Private repo with a semver tag hangs #850

Closed
3 tasks done
midgleyc opened this issue Mar 12, 2021 · 13 comments · Fixed by #852

@midgleyc
Contributor

  • I have searched for similar issues
  • I am using the latest version of npm-check-updates
  • I am using node >= 10.17

Steps to Reproduce

  1. Add a private GitHub repo with a semver tag, e.g.
    "dependencies": {
        "@newredo/my-private-repo": "NewRedo/my-private-repo#semver:^1.0.0"
    }
    
  2. Run ncu.

Current Behavior

Hangs forever.

Expected Behavior

Either tells you it can't access the private repo or checks it.

Comments

Removing the semver tag works fine -- it only hangs when the semver tag is present.

@raineorshine
Owner

Thanks for reporting! It sounds like a bug, but I unfortunately could not manage to reproduce it. I created a private repository both with and without personal access and with and without #semver, and it returned promptly each time.

What happens when you do npx pacote packument @newredo/my-private-repo?

@midgleyc
Contributor Author

HttpErrorGeneral: 404 Not Found - GET https://registry.npmjs.org/@newredo%2fmy-private-repo - Not found

This is expected I think, because it's not on the NPM registry -- it's only on GitHub.

@raineorshine
Owner

Yes, that's expected. npm-check-updates does the same thing (that's why without #semver works). But when #semver is used with a git url, it uses git remote instead of npm/pacote.

What do you get with npx remote-git-tags-cli https://github.com/sindresorhus/remote-git-tags?

@midgleyc
Contributor Author

midgleyc commented Mar 12, 2021

Ah, I see what's happening: it prompts me for Username for 'https://github.com': but that's overridden by the progress bar, so my perception was that it hung. If I press Enter there I see Password for 'https://github.com': and if I hit enter again I can see the packages as usual.

I pull this package using an SSH key instead of a username and password -- that works transparently on an npm install.

npx remote-git-tags-cli https://github.com/newredo/my-private-repo prompts me for a username / password.

/usr/bin/git ls-remote -t ssh://git@github.com/NewRedo/my-private-repo.git shows me the tags.

npx remote-git-tags-cli ssh://git@github.com/NewRedo/my-private-repo.git also works.

@raineorshine
Owner

> Ah, I see what's happening: it prompts me for Username for 'https://github.com': but that's overridden by the progress bar, so my perception was that it hung. If I press Enter there I see Password for 'https://github.com': and if I hit enter again I can see the packages as usual.

Interesting, thanks! Maybe if I log an extra line at the beginning of remote-git-tags then the password prompt will be visible. Unfortunately I'm not sure how to get that prompt for myself. remote-git-tags-cli throws an error when I use my private GitHub url.

> I pull this package using an SSH key instead of a username and password -- that works transparently on an npm install.

npm-check-updates loads your npm config and tries to make identical requests, but this logic doesn't carry over to remote-git-tags. Having npm-check-updates work seamlessly with SSH and/or private repos has been notoriously tricky.

@midgleyc
Contributor Author

Thanks for the help debugging this -- now that I know what's causing it, I can see a workaround (press enter twice). I could also use the full form: I expect git+ssh://git@github.com:NewRedo/my-private-repo#semver:^1.0.0 to work, as it states the ssh explicitly.

I don't know how npm works out whether NewRedo/my-private-repo should be git+ssh or git+https. You could create a promise for both and take the one that returns successfully first? Seems like it would lead to unnecessary calls.

@raineorshine
Owner

raineorshine commented Mar 12, 2021

npm does a fair amount of magic to try different protocols and urls. npm-check-updates really shouldn't be doing any magic, and should just reuse your existing npm config as much as possible.

I'm not sure exactly why it works with npm install but prompts for password with npm-check-updates.

@raineorshine
Owner

Marking as unable-to-reproduce since I cannot get the password prompt, which I would need to be able to troubleshoot further.

@midgleyc
Contributor Author

Interesting, I get the password prompt every time.

Do you also not get a password prompt for /usr/bin/git ls-remote -t https://github.com/[your private repo]? If so, you might have a git credential helper configured, which could be saving the username / password. On Windows, this is probably the Credential Manager.

@raineorshine
Owner

raineorshine commented Mar 12, 2021

Good call. This does the trick for me:

/usr/local/bin/git -c credential.helper= ls-remote -t https://github.com/raineorshine/ncu-test-private

I should be able to make the password prompt visible, although I'm still not sure how to have it use your SSH credentials.

@raineorshine
Owner

When I print a blank line, it does place the password prompt on a separate line, however it causes the progress bar to be rendered twice (even when there is no password prompt).

FWIW, when I get the password prompt it's not completely hidden, but is rendered immediately to the right of the progress bar. So I'm not sure why it's completely hidden for you.

@midgleyc
Contributor Author

> FWIW, when I get the password prompt it's not completely hidden, but is rendered immediately to the right of the progress bar.

Might be a race condition? I first saw this on a repository with ~30 packages.

Testing, I see:

  • 0/2
  • 0/2 with prompt
  • 1/2 prompt disappears

So yes, I think the prompt disappears when the progress bar updates.

> although I'm still not sure how to have it use your SSH credentials.

It changes with the URL you pass to remote-git-tags. Starting with raineorshine/ncu-test-private:

  • If you pass https://github.com/raineorshine/ncu-test-private it asks for a username and password
  • If you pass ssh://git@github.com/raineorshine/ncu-test-private.git it uses your SSH key

It looks like npm plans to use CDN, then git+ssh, then git+https if the repo is specified as username/repository. For version 6, which I'm using, I expect them to do something similar: try ssh, if that fails try https and prompt.

@raineorshine
Owner

> FWIW, when I get the password prompt it's not completely hidden, but is rendered immediately to the right of the progress bar.
>
> Might be a race condition? I first saw this on a repository with ~30 packages.
>
> Testing, I see:
>
>   • 0/2
>   • 0/2 with prompt
>   • 1/2 prompt disappears
>
> So yes, I think the prompt disappears when the progress bar updates.

Yeah, by the time git remote ls is run, the progress bar is already being rendered.

>   • If you pass https://github.com/raineorshine/ncu-test-private it asks for a username and password
>   • If you pass ssh://git@github.com/raineorshine/ncu-test-private.git it uses your SSH key
>
> It looks like npm plans to use CDN, then git+ssh, then git+https if the repo is specified as username/repository. For version 6, which I'm using, I expect them to do something similar: try ssh, if that fails try https and prompt.

That's fair. That's a bit beyond what I'm available for, but I'm open to PRs. npm-check-updates currently does not do any magic with the url, so this would be new territory.
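
An added example, not part of the thread and not npm-check-updates code: one way a tool could list remote tags so that a private repo produces a prompt error instead of a credential prompt hidden behind a progress bar, trying SSH before HTTPS as the discussion above expects. The function names are hypothetical and the `owner/repo` shorthand is assumed to mean GitHub; `GIT_TERMINAL_PROMPT` and ssh's `BatchMode` are existing git and OpenSSH settings.

```javascript
// Added example, not npm-check-updates code; all function names are hypothetical.
// Remote URLs to try for an npm git dependency spec. For "owner/repo" shorthand
// (GitHub assumed), SSH comes before HTTPS, the order expected in the thread.
function candidateRemotes(spec) {
  const [target] = spec.split('#') // drop "#semver:^1.0.0"
  const explicit = target.match(/^git\+(ssh|https):\/\/(.+)$/)
  if (explicit) {
    // scp-style "git@host:owner/repo" is not valid after "ssh://"; use "/"
    const rest = explicit[2].replace(/^([^/:]+@[^/:]+):(?!\d+\/)/, '$1/')
    return [`${explicit[1]}://${rest}`]
  }
  const short = target.match(/^(?:github:)?([\w.-]+)\/([\w.-]+)$/)
  if (!short) throw new Error(`not a git dependency spec: ${spec}`)
  const path = `github.com/${short[1]}/${short[2]}.git`
  return [`ssh://git@${path}`, `https://${path}`]
}

// Environment in which git and ssh fail instead of asking for credentials.
function nonInteractiveEnv(base = process.env) {
  return {
    ...base,
    GIT_TERMINAL_PROMPT: '0', // no "Username for 'https://github.com':" prompt
    GIT_SSH_COMMAND: 'ssh -o BatchMode=yes', // no passphrase or host-key prompt
  }
}

// Tag names from `git ls-remote --tags` output; peeled "^{}" entries are merged.
function parseTags(stdout) {
  const names = [...stdout.matchAll(/\trefs\/tags\/(.+?)(?:\^\{\})?$/gm)].map(m => m[1])
  return [...new Set(names)]
}

// Tags from the first remote that answers; otherwise an error naming each failure.
async function listRemoteTags(spec, timeoutMs = 15000) {
  const { execFile } = await import('node:child_process')
  const errors = []
  for (const url of candidateRemotes(spec)) {
    try {
      const out = await new Promise((resolve, reject) =>
        execFile('git', ['ls-remote', '--tags', url],
          { env: nonInteractiveEnv(), timeout: timeoutMs },
          (err, stdout) => (err ? reject(err) : resolve(stdout))))
      return parseTags(out)
    } catch (err) {
      errors.push(`${url}: ${err.message.trim()}`)
    }
  }
  throw new Error(`cannot read tags for ${spec}:\n${errors.join('\n')}`)
}
```

A configured credential helper or a loaded SSH agent is still used under these settings; only the interactive prompts are suppressed, so the call either returns tags or rejects within the timeout.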
