search

yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com
Other
41.37k stars 2.72k forks source link

Yarn doesn't send authorization header when resolution swaps an unscoped package for a scoped package #8967

Open KristjanTammekivi opened 11 months ago

KristjanTammekivi commented 11 months ago

Hi,

I swapped out a package for a private forked version and started getting 404 errors in CI. After a lot of debugging I found that it happens because yarn checks for isScopedPackage on the original package name, not the replaced one. https://github.com/yarnpkg/yarn/blob/master/src/registries/npm-registry.js#L164

How to replicate: Swap out an unscoped package for a private scoped package. 

"resolutions": {
        "**/somepackage": "npm:@someorg/somepackage@*"
    },

run yarn This will work the first time, but running yarn cache clean && rm -rf node_modules && yarn will produce 404

mlazari commented 6 months ago

I see a similar issue, for something like:

dependencies: {
  "somepackage": "npm:@someorg/somepackage@^0.1.2",
}

Getting a 403 Forbidden error on yarn install. npm i works without errors.

kamil-sienkiewicz-asi commented 2 months ago

Same here, getting 403 when running yarn install with already existing yarn.lock without yarn.lock its working normally.