npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Install of @privatescoped/package fails with 404

What I Wanted to Do

Install a package from my organisation’s private repo. npm i @myprivatescope/test-library

What Happened Instead

It fails with 404, as if authentication is not passed with the npm install command

Reproduction Steps

Login (and verify token in web interface):

    >  npm login
    Logged in as profpylons to scope @myprivatescope on
    >   cat ~/.npmrc

Create & Publish a package:

    >  mkdir test-library
    >  cd test-library

    >  npm init -y
    Wrote to /Users/paullyons/projects/temp/test-library/package.json:

      "name": "@myprivatescope/test-library",

    >  npm publish
    npm notice
    npm notice 📦  @myprivatescope/test-library@1.0.0
    npm notice === Tarball Contents ===
    npm notice 243B package.json
    npm notice === Tarball Details ===
    npm notice name:          @myprivatescope/test-library
    npm notice version:       1.0.0
    npm notice package size:  268 B
    npm notice unpacked size: 243 B
    npm notice shasum:        b2826420fcc979e7eaa0f12d9f83d0d271994ff4
    npm notice integrity:     sha512-s4Ft+21ZGAdv9[...]fQaMurgNTc3ig==
    npm notice total files:   1
    npm notice
    + @myprivatescope/test-library@1.0.0

Verify the package:

    >  npm info @myprivatescope/test-library
    @myprivatescope/test-library@1.0.0 | ISC | deps: none | versions: 1

    .shasum: b2826420fcc979e7eaa0f12d9f83d0d271994ff4
    .integrity: sha512-s4Ft+21ZGAdv9f69ja2FrcvpOl/zR4uOBFUSCATEDSHACm2J5HW0jsAIVudPo/DfQaMurgNTc3ig==
    .unpackedSize: 243 B

    - profpylons <paul@someemailaddress.zz>

    latest: 1.0.0

    published just now by profpylons <paul@someemailaddress.zz>

Try to use the package:

    >  cd ..
    >  mkdir test-app
    >  cd test-app

    >  npm init -y
    Wrote to /Users/paullyons/projects/temp/test-app/package.json:

    >  npm i --save @myprivatescope/test-library
    npm WARN @myprivatescope/test-app@1.0.0 No description
    npm WARN @myprivatescope/test-app@1.0.0 No repository field.

    npm ERR! code E404
    npm ERR! 404 Not Found - GET
    npm ERR! 404
    npm ERR! 404  '@myprivatescope/test-library@latest' is not in the npm registry.
    npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
    npm ERR! 404 It was specified as a dependency of 'test-app'
    npm ERR! 404
    npm ERR! 404 Note that you can also install from a
    npm ERR! 404 tarball, folder, http url, or git url.

    npm ERR! A complete log of this run can be found in:
    npm ERR!     /Users/paullyons/.npm/_logs/2019-07-23T13_54_31_186Z-debug.log


I’ve reviewed various github issues and the issues in this forum, which has led to checking and refreshing access tokens, republishing the package, checking the package in the the web interface. Everything look to be in order…

I’m assuming this is a misconfiguration somewhere, but I haven’t yet found anything else to change via the documentation.

Platform Info

OSX Mojave.

>  npm --versions
{ temp: '1.0.0',
  npm: '6.10.2',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '35.1',
  http_parser: '2.8.0',
  icu: '64.2',
  modules: '64',
  napi: '4',
  nghttp2: '1.34.0',
  node: '10.16.0',
  openssl: '1.1.1b',
  tz: '2019a',
  unicode: '12.1',
  uv: '1.28.0',
  v8: '',
  zlib: '1.2.11' }

OK, I figured it out with a fresh install on a VM. The problem is the initial registry= in .npmrc. Once I delete this line the scope works as expected.


>   cat ~/.npmrc

Does not work

>   cat ~/.npmrc

I can only assume this was left over from some old client where they had the public npm registry and a private nexus registry.

I hope this helps someone in the future.

The registry url should probably be (not .com). I’m not sure if that’s causing an issue, but it jumps out at me as weird.

Second, is that the actual first bit of your auth token? I see that you obscured the last bit, but since you shared the first 4 chars, and the middle bits, it means that someone would only have to guess a few characters to get the rest, if they saw the first4 ... last4 obscured version that the website shows. So, if that’s your actual token, please go to and revoke the one starting with 0032.

Yes that’s it! .org works.

I wonder how the CLI worked with the “wrong” registry line for the last few months… However, it did and it works again now. So I’m a happy camper!

ps. Thanks for the reminder about the token, it was revoked before posting :slight_smile: