Comments (2)
#538 (comment) captures most of the reasoning behind the decision. nexus continuing to support only legacy auth is new information and their current documentation appears to confirm, but is likely not enough to cause us to reverse our decision.
personally, using a registry that continues to require the use of a password would make me question its approach to authorization since it prevents the ability to reduce the level of access granted when leaked. i understand that recommending a registry switch is not a small task, but i would at least consider this a variable to consider when weighing continued use into the future. short of that, the best i can suggest is to continue use of the previous major version of the npm plugin, which has been stable for some time. however, we have no plans to continue maintenance of that version.
from npm.
I respect your decision but it is not always possible to switch out the registry within a company because it is used for other repositories besides npm and used by multiple departments.
I just want to simply add a workaround I implemented for our GitLab CI that doesn't require any changes in the plugin:
Based on the documentation we generate the base64 encoded string and store it in a Variable (Repository Settings > CI/CD)
In the pipeline configuration we update the npm config before executing semantic-release:
publish:
script:
- npm config set //nexus.url/repository/npm-private/:_auth=$NPM_TOKEN
# not sure if this is needed, but to be safe we remove the token so the plugin doesn't pick it up
- unset NPM_TOKEN
- npx semantic-release
The way I understand it, the plugin will pick up the existing //nexus.url/repository/npm-private/:_auth
config and skip appending the token itself.
I hope this helpful for some poor soul. :)
from npm.
Related Issues (20)
- HIGH SEVERITY security problem CVE-2021-3795 (semver-regex and find-versions) HOT 3
- You cannot publish over the previously published versions
- Provide a better error message in case of an E400 bad request without further explanation from npm
- semantic-release/npm forced npm version in scripts HOT 2
- Why is `npm version` used to set the version? HOT 1
- Add support for npm v9 HOT 7
- `prepack` run twice when set `tarballDir` HOT 1
- npm publish looks for package.json at disk root HOT 3
- Incompatible with Yarn (Berry) HOT 1
- a `Cannot read properties of null (reading 'matches'` error when using multi-semantic-release HOT 8
- Use clean-publish
- fix vulnerability with http-cache-semantics <4.1.0 HOT 4
- pkgRoot property not working HOT 1
- Provenance support not working? HOT 1
- npm whoami failing HOT 3
- `package.json` version not updated, despite correct plugin ordering HOT 1
- Set --no-workspaces with npm version HOT 2
- Command failed with exit code 1: npm version 0.22.2 --userconfig HOT 2
- error on publishing HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from npm.