Latest release fails because `always-auth` is not a valid npm option

[jshields-squarespace]

Summary

The latest release of the plugins/npm Docker image (after #65) fails when trying to execute npm config set always-auth true, with the following error message:

npm ERR! `always-auth` is not a valid npm option

Cause

The Dockerfile for plugins/npm installs npm via RUN apk add --no-cache git nodejs npm. In the latest version of plugins/npm, this installs NPM version 9.1.2. In the previous release of plugins/npm, this was NPM version 8.1.3.

Sometime between NPM 8.1.3 and 9.1.2, setting the always-auth option must have become an error.

It appears that always-auth was removed in NPM 7.11.1 (changelog, pull request), but setting it as a config option didn't return an error until NPM 9.0.0-pre.6 (changelog, pull request).

Repro Steps

To reproduce:

echo '{"name": "foobar", "version": "1.0.0"}' >package.json

docker pull plugins/npm:latest

docker run --rm \
  -e NPM_USERNAME=drone \
  -e NPM_PASSWORD=password \
  -e NPM_EMAIL=drone@drone.io \
  -v $(pwd):$(pwd) \
  -w $(pwd) \
  plugins/npm:latest

Output:

latest: Pulling from plugins/npm
Digest: sha256:5bf18853264a6ff85c87d1472fdc8ec181c5dd10161cfa744042259dbcfac5a7
Status: Image is up to date for plugins/npm:latest
docker.io/plugins/npm:latest

time="2022-12-15T21:56:27Z" level=info msg="Specified credentials" email=drone@drone.io username=drone
time="2022-12-15T21:56:27Z" level=info msg="Found package.json" name=foobar path=package.json version=1.0.0
time="2022-12-15T21:56:27Z" level=info msg="Specified credentials" email=drone@drone.io username=drone
time="2022-12-15T21:56:27Z" level=info msg="Writing npmrc" path=/root/.npmrc
+ npm --version
9.1.2
+ npm config set always-auth true
npm ERR! `always-auth` is not a valid npm option

Suggested Fix

Given that always-auth was seemingly removed in NPM 7.11.1, perhaps we can simply stop setting it in plugins/npm at this point.

Workaround

To work around this, you can request a previous version of plugins/npm by digest:

docker pull plugins/npm@sha256:4f0ad309dd7438248ff3323439cc79f259b6bf7064d847766d769e0b440aec7a

docker run --rm \
  -e NPM_USERNAME=drone \
  -e NPM_PASSWORD=password \
  -e NPM_EMAIL=drone@drone.io \
  -v $(pwd):$(pwd) \
  -w $(pwd) \
  plugins/npm@sha256:4f0ad309dd7438248ff3323439cc79f259b6bf7064d847766d769e0b440aec7a

Output:

docker.io/plugins/npm@sha256:4f0ad309dd7438248ff3323439cc79f259b6bf7064d847766d769e0b440aec7a: Pulling from plugins/npm

Digest: sha256:4f0ad309dd7438248ff3323439cc79f259b6bf7064d847766d769e0b440aec7a
Status: Image is up to date for plugins/npm@sha256:4f0ad309dd7438248ff3323439cc79f259b6bf7064d847766d769e0b440aec7a
docker.io/plugins/npm@sha256:4f0ad309dd7438248ff3323439cc79f259b6bf7064d847766d769e0b440aec7a

time="2022-12-15T22:10:32Z" level=info msg="Specified credentials" email=drone@drone.io username=drone
time="2022-12-15T22:10:32Z" level=info msg="Found package.json" name=foobar path=package.json version=1.0.0
time="2022-12-15T22:10:32Z" level=info msg="Specified credentials" email=drone@drone.io username=drone
time="2022-12-15T22:10:32Z" level=info msg="Writing npmrc" path=/root/.npmrc
+ npm --version
8.1.3
+ npm config set always-auth true
+ npm whoami
drone
+ npm view foobar versions --json
time="2022-12-15T22:10:34Z" level=info msg="Version found in the registry"
time="2022-12-15T22:10:34Z" level=info msg="Not publishing package"

[rhiaxion]

@tphoney could you take a look at this please? This is the second time this year that auto updates to npm have broken this plugin.

