Publish fails with 403 after update from lerna v3 to v5

[rbirkgit]

Current Behavior

On our pipeline we build and publish our updated packages. We have been using lerna v3.22.1 for some time. It's working fine. Tried updating to v5.1.6 and now the publishing fails. Did not do any other changes other than updating the version of lerna.

Are there any known breaking changes we should be aware of? Something else I should have updated?

Edit: Still fails with Lerna v6.4.1 with same error.

Expected Behavior

I expect to still be able to publish our packages with updated lerna. This worked fine with lerna v3.

Steps to Reproduce

This is the relevant part of our groovy script:

curl -u$artifactoryUser:$artifactoryPassword https://build-artifactory.xxx.com/artifactory/api/npm/auth >> ~/.npmrc
yarn run lerna publish --yes

Failure Logs / Configuration

Log with lerna v5:

Changes:
 - @cmbu/browserstack: 13.0.0-lerna => 13.0.0-lerna.0
 - @cmbu/eslint-plugin: 13.0.0-lerna => 13.0.0-lerna.0
 - @cmbu/karma-commons: 13.0.0-lerna => 13.0.0-lerna.0
 - @cmbu/ui-sdk: 13.0.0-lerna => 13.0.0-lerna.0

lerna info auto-confirmed 
lerna info execute Skipping releases
lerna info git Pushing tags...
lerna WARN gitPush Warning: Identity file /home/jenkins/.ssh/bellevue-ci not accessible: No such file or directory.
lerna WARN gitPush Warning: Permanently added '[bellevue-ci-gerrit.xxx.com]:29418,[10.198.88.148]:29418' (ECDSA) to the list of known hosts.
lerna WARN gitPush fatal: the receiving end does not support --atomic push
lerna info gitPush --atomic failed, attempting non-atomic push
lerna info publish Publishing packages to npm...
lerna notice Skipping all user and access validation due to third-party registry
lerna notice Make sure you're authenticated properly ¯\_(ツ)_/¯
lerna WARN ENOLICENSE Packages @cmbu/browserstack, @cmbu/conventional-changelog-gerrit, @cmbu/eslint-plugin, and @cmbu/karma-commons are missing a license.
lerna WARN ENOLICENSE One way to fix this is to add a LICENSE.md file to the root of this repository.
lerna WARN ENOLICENSE See https://choosealicense.com for additional guidance.
lerna http fetch PUT 403 https://build-artifactory.xxx.com/artifactory/api/npm/npm-local/@cmbu%2feslint-plugin 149ms
lerna ERR! E403 forbidden
script returned exit code 1[CheckStyle] Skipping execution of recorder since overall result is 'FAILURE'
Recording test results

For comparison, with lerna v3:

Changes:
 - @cmbu/browserstack: 13.0.2 => 13.0.3
 - @cmbu/eslint-plugin: 13.0.4 => 13.0.5
 - @cmbu/karma-commons: 13.0.3 => 13.0.4
 - @cmbu/ui-sdk: 13.0.6 => 13.0.7

lerna info auto-confirmed 
lerna info execute Skipping releases
lerna info git Pushing tags...
lerna WARN gitPush Warning: Identity file /home/jenkins/.ssh/bellevue-ci not accessible: No such file or directory.
lerna WARN gitPush Warning: Permanently added '[bellevue-ci-gerrit.xxx.com]:29418,[10.198.88.148]:29418' (ECDSA) to the list of known hosts.
lerna WARN gitPush fatal: the receiving end does not support --atomic push
lerna WARN gitPush 
lerna info gitPush --atomic failed, attempting non-atomic push
lerna info publish Publishing packages to npm...
lerna notice Skipping all user and access validation due to third-party registry
lerna notice Make sure you're authenticated properly ¯\_(ツ)_/¯
lerna WARN ENOLICENSE Packages @cmbu/browserstack, @cmbu/eslint-plugin, and @cmbu/karma-commons are missing a license.
lerna WARN ENOLICENSE One way to fix this is to add a LICENSE.md file to the root of this repository.
lerna WARN ENOLICENSE See https://choosealicense.com for additional guidance.
lerna success published @cmbu/eslint-plugin 13.0.5
lerna notice 
lerna notice 📦  @cmbu/eslint-plugin@13.0.5
lerna notice === Tarball Contents === 
lerna notice 645B  index.js                  
lerna notice 2.4kB rules/no-barrel-imports.js
lerna notice 832B  package.json              
lerna notice 3.5kB CHANGELOG.md              
lerna notice 2.5kB package.tgz               
lerna notice === Tarball Details === 
lerna notice name:          @cmbu/eslint-plugin                     
lerna notice version:       13.0.5                                  
lerna notice filename:      cmbu-eslint-plugin-13.0.5.tgz           
lerna notice package size:  5.5 kB                                  
lerna notice unpacked size: 9.9 kB                                  
lerna notice shasum:        6c05c9d41dbd756f0bb5543d6c70473946a23799
lerna notice integrity:     sha512-xBUo3coJmz3fD[...]v3Jvcb5Gg6QXw==
lerna notice total files:   5                                       
lerna notice 
lerna http fetch PUT 201 https://build-artifactory.xxx.com/artifactory/api/npm/npm-local/@cmbu%2feslint-plugin 549ms

It seems with v5 it no longer package the files and maybe that's why it fails the publish? Not sure what else to look for in regards to error logs or other issues?

