yarn add for scoped package against private registry with creds for public npm fails

[seansfkelley]

The title is a bit of a mouthful. In more words: when .npmrc (or, presumably, .yarnrc) are configured with both a private registry URL and an auth token for publishing to public npm, installing scoped packages breaks. The private registry in question here is Artifactory, and the going theory is that Yarn is sending the creds (inappropriately: the config is for two different URLs), which Artifactory is not happy about, and 401s (since the creds are for public npm, not Artifactory). I'm not sure why scoped packages would be treated differently, as it works fine otherwise.

Following is some commands to illustrate:

> pwd
~

> cat .yarnrc
cat: .yarnrc: No such file or directory

> cat .npmrc
registry=<private registry URL that works fine with npm and non-scoped packages>
//registry.npmjs.org/:_authToken=<my auth token>

> yarn add @types/d3-scale --verbose
yarn add v0.19.1
info No lockfile found.
verbose Performing "GET" request to "https://yarnpkg.com/latest-version".
[1/4] 🔍  Resolving packages...
verbose Performing "GET" request to "<correct private registry URL ...>/@types%2fd3-scale".
verbose Request "<correct private registry URL ...>/@types%2fd3-scale" finished with status code 401.
verbose Error: Couldn't find package "@types/d3-scale" on the "npm" registry.
    at MessageError (/usr/local/Cellar/yarn/0.19.1/libexec/lib/node_modules/yarn/lib/errors.js:8:5)
    at /usr/local/Cellar/yarn/0.19.1/libexec/lib/node_modules/yarn/lib/resolvers/registries/npm-resolver.js:207:15
    at next (native)
    at step (/usr/local/Cellar/yarn/0.19.1/libexec/lib/node_modules/yarn/node_modules/babel-runtime/helpers/asyncToGenerator.js:17:30)
    at /usr/local/Cellar/yarn/0.19.1/libexec/lib/node_modules/yarn/node_modules/babel-runtime/helpers/asyncToGenerator.js:28:13
    at process._tickCallback (internal/process/next_tick.js:103:7)
error Couldn't find package "@types/d3-scale" on the "npm" registry.
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.

> npm install @types/d3-scale
~
└─┬ @types/d3-scale@1.0.6 
  └── @types/d3-time@1.0.5 

> yarn add d3-scale          
yarn add v0.19.1
info No lockfile found.
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
[4/4] 📃  Building fresh packages...
success Saved lockfile.
success Saved 8 new dependencies.
├─ d3-array@1.0.2
├─ d3-collection@1.0.2
├─ d3-color@1.0.2
├─ d3-format@1.0.2
├─ d3-interpolate@1.1.3
├─ d3-scale@1.0.4
├─ d3-time-format@2.0.3
└─ d3-time@1.0.4
✨  Done in 2.45s.

# edit .npmrc...

> cat .npmrc 
registry=<same registry URL>

> yarn add @types/d3-scale 
yarn add v0.19.1
warning No license field
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
[4/4] 📃  Building fresh packages...
success Saved lockfile.
success Saved 2 new dependencies.
├─ @types/d3-scale@1.0.6
└─ @types/d3-time@1.0.5
warning No license field
✨  Done in 1.50s.

[bluekeyes]

For additional background, the Artifactory instance is configured to allow anonymous access. If you provide no credentials, you can read whatever you like. If you provide any credentials, Artifactory attempts to validate them and returns the 401 status (in this case, because the user does not exist.)

[AndyMoreland]

I think this is the offending line of code: https://github.com/yarnpkg/yarn/blob/master/src/registries/npm-registry.js#L56 (the last clause).

Reading in context it seems like the author assumes that "scoped" implies "authenticated".

[KubaZ]

Had exact same issue last friday, had to remove auth token from ~/.npmrc to be able to download scoped package from local artifactory.