npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm dist-tag add with 2FA enabled fails for non-latest tag with 500

According to the CLI docs for dist-tag:

If the tag you’re adding is latest and you have two-factor authentication on auth-and-writes then you’ll need to include an otp on the command line with --otp .

However, I just attempted to update my next tag without passing --otp <OTP>, and it failed with a 500. I’d be happy to make a PR to the docs, but I wanted to make sure I understood the rule here. Did this fail because it was updating an existing tag, rather than adding a new tag? I looked through the npm-registry-client code, and I didn’t find the business logic there, but if there is some other place I can look to derive the proper rule, I’d be happy to write something up.

Thanks npm team for being awesome!


This seems to have been an intermittent server issue. At least, I can’t reproduce it. I get 401’s when doing what you described:

npm ERR! code E401
npm ERR! Registry returned 401 for PUT on https://registry.npmjs.org/-/package/aproba/dist-tags/latest

To be clear, you can specify an existing tag and it’ll change it. If you have 2FA enabled, you do need to specify --otp and if you don’t, you should get a 401 as above.


Awesome, thanks for the clarification Rebecca! So maybe the docs should read:

If you have two-factor authentication on auth-and-writes then you’ll need to include a one-time password on the command line with --otp <one-time password> .

Does that capture the rule correctly?


Yup, looks good! :+1: