Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Private Registry Package URLs Overwritten During Dependency Resolution #10328

New issue
New issue
Open
Bug
Open
Private Registry Package URLs Overwritten During Dependency Resolution#10328
Bug
Labels
type: bug
@altsalt

Description

@altsalt
altsalt
opened on Dec 17, 2025

Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

v10.24.0

Which area(s) of pnpm are affected? (leave empty if unsure)

Dependencies resolver

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

  1. Create a project containing a .npmrc such as:
//gitlab.example.com/api/v4/projects/scope%2Fexample-package/packages/npm/:_authToken="${NPM_TOKEN}"
@scope:registry=https://gitlab.example.com/api/v4/projects/scope%2Fexample-package/packages/npm/
location=project
  1. Add a dependency in package.json such as:
	"dependencies": {
		"@scope/example-package": "0.0.1"
	},
  1. Attempt to install dependencies with pnpm install.

Describe the Bug

When configuring a private registry via a .npmrc file, the suggestion is to use <project_id> in your URLs. However, many GitLab examples use a project name with HTML entities, which the API accepts (i.e., @scope%2Fexample-package). When using this pattern, an authorization header is sent to the registry, but when a package is requested, the URL is rewritten, thus an authorization header is not sent.

Here is an example of the output I received when using the wrong key. It clearly demonstrates the URL rewrite.

❯ pnpm i
 ERR_PNPM_FETCH_404  GET https://gitlab.example.com/api/v4/projects/scope%2Fexample-package/packages/npm/@scope%2Fexample-package: Not Found - 404

@scope/example-package is not in the npm registry, or you have no permission to fetch it.

An authorization header was used: Bearer gldt[hidden]
...
 ERR_PNPM_FETCH_404  GET https://gitlab.example.com/api/v4/projects/1/packages/npm/@scope/example-package/-/@scope/example-package-0.0.1.tgz: Not Found - 404

This error happened while installing a direct dependency of /example-project/

No authorization header was set for the request.

When I change both authentication URLs in .npmrc to the <project_id> everything works as expected.

Expected Behavior

Use the specified package registry URL when installing dependencies.

Which Node.js version are you using?

14.11.1

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

NixOS 25.11

Metadata

Metadata

Assignees

No one assigned

    Labels

    type: bug

    Type

    Bug

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions