npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Can’t install scoped packages – E401 Unauthorized

We have been having similar issues all day with our Docker CI builds as well. A bit of digging, and we determined that one of our processes was nefariously writing the following line into the container’s .npmrc file:

always-auth = true

Removing this line seemed to have done the trick!

So, how did these tokens go invalid?

Might it be that they’ve been invalid since the event a few months ago, but since they were being used in requests that didn’t need auth, their invalid status was ignored by the API?

There is an issue with yarn as well:

A buddy sitting next to me was able to install the same package with npm@5 while not logged in.

In the npm chat, @fharper said “We made architectural changes that return 401 with invalid token even if the action didn’t require you to be logged”

This suggests that npm@6 is sending an invalid token while trying to install user-scoped packages while not logged in, while npm@5 is not sending a token in that same case.

I’m curious if npm whoami returns a value for you.

That being said, logging out and logging back in should do the trick. This looks like a case of a bad token.

Okay, strangely… Though I have never npm login, I did so. I was able to install the public scoped package. I then npm logout, and I was able to install the same package.

Wondering why this happened at all?! I’ve been using npm for years, never logged in once and never saw anything like this before. :thinking:

Thanks for your help!

 > npm logout
npm ERR! Unable to authenticate, need: Basic, Bearer

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/mikol/.npm/_logs/2018-11-28T06_58_41_076Z-debug.log

I am getting a similar error for npm audit.

Debug log

7 http fetch POST 401 187ms
8 verbose stack Error: Unable to authenticate, need: Bearer
8 verbose stack     at res.buffer.catch.then.body (/usr/local/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:89:17)
8 verbose stack     at <anonymous>
8 verbose stack     at process._tickCallback (internal/process/next_tick.js:188:7)

npm audit works if I delete the token from the .npmrc file.

I worked through the issue with @fharper’s help.

When this error happens, it’s not because you are not logged in - it is because you were logged in at some point in the past, but the locally-stored auth token is expired/invalid.

If you run into this error, you probably don’t even have to npm login in order to install the package - you just need to npm logout to clear the bad token.

Hmm, that’s strange. I have also the issue, but told me all things are OK.


npm logout and npm login made that fixing magic.

I have had exactly the same issue - I’ve never logged in as everything I use or publish is public. Unable to access scoped packages.

Not sure this is the only reason, our docker image for our build process never logs in. I also just did a npm logout, yarn logout and I still get the 401’s . @fharper

As this has already been resolved (please see this reply: Can’t install scoped packages – E401 Unauthorized), I’m gonna lock this to prevent the answer from getting buried and/or folks getting confused. If you have new or recurring issues in spite of the solution, please start a new topic.

I have the same with npm audit - Is this something related to the vulnerabilities found with event-stream this week? I’ve revoked all my tokens, created new ones and our CI server is still having issues to run npm audit

here is what happened:

I’m unable to reproduce the issue with an anonymous user or with a new token. I don’t seem to have any machines that were previously logged in

Unfortunately, this is not working for us. Our CI is docker-based and the images doesn’t have any reference of the user owning the token. The simple presence of it would be enough to guarantee that we can interact with NPM servers. I can also confirm that this issue is not limited to npm audit as we can’t install our own private (scoped) packages as well.

I don’t believe that I have ever signed in from the CLI…

 > npm whoami
npm ERR! Unable to authenticate, need: Basic, Bearer

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/mikol/.npm/_logs/2018-11-28T06_54_48_496Z-debug.log

And I’m not sure how I’d sign out.

The scoped packages I am trying to install are public, if that makes a difference.

Looks like we have a workaround, but this is still an issue. I’ve never had to log in to download public scoped packages in the past.

I observed this as well.

I attempted to install a public user-scoped package with npm@6.4.1 while not logged in, and got a 401.

After logging in, the same install command completed without any errors.

What I Wanted to Do

npm install --save-dev @babel/helper-module-imports

What Happened Instead

npm ERR! code E401
npm ERR! 401 Unauthorized: @babel/helper-module-imports@latest

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/mikol/.npm/_logs/2018-11-28T00_23_06_962Z-debug.log

Reproduction Steps

This seems to be a problem with scoped (@…/…) packages, not others.


0 info it worked if it ends with ok
1 verbose cli [ '/Users/mikol/.nvm/versions/node/v9.8.0/bin/node',
1 verbose cli   '/Users/mikol/.nvm/versions/node/v9.8.0/bin/npm',
1 verbose cli   'install',
1 verbose cli   '--save-dev',
1 verbose cli   '@babel/helper-module-imports' ]
2 info using npm@6.4.1
3 info using node@v9.8.0
4 verbose npm-session a53b71997cb98b00
5 silly install loadCurrentTree
6 silly install readLocalPackageData
7 http fetch GET 401 239ms
8 silly fetchPackageMetaData error for @babel/helper-module-imports@latest 401 Unauthorized: @babel/helper-module-imports@latest
9 timing stage:rollbackFailedOptional Completed in 1ms
10 timing stage:runTopLevelLifecycles Completed in 1512ms
11 verbose stack Error: 401 Unauthorized: @babel/helper-module-imports@latest
11 verbose stack     at fetch.then.res (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/pacote/lib/fetchers/registry/fetch.js:42:19)
11 verbose stack     at tryCatcher (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/util.js:16:23)
11 verbose stack     at Promise._settlePromiseFromHandler (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:512:31)
11 verbose stack     at Promise._settlePromise (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:569:18)
11 verbose stack     at Promise._settlePromise0 (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:614:10)
11 verbose stack     at Promise._settlePromises (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:693:18)
11 verbose stack     at Async._drainQueue (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:133:16)
11 verbose stack     at Async._drainQueues (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:143:10)
11 verbose stack     at Immediate.Async.drainQueues [as _onImmediate] (/Users/mikol/.nvm/versions/node/v9.8.0/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:17:14)
11 verbose stack     at runCallback (timers.js:763:18)
11 verbose stack     at tryOnImmediate (timers.js:734:5)
11 verbose stack     at processImmediate (timers.js:716:5)
12 verbose cwd /Users/mikol/src/com/styra/ui
13 verbose Darwin 16.7.0
14 verbose argv "/Users/mikol/.nvm/versions/node/v9.8.0/bin/node" "/Users/mikol/.nvm/versions/node/v9.8.0/bin/npm" "install" "--save-dev" "@babel/helper-module-imports"
15 verbose node v9.8.0
16 verbose npm  v6.4.1
17 error code E401
18 error 401 Unauthorized: @babel/helper-module-imports@latest
19 verbose exit [ 1, true ]

Platform Info

$ npm --versions
{ 'styra-ui': '0.0.0',
  npm: '6.4.1',
  ares: '1.13.0',
  cldr: '32.0.1',
  http_parser: '2.7.0',
  icu: '60.2',
  modules: '59',
  napi: '2',
  nghttp2: '1.29.0',
  node: '9.8.0',
  openssl: '1.0.2n',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.2',
  v8: '6.2.414.46-node.21',
  zlib: '1.2.11' }
$ node -p process.platform

This also happens in all our Travis builds during npm audit. Seems to be related.

How would I resolve this for Node 6?

My understanding is the version of npm bundled with Node 6 is v3.. - which doesn’t support Auth tokens.

So npm login wouldn’t generate a new token?

Someone on my team reported a similar issue and said that npm logout/npm login fixed it for him. I haven’t had a chance to confirm, but hopefully that gets you unstuck until someone at npm can investigate.