ArtifactoryNpm@2 task fails after npm version 9.x changed authentication method

[UIQA]

Describe the bug

Hello, We successfully used ArtifactoryNpm@2 task in Azure DevOps pipeline for a long time until npm@9 arrived. Currently, our tests fail because the ERR_INVALID_AUTH error.

Could you please fix this error? Thank you!

Current behavior

npm ERR! code ERR_INVALID_AUTH npm ERR! Invalid auth configuration found: _auth must be renamed to //qusw.jfrog.io/artifactory/api/npm/:_auth in project config npm ERR! Please run npm config fix to repair your configuration.`

Reproduction steps

Please, run the following pipeline Azure Devops:

name: ArtifactoryNpmTests trigger: none pool: vmImage: 'ubuntu-latest'

steps:

• task: ArtifactoryNpm@2 displayName: 'Artifactory npm install' inputs: artifactoryService: 'Jfrog service connection here' sourceRepo: 'npm-virtual'

Expected behavior

ArtifactoryNpm@2 will run successfully.

Azure DevOps extension name and version

JFrog Artifactory version 1.13.6

JFrog CLI version

1.53.2

Operating system type and version

ubuntu-latest

JFrog Artifactory version (if relevant)

1.13.6

JFrog Xray version (if relevant)

No response

JFrog Distribution version (if relevant)

No response

[bkaidbb]

Ran into this as well. Worked around it temporarily by making sure Node version 18.13.0 which uses npm 8 still by default was installed (using either nvm or NodeTool@0).

[UIQA]

thank you @bkaidbb - we also temporally install npm@8 for now before running the task and tests. But need run tests on npm@9.

[yahavi]

@UIQA @bkaidbb , Thanks for reporting this issue. We fixed it in https://github.com/jfrog/jfrog-cli-core/pull/695, which is included in JFrog CLI v2.29.6. JFrog Azure DevOps extension v2.4.1 already uses this CLI version by default. To use the latest npm task version, you can install the JFrog Azure DevOps extension side by side with the old extension and switch to the new npm task. For more information read here.

We'd appreciate your feedback on that.

[bkaidbb]

Switching from ArtifactoryNpm@2 to JFrogNpm@1 seems to work now and pulls the newer JFrog CLI as you mentioned. Thanks!

[UIQA]

Thank you, @yahavi I used JFrogNpm@1 task and it failed with the following error: 02:25:31 [Info] Running npm install. npm WARN old lockfile npm WARN old lockfile The package-lock.json file was created with an old version of npm, npm WARN old lockfile so supplemental metadata must be fetched from the registry. npm WARN old lockfile npm WARN old lockfile This is a one-time fix-up, please be patient... npm WARN old lockfile npm ERR! code E401 npm ERR! Incorrect or missing password. npm ERR! If you were trying to login, change your password, create an npm ERR! authentication token or enable two-factor authentication then npm ERR! that means you likely typed your password in incorrectly. npm ERR! Please try again, or recover your password at: npm ERR! https://www.npmjs.com/forgot npm ERR! npm ERR! If you were doing some other operation then your saved credentials are npm ERR! probably out of date. To correct this please try logging in again with: npm ERR! npm login

[UIQA]

Hello!

Do you have any update on this issue?

Thanks

[sverdlov93]

Hi @UIQA , Do you manage to run plain npm install successfully, without jfrog task? Can you remove the package-lock file from your project and let the command run?

[UIQA]

Hi @sverdlov93 , Yes, plain npm install runs successfully. And yes, JFrogNpm@1 task runs successfully if I delete package-lock file. But I am looking for the way to save it, I mean the existing package-lock file. We not ready to get read of it yet. Is there any work around?

Thank you

[sverdlov93]

@UIQA I believe that your old package-lock contains fields with URLs that contain the default npm registry or a different registry than the one you use on the JFrog Azure task. So the npm install command fails when trying to install that package-lock. The same would happen if you will update your npmrc locally and run a plain npm install. You should delete your old package-lock and push the new package-lock created by jf npm install with the JFrog registry.

[pastinepolenta]

Any plan to fix it in ArtifactoryNpm@2 or is JFrogNpm@1 now a requirement? we have multiple repos depending on it

[biolauri]

According to the description of the Azure Pipelines Extension (called JFrog Artifactory) behind ArtifactoryNpm@2, this extension has been deprecated, will not be supported anymore and everyone has to switch to the extension behind JFrogNpm@1, simply called JFrog. The old extension has not been updated since March 2022, the new one still receives updates.

The legacy/deprecated JFrog Artifactory plugin (ArtifactoryNpm@2) only supports Node until version 16, because later Node versions are shipped with NPM v9 or greater.

The changes including the mentioned error are described in official JFrog help on login behavior changes regarding npm v9. The suggested fix (just run npm config fix) doesn't work with this Azure Pipelines Task, unfortunately, so there is no possibility around an update/switch.