Why support of legacy auth was dropped?

semantic-release / npm

:ship: semantic-release plugin to publish a npm package

MIT License

244 stars 114 forks source link

Why support of legacy auth was dropped? #598

Open Tri0L opened 1 year ago

Tri0L commented 1 year ago

Hello.

I see that legacy auth was dropped few releases before. (https://github.com/semantic-release/npm/commit/51ab3c8b7bf6848080288a64af1b723ebf267ba6) Why?

Is there another way to use legacy auth? We use nexus, and authToken not supported yet.

travi commented 1 year ago

https://github.com/semantic-release/npm/pull/538#issuecomment-1356057959 captures most of the reasoning behind the decision. nexus continuing to support only legacy auth is new information and their current documentation appears to confirm, but is likely not enough to cause us to reverse our decision.

personally, using a registry that continues to require the use of a password would make me question its approach to authorization since it prevents the ability to reduce the level of access granted when leaked. i understand that recommending a registry switch is not a small task, but i would at least consider this a variable to consider when weighing continued use into the future. short of that, the best i can suggest is to continue use of the previous major version of the npm plugin, which has been stable for some time. however, we have no plans to continue maintenance of that version.

tehshin commented 1 year ago

I respect your decision but it is not always possible to switch out the registry within a company because it is used for other repositories besides npm and used by multiple departments.

I just want to simply add a workaround I implemented for our GitLab CI that doesn't require any changes in the plugin:

Based on the documentation we generate the base64 encoded string and store it in a Variable (Repository Settings > CI/CD)

In the pipeline configuration we update the npm config before executing semantic-release:

publish:
  script:
    - npm config set //nexus.url/repository/npm-private/:_auth=$NPM_TOKEN
    # not sure if this is needed, but to be safe we remove the token so the plugin doesn't pick it up
    - unset NPM_TOKEN
    - npx semantic-release

The way I understand it, the plugin will pick up the existing //nexus.url/repository/npm-private/:_auth config and skip appending the token itself.

I hope this helpful for some poor soul. :)

ashishshah-ac commented 1 month ago

That soul is me and this is the exact use case. Thank you for the helpful comment. Using the following to generate NPM_TOKEN

npm config set _auth="$(echo -n $NEXUS_USERNAME:$NEXUS_PASSWORD' | base64)"

Another thing was setting:

export NPM_TOKEN="$(echo -n $NEXUS_USERNAME:$NEXUS_PASSWORD' | base64)"