NPM public packages can't be accessed without a token #33875
Replies: 6 comments
-
I want to chime in as I am experiencing the same issue. We are publishing our component library as an NPM package in the GitHub registry. Having to configure the PAT hinder developer experience, specially when your package does not need to be private or requires authentication to be consumed. I would be curious to know as well if this access gate is by design and is never going to change. So that we can take the decision to create an organisation in NPM and publish our package there. Thanks so much! |
Beta Was this translation helpful? Give feedback.
-
We just ran into the same issue - some of our our npm's are only containing glue code (which is quite common when you develop for WebAssembly and all the IP is in the wasm binary). It would be very useful to access these npm's without token. |
Beta Was this translation helpful? Give feedback.
-
In reality it is way trickier:
This is quite unfortunate, I think GitHub really needs to fix it. Hopefully I will eventually write an in-depth blog post about this. |
Beta Was this translation helpful? Give feedback.
-
Not being able to install public npm packages from the Github registry without creating a personal access token makes it entirely unusable for a lot of normal use-cases... I wish they would fix this bug. |
Beta Was this translation helpful? Give feedback.
-
With the recent release of JSR, I think this issue deserves some attention. JSR has some interesting ideas that GitHub Packages could consider borrowing if it wants to become a serious contender. Obviously, JSR packages are publicly installable without auth. Still, JSR is an independent registry with different packages names from the NPM registry. For compatibility with NPM, all JSR packages are hosted under the Another thing worth mentioning is the idea of "upstream sources" which Azure Artifacts uses. If GitHub Packages wants to allow mixing-and-matching of packages from the same scope hosted on different registries, this could be a good solution. |
Beta Was this translation helpful? Give feedback.
-
This has posed as a problem for our org and we are now forced to publish to npmjs instead of the GitHub npm registry so packages can be truly public (accessible as anonymous). |
Beta Was this translation helpful? Give feedback.
-
Container images can apparently be made public, and accessed anonymously:
https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility
However a NPM package cannon:
https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry#authenticating-to-github-packages
This is quite confusing and counter intuitive. Why can't public NPM packages be accessed without authentication? Is this a problem of conflicting docs? I've spent a considerable amount of time trying to install a package from the NPM Github registry on a public package, but constantly got an error about missing auth token.
Am I doing something wrong, or is this by design?
Beta Was this translation helpful? Give feedback.
All reactions