npm install from github leads to 401: GPR/NPM registry for public packages really needs realm/token?

Hi -

I am publishing my package to github package repository using my personal token using .npmrc, all fine.  Now I want that anyone can use this package in his package.json as easy as possible. But npm install fails with asking for authentication, even for a simple package install. I am wondering, if this is really the case or if I am missing something. The documentation points out that you need to authenticate first:  https://help.github.com/en/github/managing-packages-with-github-packages/configuring-npm-for-use-with-github-packages#installing-a-package.  But ther sources (e.g. stackexchange) mention, that for a simple install no authentication (GPR!) is needed - but I can’t make that work. I am also wondering, why it should be possible to browse, download and clone whole repos on github without authenticating, but you need credentials to use packages stored in GPR? This is too hard to believe, that users should get a token just to make a dependency work… so I am asking the question here:

Is it possible to npm install packages from the github package repository without authentication? 

Here is my setup in a minimal fasion: 

test@x1:~/t$<font color="#FF0000">npm install @element36-io/cash36-contracts@0.3.22</font>npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

npm ERR! A complete log of this run can be found in:
npm ERR! /home/test/.npm/_logs/2020-01-28T05_58_51_907Z-debug.log


test@x1:~/t$<font color="#FF0000">cat .npmrc</font>@element36-io:registry=https://npm.pkg.github.com/
registry=https://npm.pkg.github.com/element36-io

test@x1:~/t$<font color="#FF0000">cat package.json</font>{
"name": "cash36-npm",
"version": "0.0.1",
"description": "Used to link to cash36-contracts package on npm",
"scripts": {},
"devDependencies": {
"@element36-io/cash36-contracts": "^0.3.22"
}
}

thx

8 Likes

Hi @wstrametz,

Thank you for being here! Currently, you need to authenticate to download both public and private packages I’m afraid. We are investigating how, going forwards, maybe able to offer this functionality, however this could be a way off yet - I’ve added a +1 against this for you, and we’ll let you know as soon as we have an update that we can share surrounding this. Keep an eye on https://github.blog for all updates meanwhile.

1 Like

@andreagriffiths11 has there been any progress regarding this?

I’m working on an open source tool which I’d like to keep fully under Github just to minimize the maintenance scope, but this needing to authenticate to download even publicly released packages simply adds back to maintenance cost to myself and then cause extra cost to anybody using automated deploys that depend on my tool (since we would have to make sure that these automated processes somehow login to Github npm registry, just writing it reads highly inefficient and error-prone).

For the record, I used npm publish --access public, still no dice downloading the package without login :frowning:

2 Likes

Hey @jeanlescure apologies for the delay, let me check up on this and get back to you ASAP.

1 Like

Sooo… any update? Almost 5 months since “get back to you ASAP”