Commit b53c9fa

angela-zhang and claude authored
libraries/javascript: fix pnpm auth for upstream-fallback packages (#3445)
## What

Scopes a small fix to the **pnpm** section of the JavaScript build-configuration docs so direct-access auth works for packages served through the upstream fallback.

- Configure pnpm direct-access credentials keyed to the whole `libraries.cgr.dev` host (`//libraries.cgr.dev/:_auth`) instead of scoping them to the `/javascript/` path.
- Fix the `username`/`_password` example: pnpm requires the `_password` value to be **base64-encoded** and rejects a raw token. The previous example used the raw token and fails.

## Why

pnpm authenticates against whatever tarball URL the registry returns for each package. Packages Chainguard has not yet rebuilt are served from `https://libraries.cgr.dev/javascript-upstream/`. With credentials scoped only to `//libraries.cgr.dev/javascript/`, pnpm sends **no auth header** for the `/javascript-upstream/` path, so any install that resolves an upstream-fallback package (e.g. `react`) fails with `ERR_PNPM_FETCH_401`.

A credential keyed to the host covers both `/javascript/` and `/javascript-upstream/`. The explicit two-path form is kept in the docs as an alternative.

## Testing

Verified against **pnpm 11.8.0** with a fresh project/lockfile against `libraries.cgr.dev/javascript`:

- Host-keyed `//libraries.cgr.dev/:_auth` → `react` (upstream-fallback) resolves and downloads. ✅
- Path-scoped `//libraries.cgr.dev/javascript/:_auth` only → `ERR_PNPM_FETCH_401` on `…/javascript-upstream/react/…tgz` ("No authorization header was set"). ❌
- `username`/`_password` with a raw token fails; base64-encoded `_password` succeeds.

The **npm** section is intentionally left unchanged: npm authenticates upstream-fallback tarball fetches even with path-scoped `/javascript/` credentials, so it is already correct.

## Scope

pnpm section only (2 hunks). No changes to npm, Yarn, Bun, or repository-manager sections.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 2dd5b5a commit b53c9fa

1 file changed

Lines changed: 33 additions & 7 deletions

content/chainguard/libraries/javascript/build-configuration.md

@@ -390,14 +390,32 @@ URL to point to Chainguard and set auth credentials. The following command write
390390
export token=$(echo -n "${CHAINGUARD_JAVASCRIPT_IDENTITY_ID}:${CHAINGUARD_JAVASCRIPT_TOKEN}" | base64 -w 0)
391391

392392
pnpm config set registry https://libraries.cgr.dev/javascript/ --location=project
393-
pnpm config set //libraries.cgr.dev/javascript/:_auth "${token}" --location=project
394-
pnpm config set //libraries.cgr.dev/javascript-upstream/:_auth "${token}" --location=project
393+
pnpm config set //libraries.cgr.dev/:_auth "${token}" --location=project
395394
```
396395

397396
To set the registry at the user level instead of project-level, omit the `--location=project` flag.
398397

399398
The configuration should look like the following:
400399

400+
```properties
401+
registry=https://libraries.cgr.dev/javascript/
402+
//libraries.cgr.dev/:_auth=<base64-encoded-token>
403+
```
404+
405+
The registry URL always points to the `/javascript/` repository; you do not point
406+
it at `/javascript-upstream/`. The authentication entry, however, is keyed to the
407+
whole `libraries.cgr.dev` host (`//libraries.cgr.dev/`) rather than to the
408+
`/javascript/` path alone. This matters because packages that Chainguard has not
409+
yet rebuilt are served through the [upstream
410+
fallback](/chainguard/libraries/javascript/overview/#upstream-fallback-policy-and-controls)
411+
at `https://libraries.cgr.dev/javascript-upstream/`, and pnpm authenticates against
412+
whatever tarball URL the registry returns for each package. A credential keyed to
413+
the host covers both the `/javascript/` and `/javascript-upstream/` paths.
414+
415+
If you prefer to scope credentials per path, you must configure **both** paths.
416+
Otherwise, installs that resolve upstream-fallback packages fail with an HTTP 401
417+
error:
418+
401419
```properties
402420
registry=https://libraries.cgr.dev/javascript/
403421
//libraries.cgr.dev/javascript/:_auth=<base64-encoded-token>
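Review bot: The added sentence at new lines 415-417 ends with "fail with an HTTP 401 error:" and runs straight into the `properties` block, so the block reads as the error output when it is the per-path configuration. Suggest ending that sentence with a period and introducing the block on its own line, for example "The per-path configuration looks like the following:". The commit message reports the failure as `ERR_PNPM_FETCH_401`; naming that code in the paragraph would let readers match it against what pnpm prints. It would also help to state next to the host-keyed `//libraries.cgr.dev/:_auth` entry that this form attaches the credential to every path on the host, since that is the trade-off a reader weighs when choosing between the host-keyed and per-path forms.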
@@ -528,15 +546,23 @@ directory:
528546
export token=$(echo -n "${CHAINGUARD_JAVASCRIPT_IDENTITY_ID}:${CHAINGUARD_JAVASCRIPT_TOKEN}" | base64 -w 0)
529547

530548
pnpm config set registry https://libraries.cgr.dev/javascript/ --location=project
531-
pnpm config set //libraries.cgr.dev/javascript/:_auth "${token}" --location=project
532-
pnpm config set //libraries.cgr.dev/javascript-upstream/:_auth "${token}" --location=project
549+
pnpm config set //libraries.cgr.dev/:_auth "${token}" --location=project
533550
```
534551

535-
The trailing slash in the registry URL is required. Note that the `-w 0` option for `base64` is required and supported by the GNU coreutils versions included in most operating systems. To avoid the use of `base64`, which can behave differently across operating systems, you can alternatively set `username` and `_password` instead of `auth` with a token:
552+
The trailing slash in the registry URL is required. The authentication entry is
553+
keyed to the whole `libraries.cgr.dev` host (`//libraries.cgr.dev/`) so that it
554+
also covers packages served through the [upstream
555+
fallback](/chainguard/libraries/javascript/overview/#upstream-fallback-policy-and-controls)
556+
path. Note that the `-w 0` option for `base64` is required and supported by the GNU
557+
coreutils versions included in most operating systems.
558+
559+
Alternatively, you can set `username` and `_password` instead of `_auth`. Note
560+
that the `_password` value must still be base64-encoded; pnpm does not accept a
561+
raw token here:
536562

537563
```bash
538-
pnpm config set //libraries.cgr.dev/javascript/:username "${CHAINGUARD_JAVASCRIPT_IDENTITY_ID}" --location=project
539-
pnpm config set //libraries.cgr.dev/javascript/:_password "${CHAINGUARD_JAVASCRIPT_TOKEN}" --location=project
564+
pnpm config set //libraries.cgr.dev/:username "${CHAINGUARD_JAVASCRIPT_IDENTITY_ID}" --location=project
565+
pnpm config set //libraries.cgr.dev/:_password "$(echo -n "${CHAINGUARD_JAVASCRIPT_TOKEN}" | base64 -w 0)" --location=project
540566
```
541567

542568
Add dependencies for your project into the `package.json` file to test retrieval
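Review bot: The rewritten `_password` command at new line 565 now pipes the token through `base64 -w 0`, but the removed paragraph offered the `username`/`_password` form specifically "to avoid the use of `base64`, which can behave differently across operating systems". After this change both forms depend on `base64 -w 0`, and the new text at lines 559-561 no longer says why a reader would choose the alternative or what to do on a system where `-w 0` is not available. Suggest either stating the remaining reason to use `username`/`_password`, or giving an encoding step that does not rely on the `-w 0` option.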
