[BUG] publish with workspaces doesn't respect access controls #7199
Description
Is there an existing issue for this?
It looks like this is the same issue as #3268, although the error I'm getting is different, and it appears that the fix in 4a4fbe3 is specific to the error.
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
I am trying to use workspaces where a number of the packages should not be published (they have "private": true in their package.json). I would like to run a single command that publishes all of the non-private packages. I was hoping this would work:
npm publish --workspacesWhen I try this, I get this error:
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in to https://registry.npmjs.org/
npm ERR! need auth You need to authorize this machine using `npm adduser`
I found #3268 and was hoping that #3285 might have addressed the issue, but it that fix was specific to the EPRIVATE error code. In this case I am seeing ENEEDAUTH.
Expected Behavior
I was hoping that npm publish --workspaces could be used to publish all workspace packages except those that have "private": true in their package.json.
Steps To Reproduce
- create a package with two workspaces, one named
do-not-publishand one named@example/package - in the
package.jsonfor thedo-not-publishpackage, add"private": true - run
npm logout && npm login --registry=https://npm.pkg.github.com --scope=@example - run
npm publish --workspaces - See
npm ERR! code ENEEDAUTH
It looks like the ENEEDAUTH error is thrown for the do-not-publish package even though it includes "private": true. I assume this only happens when the user is not already authenticated with the default registry. In my case, it is occurring in a CI job where an auth-token is only provided for a non-default registry (where the scoped packages are published).
Environment
- npm: 10.2.4
- Node.js: 21.5.0