Installing private package from Github Package registry using Yarn fails with not authorized

Question

This question is related to these. But none of the solutions worked for me.

• Yarn can't find private Github npm registry
• Installing private package from Github Package registry fails with not found/not authorized

I can install a package without issues with npm install @scope/package however I cannot do the same with yarn: yarn add @scope/package

yarn throws the following error: An unexpected error occurred: "https://npm.pkg.github.com/download/@scope/package/1.2.8/089b08cffb16074c210ec3a59b04de268ae1c7b3a0492dce110adee3ada05bdd: Request failed \"401 Unauthorized\"".

my .npmrc file looks like this: (tried with and without below .yarnrc)

registry=https://registry.npmjs.org/
//npm.pkg.github.com/:_authToken=MY_AUTHTOKEN
@scope:registry=https://npm.pkg.github.com/

I have tried adding this .yarnrc file:

registry "https://registry.npmjs.org"
"@scope:registry" "https://npm.pkg.github.com"

(without .yarnrc) I've tried this .npmrc file

registry=https://registry.yarnpkg.com/

@scope:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=MY_AUTHTOKEN
always-auth=true

Where MY_AUTHTOKEN is my Personal Access Token I've generated from Github. (it has access to everything in packages)

I have tried to:

• remove yarn.lock
• remove .yarnrc
• login with npm login using my PAT as the password
• logout of npm and removing global .npmrc and .yarnrc
• logging in with yarn login

In case of any confusion I'm not actually trying @scope and /package but my actual scope and package name.

I do have access to the scope and package on Github.

and again my first setup works just fine with npm. But I cannot get this working with yarn, and cannot find any valid existing solution on SO.

Answer 1

The following worked for me in .npmrc

@mvce-superstars:registry=https://npm.pkg.github.com

Using yarn v2, the following worked for me in .yarnrc.yml:

npmScopes:
  "mvce-superstars":
    npmAlwaysAuth: true
    npmAuthToken: xxx-xxx # optional
    npmRegistryServer: "https://npm.pkg.github.com"

Note

The scope name is lowercase. This is supposed to be the name of the owner of the repository (ex. MVCE-Superstars) where the package was published, but the name has to be all lower-cased.

---

The setup

Publishing

• I created a private copy of this hello-world repository.
• I copied over the above .npmrc OR .yarnrc.yml file into the repoository.
• Next I logged in using the npm login --registry=https://npm.pkg.github.com/ OR yarn npm login --scope=mvce-superstars command (skip if npmAuthToken is specified above)
• I entered my github user name, and my token (with scopes read:package, write:package, and repo) (skip if npmAuthToken is specified above)
• Finally, I pushed the package to my private repo using npm publish OR yarn npm publish

Output

npm notice 
npm notice 📦  @mvce-superstars/[email protected]
npm notice === Tarball Contents === 
npm notice 16.3kB example.gif   
npm notice 89B    bin.js        
npm notice 175B   lib/index.js  
npm notice 734B   package.json  
npm notice 2.0kB  yarn-error.log
npm notice 570B   Readme.md     
npm notice 167B   init.sh       
npm notice === Tarball Details === 
npm notice name:          @mvce-superstars/hello-world-npm        
npm notice version:       1.1.1                                   
npm notice package size:  14.3 kB                                 
npm notice unpacked size: 20.0 kB                                 
npm notice shasum:        5379c8030fa9c5f57e5baef67f2a8a784ce93361
npm notice integrity:     sha512-FAI/Wuy4gHW8C[...]FINQeIlZ+HDdg==
npm notice total files:   7                                       
npm notice 
+ @mvce-superstars/[email protected]

Downloading

• I create a new npm project using npm init (use-hello-world-npm)
• I copy the above .npmrc to the root of the folder
• Next I logout of npm (npm logout --registry=https://npm.pkg.github.com/) and log back in (npm login --registry=https://npm.pkg.github.com/), just to be sure
• Finally, I run yarn and like it was supposed to, it worked!

Output

yarn install v1.22.4
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
Done in 0.55s.

yarn v2

➤ YN0000: ┌ Resolution step
➤ YN0014: │ @mvce-superstars/hello-world-npm@npm:^1.1.1: Only some patterns can be imported from legacy lockfiles (not "https://npm.pkg.github.com/download/@mvce-superstars/hello-world-npm/1.1.1/426126f89734c2c76bfac0342c1de9c95ad003b6e905a7b9f9f745892c86da7a#5379c8030fa9c5f57e5baef67f2a8a784ce93361")
➤ YN0000: └ Completed in 0.55s
➤ YN0000: ┌ Fetch step
➤ YN0013: │ @mvce-superstars/hello-world-npm@npm:1.1.1::__archiveUrl=https%3A%2F%2Fnpm.pkg.github.com%2Fdownload%2F%40mvce-superstars%2Fhello-world-npm%2F1.1.1%2F426126f89734c2c76bfac0342c1de9c95ad003b6e905a7b9f9f745892c86da7a can't be found in the cache and will be fetched from the remote server
➤ YN0000: └ Completed in 1.3s
➤ YN0000: ┌ Link step
➤ YN0031: │ One or more node_modules have been detected and will be removed. This operation may take some time.
➤ YN0000: └ Completed
➤ YN0000: Done with warnings in 1.87s

Contents of folder after yarn

.
├── node_modules
│   └── @mvce-superstars
├── package.json
└── yarn.lock

And for good measure, I remove it (yarn remove @mvce-superstars/hello-world-npm):

yarn remove v1.22.4
[1/2] Removing module @mvce-superstars/hello-world-npm...
[2/2] Regenerating lockfile and installing missing dependencies...
success Uninstalled packages.
Done in 0.06s.

and add it again (yarn add @mvce-superstars/hello-world-npm):

yarn add v1.22.4
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
success Saved 1 new dependency.
info Direct dependencies
└─ @mvce-superstars/[email protected]
info All dependencies
└─ @mvce-superstars/[email protected]
Done in 1.08s.

Sources:

• https://help.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-npm-for-use-with-github-packages
• https://gemfury.com/help/private-yarn/
• https://github.com/yarnpkg/yarn/issues/4451

Answer 2

You need only to use .npmrc in the root of your project with this content:

//npm.pkg.github.com/:_authToken=GITHUB_PERSONAL_TOKEN
@OWNER:registry=https://npm.pkg.github.com

Keep in mind that GITHUB_PERSONAL_TOKEN needs read:packages scope permissions in order to read the packages from your private repo.

Answer 3

I am adding an answer here because after a day of trying different variations of the solutions here and elsewhere, I found that my issue was something else.

My issue was that, while npm is not case sensitive with regards to package names, yarn is when it comes to authentication! 🤦‍♂️

So, using the example from this solution:

registry=https://registry.yarnpkg.com/

@GITHUB_USERNAME:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=AUTH_TOKEN
always-auth=true

I needed to ensure two things:

1. @GITHUB_USERNAME needs to match the case that you see on github and the name the package was published under. I.e., if your username is Pickle-Rick, you need to put @Pickle-Rick:registry=https://npm.pkg.github.com, not @pickle-rick or @Pickle-rick.

2. You need to match this casing in your package.json or your yarn add command - whichever you are using. For example:

   "@Pickle-Rick/schwifty": "^1.0.0" in package.json or yarn add @Pickle-Rick/schwifty.

I found this solution by digging through yarn github issues.