Environment

+ node -v
v14.15.4
+ yarn -v
3.1.1
+ lerna -v
5.1.6

[rbirkgit]

Our lerna.json file:

{
  "lerna": "2.9.1",
  "npmClient": "yarn",
  "useWorkspaces": true,
  "version": "independent",
  "conventionalCommits": true,
  "changelogPreset": "@cmbu/gerrit",
  "registry": "https://build-artifactory.xxx.com/artifactory/api/npm/npm/",
  "rejectCycles": true,
  "command": {
    "publish": {
      "registry": "https://build-artifactory.xxx.com/artifactory/api/npm/npm-local",
      "message": "chore(release): release new version\n\nNew releases are available for the following packages:"
    }
  }
}

[rbirkgit]

Add silly loglevel:

lerna info git Pushing tags...
lerna sill gitPush origin lerna
lerna WARN gitPush Warning: Identity file /home/jenkins/.ssh/bellevue-ci not accessible: No such file or directory.
lerna WARN gitPush Warning: Permanently added '[bellevue-ci-gerrit.xxx.com]:29418,[10.198.88.148]:29418' (ECDSA) to the list of known hosts.
lerna WARN gitPush fatal: the receiving end does not support --atomic push
lerna info gitPush --atomic failed, attempting non-atomic push
lerna info publish Publishing packages to npm...
lerna notice Skipping all user and access validation due to third-party registry
lerna notice Make sure you're authenticated properly ¯\_(ツ)_/¯
lerna sill getCurrentSHA 
lerna verb getCurrentSHA b7fccfb9ac74fee7d96c8403ba239fe1babf185c
lerna sill lifecycle No script for "prepublish" in "cmbu-ui-sdk-publish", continuing
lerna sill lifecycle No script for "prepare" in "cmbu-ui-sdk-publish", continuing
lerna sill lifecycle No script for "prepublishOnly" in "cmbu-ui-sdk-publish", continuing
lerna sill lifecycle No script for "prepack" in "cmbu-ui-sdk-publish", continuing
lerna verb pack-directory packages/ui-sdk
lerna sill lifecycle No script for "prepublish" in "@cmbu/ui-sdk", continuing
lerna sill lifecycle No script for "prepare" in "@cmbu/ui-sdk", continuing
lerna sill lifecycle No script for "prepublishOnly" in "@cmbu/ui-sdk", continuing
lerna sill lifecycle No script for "prepack" in "@cmbu/ui-sdk", continuing
lerna sill lifecycle No script for "postpack" in "@cmbu/ui-sdk", continuing
lerna verb packed packages/ui-sdk
lerna sill lifecycle No script for "postpack" in "cmbu-ui-sdk-publish", continuing
lerna verb publish @cmbu/ui-sdk
lerna http fetch PUT 403 https://build-artifactory.xxx.com/artifactory/api/npm/npm-local/@cmbu%2fui-sdk 79ms
lerna sill HttpErrorGeneral: 403 Forbidden - PUT https://build-artifactory.xxx.com/artifactory/api/npm/npm-local/@cmbu%2fui-sdk - forbidden
lerna sill     at /jenkins/workspace/cmbu-ui-sdk-publish/node_modules/libnpmpublish/node_modules/npm-registry-fetch/check-response.js:95:15
lerna sill     at processTicksAndRejections (internal/process/task_queues.js:93:5)
lerna sill     at async publish (/jenkins/workspace/cmbu-ui-sdk-publish/node_modules/libnpmpublish/publish.js:43:12)
lerna sill     at async /jenkins/workspace/cmbu-ui-sdk-publish/node_modules/p-pipe/index.js:12:19
lerna sill     at async run (/jenkins/workspace/cmbu-ui-sdk-publish/node_modules/p-queue/dist/index.js:163:29)
lerna sill  HttpErrorGeneral: 403 Forbidden - PUT https://build-artifactory.xxx.com/artifactory/api/npm/npm-local/@cmbu%2fui-sdk - forbidden
lerna sill     at /jenkins/workspace/cmbu-ui-sdk-publish/node_modules/libnpmpublish/node_modules/npm-registry-fetch/check-response.js:95:15
lerna sill     at processTicksAndRejections (internal/process/task_queues.js:93:5)
lerna sill     at async publish (/jenkins/workspace/cmbu-ui-sdk-publish/node_modules/libnpmpublish/publish.js:43:12)
lerna sill     at async /jenkins/workspace/cmbu-ui-sdk-publish/node_modules/p-pipe/index.js:12:19
lerna sill     at async run (/jenkins/workspace/cmbu-ui-sdk-publish/node_modules/p-queue/dist/index.js:163:29) {
lerna sill   headers: [Object: null prototype] {
lerna sill     date: [ 'Fri, 01 Jul 2022 16:12:18 GMT' ],
lerna sill     'content-type': [ 'application/json' ],
lerna sill     'transfer-encoding': [ 'chunked' ],
lerna sill     'x-jfrog-version': [ 'Artifactory/7.33.12 73312900' ],
lerna sill     'x-artifactory-id': [ 'ff95bf5863ecf9056e9b8d2af27b3449fffba64b' ],
lerna sill     'x-artifactory-node-id': [ 'bldartf-prd-sc-3.xxx.com' ],
lerna sill     'x-fetch-attempts': [ '1' ]
lerna sill   },
lerna sill   statusCode: 403,
lerna sill   code: 'E403',
lerna sill   method: 'PUT',
lerna sill   uri: 'https://build-artifactory.xxx.com/artifactory/api/npm/npm-local/@cmbu%2fui-sdk',
lerna sill   body: {
lerna sill     error: 'forbidden',
lerna sill     reason: "Cannot deploy to '@cmbu/ui-sdk/-/@cmbu/ui-sdk-13.0.0-lerna.10.tgz"
lerna sill   },
lerna sill   pkgid: '@cmbu/ui-sdk@13.0.0-lerna.10'
lerna sill }
lerna ERR! E403 forbidden

