Instance authentication for NPM packages fail using npm ci

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Close this issue

Summary

When performing a clean install (npm ci) of an npm package from the Instance endpoint, it will raise a 404 error as the package/project path is not resolved properly. You will see errors similar to the one below.

$ npm ci --cache /tmp/no-cache
npm error code E404
npm error 404 Not Found - GET https://gitlab.example.com/api/v4/projects/203/packages/npm/@root_group/minimal-reproduction/-/@root_group/minimal-reproduction-1.0.0.tgz - Project not found
npm error 404
npm error 404  'https://gitlab.example.com/api/v4/projects/203/packages/npm/@root_group/minimal-reproduction/-/@root_group/minimal-reproduction-1.0.0.tgz' is not in this registry.
npm error 404 This package name is not valid, because 
npm error 404  1. name can only contain URL-friendly characters
npm error 404
npm error 404 Note that you can also install from a
npm error 404 tarball, folder, http url, or git url.
npm error A complete log of this run can be found in: /tmp/no-cache/_logs/2024-11-11T04_31_51_073Z-debug-0.log

Steps to reproduce

Create a top level group root_group.
Under root_group, create a project test_npm_package_publish and publish a test npm it at the instance level.
Under root_group, create a project test_npm_package_install and create the following .gitlab-ci.yml. This runs two jobs, the first job will run an npm install and authenticate against the instance level. It will then attempt another npm ci (clean install) and authenticate against the instance level. The second job will run the same set of steps however will authenticate against the project level.

stages:
  - authenticate-instance
  - authenticate-project

npm-install-instance:
  stage: authenticate-instance
  image: node:lts-alpine
  script:
    # authenticate and install from instance
    - echo @zd579391_root_group:registry=https://$CI_SERVER_HOST/api/v4/packages/npm/ >> .npmrc
    - echo //$CI_SERVER_HOST/api/v4/packages/npm/:_authToken=${NPM_TOKEN} >> .npmrc
    - npm config list
    - cat .npmrc
    - npm install --omit-lockfile-registry-resolved @root_group/minimal-reproduction
    - cat package.json
    - cat package-lock.json
    - npm ci --cache /tmp/no-cache
  allow_failure: true 

npm-install-project:
  stage: authenticate-project
  image: node:lts-alpine
  script:
    # authenticate and install from project
    - echo @zd579391_root_group:registry=https://$CI_SERVER_HOST/api/v4/projects/203/packages/npm/ >> .npmrc
    - echo //$CI_SERVER_HOST/api/v4/projects/203/packages/npm/:_authToken=${NPM_TOKEN} >> .npmrc
    - npm config list
    - cat .npmrc
    - npm install --omit-lockfile-registry-resolved @zd579391_root_group/minimal-reproduction
    - cat package.json
    - cat package-lock.json
    - npm ci --cache /tmp/no-cache
  allow_failure: true

Observe that the npm ci in the first job will fail.

Example Project

https://gitlab.com/kballon-bug-report/zd579391_npm_package_install

Note: This serves as an example template to demonstrate the structure and logic of the pipeline. As of writing, this issue is not happening in GitLab.com however happens in self-managed instances.

What is the current bug behavior?

Pipeline cannot authenticate against instance level and npm ci fails.

What is the expected correct behavior?

Pipeline can authenticate against instance level and npm ci does not fail.

Relevant logs and/or screenshots

example package.json

{
    "name": "@root_group/test-package",
    "version": "1.0.0",
    "description": "reproduction of issue",
    "main": "index.js",
    "scripts": {
      "test": "echo \"Error: no test specified\" && exit 1",
      "build": "echo \"BUILD OK\""
    },
    "author": "",
    "license": "ISC"
  }

example index.js

// index.js
function greet(name) {
    return `Hello, ${name} from GitLab package!`;
}

module.exports = { greet };

example publish .gitlab-ci.yml

default:
  image: node:latest

stages:
  - deploy

publish-npm:
  stage: deploy
  script:
    - echo "@root_group:registry=https://${CI_SERVER_HOST}/api/v4/projects/${CI_PROJECT_ID}/packages/npm/" > .npmrc
    - echo "//${CI_SERVER_HOST}/api/v4/projects/${CI_PROJECT_ID}/packages/npm/:_authToken=${CI_JOB_TOKEN}" >> .npmrc
    - npm publish

Output of checks

GitLab 17.4.2
GitLab 17.5.1

Results of GitLab environment info

Expand for output related to GitLab environment info


GitLab information
Version:        17.4.2-ee
Revision:       e85e7bae1a9
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     14.11
URL:            https://omnibus-instance.eda60ed1.gcp.gitlabsandbox.net
HTTP Clone URL: https://omnibus-instance.eda60ed1.gcp.gitlabsandbox.net/some-group/some-project.git
SSH Clone URL:  git@omnibus-instance.eda60ed1.gcp.gitlabsandbox.net:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers: saml, saml, group_saml

Results of GitLab application Check

Expand for output related to the GitLab application check

(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)
(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)
(we will only investigate if the tests are passing)

Possible fixes

Edited Aug 21, 2025 by 🤖 GitLab Bot 🤖