Why do public packages need authentication?

I’ve recently published a public package in the GitHub npm registry - https://github.com/flamy-dev/cornerstoneWebImageLoader/packages/297934. I added this to a repo, and the CI was unable to build because it needed authentication for accessing the repo.

@flamy-dev:registry=https://npm.pkg.github.com

Added this to .npmrc as well

yarn error message:

error An unexpected error occurred: "https://npm.pkg.github.com/download/@flamy-dev/cornerstone-web-image-loader/2.1.1/440e376405ba5a0303c61d6d2045e67aac9f257d8f7489a49ef9123438c5ed2e: Request failed \"401 Unauthorized\"".

Hi @meetmangukiya,

Unfortunately, you need to use a PAT with the read:packages scope to access packages associated with a public repository.

If you want developers to be able to clone and build your project without generating their own PAT, you can create a .npmrc file at the root of your repository like this:

@OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken="\u003c\u0052\u0045\u0041\u0044\u005f\u0050\u0041\u0043\u004b\u0041\u0047\u0045\u0053\u005f\u0054\u004f\u004b\u0045\u004e\u003e"

@OWNER is your GitHub username and _authToken is a PAT with the read:packages scope. It is encoded so that GitHub won’t automatically delete the PAT when it’s pushed to a public repository.

If you have Docker installed, you can generate the .npmrc file like this:

docker run jcansdale/gpr encode <READ_PACKAGES_TOKEN>

I hope that helps!
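A defender-side check for the setup above, added here as an example that is not the poster's, GitHub's or gpr's code: it parses an .npmrc, decodes the \uXXXX escaping that keeps the PAT out of plain string searches, and reports any _authToken stored as a literal rather than as an environment-variable reference such as ${NPM_TOKEN}. The sample .npmrc (including the ${NPM_TOKEN} line) is constructed for the example.

```python
import re

# Constructed sample: the .npmrc shape from the reply above, with the placeholder
# token still escaped as \uXXXX sequences (not a real PAT), plus one line that
# reads the token from the environment instead of storing it in git.
SAMPLE_NPMRC = r'''@OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken="\u003c\u0052\u0045\u0041\u0044\u005f\u0050\u0041\u0043\u004b\u0041\u0047\u0045\u0053\u005f\u0054\u004f\u004b\u0045\u004e\u003e"
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
'''

_UESC = re.compile(r'\\u([0-9a-fA-F]{4})')
_AUTH = re.compile(r'^\s*(?P<key>//[^=]*?:_authToken)\s*=\s*(?P<val>.*?)\s*$')
_ENV_REF = re.compile(r'^\$\{[A-Za-z_][A-Za-z0-9_]*\}$')


def decode_uescapes(value):
    """Undo \\uXXXX escaping so the stored token can be compared as plain text."""
    return _UESC.sub(lambda m: chr(int(m.group(1), 16)), value)


def find_committed_tokens(npmrc_text):
    """Return (line_no, key, decoded_value) for every _authToken whose value is a
    literal (escaped or not) rather than a ${VAR} reference resolved at install time."""
    findings = []
    for n, line in enumerate(npmrc_text.splitlines(), 1):
        m = _AUTH.match(line)
        if not m:
            continue
        raw = m.group('val').strip('"\'')
        if _ENV_REF.match(raw):
            continue  # value comes from the environment, nothing is stored in git
        findings.append((n, m.group('key'), decode_uescapes(raw)))
    return findings


if __name__ == '__main__':
    for n, key, val in find_committed_tokens(SAMPLE_NPMRC):
        print(f'line {n}: {key} holds a literal token: {val}')
```

The escaping only changes how the token looks in the file; anyone who clones the repository still obtains a working read:packages credential, which is why the check treats escaped and plain literals the same.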

So, basically publish my own token? However, this still doesn’t allow people to add this package as dependency and be able to build their project without a token, right?

@meetmangukiya,

However, this still doesn’t allow people to add this package as dependency and be able to build their project without a token, right?

Right. Packages are only accessible to GitHub accounts via a PAT; they’re not completely public. They’re really geared towards private dependencies, not public dependencies (like npmjs.com or NuGet.com are).

You might want to use them for dependencies between repositories, when a package isn’t ready to be published to a public repository yet.

Does that make sense?