[rbirkgit]

Downgraded to lerna 3.22 and everything works again. I don't understand how publishing to npm could be affected by this? I guess lerna code goes directly to artifactory and not using the npm binary? And the code changed and authentication is not retrieved the same way as it used to with 5.x?

[rbirkgit]

I tried adding --no-verify-access and no difference. Still 403 with lerna 5. Worked with lerna 3.

yarn run lerna publish --yes --no-verify-access

[rbirkgit]

I am assuming we should stay with lerna 3 as v5 is not working properly?

[klutzer]

Having the same issue here after upgrade to v5

[klutzer]

Same issue on v4 as well, so probably isn't related to some recent bug

[rbirkgit]

Tried the newly released lerna 5.2 and still not working.

+ yarn run lerna publish --yes
lerna notice cli v5.2.0
lerna info versioning independent
lerna info ci enabled
lerna info Looking for changed packages since @cmbu/ui-sdk@13.0.0-lerna.16
lerna info getChangelogConfig Auto-prefixing conventional-changelog preset "@cmbu/gerrit"
lerna info getChangelogConfig Successfully resolved preset "@cmbu/conventional-changelog-gerrit"

Changes:
 - @cmbu/ui-sdk: 13.0.0-lerna.16 => 13.0.0-lerna.17

lerna info auto-confirmed 
lerna info execute Skipping releases
lerna info git Pushing tags...
lerna info publish Publishing packages to npm...
lerna notice Skipping all user and access validation due to third-party registry
lerna notice Make sure you're authenticated properly ¯\_(ツ)_/¯
lerna http fetch PUT 403 https://build-artifactory.eng.xxx.com/artifactory/api/npm/npm-local/@cmbu%2fui-sdk 311ms
lerna ERR! E403 forbidden

[bwknight877]

I'm having the exact same issue as @rbirkgit using Lerna 5.2.0

lerna http fetch PUT 403 https://artifactory.ci.corp.xxx.com/artifactory/api/npm/xxx-npm-local/@foo%2fbar 27ms
lerna ERR! E403 forbidden
error Command failed with exit code 1.

I originally thought the artifactory URL was incorrect in our previous builds, but I'm running the correct npm config commands just before the lerna publish command now:

npm config set registry https://artifactory.ci.corp.xxx.com/artifactory/api/npm/foo-npm
npm config set @foo:registry https://artifactory.ci.corp.xxx.com/artifactory/api/npm/foo-npm-local
yarn lerna publish from-package --yes

[JamesHenry]

I don't have access to a hosted private registry such as artifactory in order to try and directly reproduce. I have instead been attempting to reproduce using a locally running verdaccio, but so far not been able to.

