Invalid auth configuration found error when an update is found in a private npm artifacts feed

We’re also seeing this problem after switching to 1.20+. In our configuration, we’re using Azure Artifacts as the only registry, with upstream feeds to npmjs et.al. Our .npmrc looks like:

registry=https://pkgs.dev.azure.com/<org>/<project>/_packaging/<registry>/npm/registry/

always-auth=true

This also means that every package in package-lock.json will have the above registry as the resolved URL. From what I can deduce by looking at the npmrc_builder.rb file in dependabot-core, this means that this registry will be classified as a global registry, see: https://github.com/dependabot/dependabot-core/blob/f9754d41004cb5a507b3cd4920fbf48551f9aced/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb#L84

This in turn leads to this part of the code https://github.com/dependabot/dependabot-core/blob/f9754d41004cb5a507b3cd4920fbf48551f9aced/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb#L165 creating the following .npmrc :

registry=https://pkgs.dev.azure.com/<org>/<project>/_packaging/<registry>/npm/registry/
_authToken=<token>
always-auth=true

This is a problem, because since NPM v8, all auth-related values need to be scoped, see: https://docs.npmjs.com/cli/v9/configuring-npm/npmrc?v=true#auth-related-configuration

A correct .npmrc needs to look like:

registry=https://pkgs.dev.azure.com/<org>/<project>/_packaging/<registry>/npm/registry/
//pkgs.dev.azure.com/<org>/<project>/_packaging/<registry>/npm/registry/:_authToken=<token>
always-auth=true

My conclusion is that the problem lies in dependabot-core in that it no longer creates a compatible .npmrc for NPM > v8

I’ve created an issue there, let’s see what the response is: https://github.com/dependabot/dependabot-core/issues/7759

I finally managed to get this working for me. In my case it helped to edit the .npmrc file in the project repo: non-working .npmrc:

@removed:registry=https://node.bit.cloud
registry=https://pkgs.dev.azure.com/Org_removed/Project_removed/_packaging/project_removed/npm/registry/
always-auth=true

working .npmrc:

@removed:registry=https://node.bit.cloud
@npm-devops:registry=https://pkgs.dev.azure.com/Org_removed/Project_removed/_packaging/project_removed/npm/registry/
registry=https://pkgs.dev.azure.com/Org_removed/Project_removed/_packaging/project_removed/npm/registry/
always-auth=true

npm-devops needs to be the same as the name of your registry in dependabot.yml:

version: 2
registries:
  npm-devops:
    type: npm-registry
    url: 'pkgs.dev.azure.com/Org_removed/Project_removed/_packaging/project_removed/npm/registry/'
    token: 'PAT:${{FEEDACCESSTOKEN}}'
updates:
  - package-ecosystem: "npm" 
    directory: "/"
    registries:
      - npm-devops
    target-branch: "develop"
    schedule:
      interval: "daily"

of course you need to replace the ‘removed’ parts with your stuff Hope that this would work for you as well!

thanks @mburumaxwell for your sample files, they helped me with narrowing down what might be the issue!