Also could we please get some versioned Docker image releases for this plugin so we can pin to a version instead of being at the mercy of the latest tag?

[snaemi]

I am also running into this issue and was able to use @jshields-squarespace's workaround (thanks!) of specifying the digest on the image, but within the yaml config file used for my Drone build. Here's a snippet of that for reference:

...

steps:
  - name: npm-publish
    image: plugins/npm@sha256:4f0ad309dd7438248ff3323439cc79f259b6bf7064d847766d769e0b440aec7a
    settings:
      username: user
      password:
        from_secret: password
      registry: "https://<private registry>"

...

[d1wilko]

ok - we will need to remove that always-auth code

I'm wondering if we need to move away from npm username and password and towards npm tokens - I'll look into this a bit - but we will remove the always auth piece for now - #67

[jshields-squarespace]

@d1wilko @tphoney Thank you both for taking a look!

I tested the new changes from #67. I think it fixes the problem for token-based auth, but there is a different error now for username and password-based auth, which also appears to be due to auth changes in NPM 9.

Running the same repro steps from the issue description now gives:

latest: Pulling from plugins/npm
Digest: sha256:73bc732d156baea86bacc3c5b067381dcbe558ce8bcd0b94a695028df1d82d53
Status: Image is up to date for plugins/npm:latest
docker.io/plugins/npm:latest

time="2022-12-20T15:17:53Z" level=info msg="Specified credentials" email=drone@drone.io username=drone
time="2022-12-20T15:17:53Z" level=info msg="Found package.json" name=foobar path=package.json version=1.0.0
time="2022-12-20T15:17:53Z" level=info msg="Specified credentials" email=drone@drone.io username=drone
time="2022-12-20T15:17:53Z" level=info msg="Writing npmrc" path=/root/.npmrc
+ npm --version
9.1.2
+ npm whoami
npm ERR! code ERR_INVALID_AUTH
npm ERR! Invalid auth configuration found: `_auth` must be renamed to `//registry.npmjs.org/:_auth` in user config
npm ERR! Please run `npm config fix` to repair your configuration.`

I think that's due to this change in NPM 9.0.0-pre5 (changelog, pull request):

the presence of auth related settings that are not scoped to a specific registry found in a config file is no longer supported and will throw errors

[ns-tinnehalim]

@d1wilko @tphoney Thank you both for taking a look!

I tested the new changes from #67. I think it fixes the problem for token-based auth, but there is a different error now for username and password-based auth, which also appears to be due to auth changes in NPM 9.

Running the same repro steps from the issue description now gives:

latest: Pulling from plugins/npm
Digest: sha256:73bc732d156baea86bacc3c5b067381dcbe558ce8bcd0b94a695028df1d82d53
Status: Image is up to date for plugins/npm:latest
docker.io/plugins/npm:latest

time="2022-12-20T15:17:53Z" level=info msg="Specified credentials" email=drone@drone.io username=drone
time="2022-12-20T15:17:53Z" level=info msg="Found package.json" name=foobar path=package.json version=1.0.0
time="2022-12-20T15:17:53Z" level=info msg="Specified credentials" email=drone@drone.io username=drone
time="2022-12-20T15:17:53Z" level=info msg="Writing npmrc" path=/root/.npmrc
+ npm --version
9.1.2
+ npm whoami
npm ERR! code ERR_INVALID_AUTH
npm ERR! Invalid auth configuration found: `_auth` must be renamed to `//registry.npmjs.org/:_auth` in user config
npm ERR! Please run `npm config fix` to repair your configuration.`

I think that's due to this change in NPM 9.0.0-pre5 (changelog, pull request):

the presence of auth related settings that are not scoped to a specific registry found in a config file is no longer supported and will throw errors

Confirmed publishing to private registry also not working for me after npm v9 update. Can we add auth-type legacy or update the plugin to add registry as prefix to auth?