I wonder if there is some overlap in the comment here: npm/cli#2508 (comment)

Inside of lerna a lot of packages maintained by the npm team are used, and if users were having issues with private auth in later versions of npm's tools maybe we are hitting the same points from different angles?

Would somebody mind please taking a look at that thread (particularly that comment) and seeing if there are things which can be applied to the lerna publish case?

[JamesHenry]

Additionally, if someone who is running into this issue can figure out a way to reproduce the behaviour using https://github.com/verdaccio/verdaccio instead of their real private registry that would be so, so helpful! 🙏

[bwknight877]

it looks like you might be able to get a cloud hosted instance of Artifactory for $free to test against
https://jfrog.com/pricing/#sass

[rbirkgit]

Looks like they also have free 30 day trial for self hosting:
https://jfrog.com/start-free

[bwknight877]

I can't say with any certainty that just using artifactory will reproduce the problem, it may also be how our IT has created the auth token with Artifactory and set it up in GHA, and set up that auth token in npm/yarn

[fabioscsilva]

I had the exact same issue using Lerna 5.2.0 and 5.3.0

lerna http fetch PUT 403 lerna http fetch PUT 403 https://artifactory-prd.xxx.com/artifactory/api/npm/npm/package-XX 50ms
lerna ERR! E403 forbidden
error Command failed with exit code 1.

And following the @JamesHenry comment regarding this NPM issue, we solved our problem changing our .npmrc from:

registry = https://artifactory-prd.xxx.com/artifactory/api/npm/npm/
_auth=$MyToKen

to

registry = https://artifactory-prd.xxx.com/artifactory/api/npm/npm/
//artifactory-prd.xxx.com/artifactory/api/npm/npm/:_auth = $MyToken

[JamesHenry]

That's huge, thank you for confirming that @fabioscsilva!

@bwknight877 @rbirkgit @klutzer please can you try the same thing?

[rbirkgit]

Getting the same issue. This is my new .npmrc file

registry=https://build-artifactory.eng.xxx.com/artifactory/api/npm/npm/
//build-artifactory.eng.xxx.com/artifactory/api/npm/npm/:_auth = c3ltcGhvbnktZGVwbG95ZXI6QVA0NXN5OGZhN01kRTI3ZEdadTZ0RDNNdEE4
always-auth = true
email = stan@xxx.com

[Wvduijn]

Also here same issue while trying to publish to artifactory registry even after having applied above suggestions.
Issue only occured after having updated from V3 to V5 to make use of the advantages of NX.

With exact same config everything is working fine with version 3.

Any update or clue on why this is happening?

Found 1 package to publish:
- @my-scoped-packages/example-feat => 0.8.13
lerna info auto-confirmed 
erna info publish Publishing packages to npm...
Skipping all user and access validation due to third-party registry
lerna notice Make sure you're authenticated properly ��\_(���)_/��
lerna ERR! E403 forbidden

script returned exit code 1`
```

[jackfarzan]

Linking this issue since it seems identical #2730

Have spent three days on this and tried every solution I could find, including the ones in this thread, with no success. Will have to manually publish all my packages until there is a fix.

[weiwei]

@fabioscsilva 's config works for me. Also I didn't set always-auth, and my _auth is set with npm config and it expands to two user/password entries.

[rbirkgit]

I just tried Lerna 6.4.1 and still get:

lerna ERR! E403 forbidden

What can we do to get this fixed? We are stuck with lerna v3 and cannot update.

[tevey]

We had the same issue when upgrading from lerna 4 to 6 running node 14 and npm 6. But after we upgraded to Node 18 and npm 8 it works fine to publish to our private artifactory with lerna 6.

[rbirkgit]

I tried updating to Node 18, but no luck still getting the same error:

lerna ERR! E403 forbidden

I guess many of us will forever be stuck with lerna v3. Boo! Lerna v4 broke it, and v5 and v6 still have the same issue. I wish we could revert that part so we can update.

[rbirkgit]

I finally got the update to work after years of trying!

I did the following things:

• Update to Node 18.14 (that comes with npm 9)
• Run npm config fix after getting auth from artifactory (new command with npm 9)
• Make sure every path to artifactory in package.json, lerna.json etc are the same and ends with a /. This is CRITICAL. In our lerna.json file we had a missing ending /

Just like that, three years later I got it working! And now we can use lerna 6.5.1 (dancing emoji)

It would be nice if the error handling could be improved. I discovered this when we tried publishing manually with npm 9 directly to our artifactory and it kept failing with "user not authenticated" error, even though I was. Finally added the ending / and it works. Same bad error.

[imguolao]

Got the same error.

[kadarbasha]

My observation is that how is the auth picked. One of the suggestions would be add auth specific to registry along with _auth.

// .npmrc file
always-auth=true
_auth=(key)
//(registry:_auth)=(key)