0.172.2/lib/dependabot/npm_and_yarn/update_checker.rb:205:in `latest_version_details'
from /home/dependabot/dependabot-script/.bundle/gems/dependabot-npm_and_yarn-0.172.2/lib/dependabot/npm_and_yarn/update_checker.rb:23:in `latest_version'
from /home/dependabot/dependabot-script/.bundle/gems/dependabot-common-0.172.2/lib/dependabot/update_checkers/base.rb:231:in `numeric_version_up_to_date?'
from /home/dependabot/dependabot-script/.bundle/gems/dependabot-common-0.172.2/lib/dependabot/update_checkers/base.rb:189:in `version_up_to_date?'
from /home/dependabot/dependabot-script/.bundle/gems/dependabot-common-0.172.2/lib/dependabot/update_checkers/base.rb:33:in `up_to_date?'
from ./generic-update-script.rb:179:in `block in <main>'
from ./generic-update-script.rb:169:in `each'
from ./generic-update-script.rb:169:in `<main>'
I am trying to use Dependabot with Docker to maintain some JS repositories on a self-hosted Github Enterprise. I use the official dependabot/dependabot-core Docker image and a modified update-script.rb with my Github and Github Enterprise tokens.
The JS projects I want to maintain use a private npm registry (let's say verdaccio.mycompany.org) that does not need authentication at all. Here is the configuration I use in update-script.rb:
The command I run within my Docker container is the following:
And here is the error I get:
I have no difficulties reaching my private registry from the Docker container: curl https://verdaccio.mycompany.org/react/ gives me similar results as https://registry.npmjs.org/react/.
Could you enlighten me on this? I am not a ruby developer, but I would be more than happy to contribute at my ability level if I have the opportunity.