Can't install from private scoped registries

[KidkArolis]

Do you want to request a feature or report a bug?
This is a regression in 1.0.0.

Explanation
This regex const SCOPED_PKG_REGEXP = /(?:^|\/)(@[^\/?]+?)(?=%2f)/:
https://github.com/yarnpkg/yarn/blob/master/src/registries/npm-registry.js#L30

introduced in this commit:
cbb27f4

or this PR:
#4027

completely breaks support for private npm registries.

The request function is sometimes called with a package name (@my/pkg) and sometimes with a full URL (https://myregistry.dev/@my/pkg/download/@my/pkg-1.0.0.tgz).

The old regex /^@|\/@/ matched such URLs, but the new one/(?:^|\/)(@[^\/?]+?)(?=%2f)/ doesn't. This means that authorization token is not sent with any tgz requests.

cc due to involvement in the original PR @lukeggchapman @BYK

[KidkArolis]

Not sure how to best fix this yet, because I don't quite understand what the PR was trying to fix or why the regex was changed.

[BYK]

The thing is, per #4027 (comment), https://myregistry.dev/@my/pkg/download/@my/pkg-1.0.0.tgz is not a valid scoped package URL. It should be https://myregistry.dev/@my/pkg/download/@my%2fpkg-1.0.0.tgz instead for it to be scoped. Ths is due to how NPM defined scoped packages. They still don't allow / in package names (even as a scope separator) and expects the URL-escaped version of it.

Can you give more details about your private server to help us resolve the issue?

[BYK]

You can try and see it yourself too:
https://registry.npmjs.org/@yarnpkg/lockfile gives you a 404 and https://registry.npmjs.org/@yarnpkg%2flockfile gets you the metadata for the scoped package.

[roderik]

I'm having the same issues with private scoped packages hosted on npmjs.com. Reverting back to 0.27.5 fixes this.

Example: https://www.npmjs.com/package/@settlemint/lib-ethereum

[KidkArolis]

The private registry implementation I'm using is https://github.com/cnpm/cnpmjs.org. We've been using it with yarn ever since the scoped package support was added in yarn. It broke with 1.0.0.

But even today scoped packages in both cnpm and official npm registry have slashes in the tarball urls.

Example 1 - https://registry.npmjs.org/@std%2fesm

Example 2 - http://registry.cnpmjs.org/@alibaba.ir/babel-preset-alibaba

Example 3 - https://registry.yarnpkg.com/@npm%2fdecorate

[BYK]

@KidkArolis - thanks a lot for the clarification!

I'm just very confused about this inconsistent behavior but I'll see if I can fix this clearly.

[lukeggchapman]

Yep so this is my fault, sorry everyone.
The private repo I was testing against was running verdaccio, which returns the tarball url with the escaped package name that is stored in the yarn.lock.
"tarball": "https://verdaccio.< private >.com:443/@scope%2fforms/-/forms-0.0.1.tgz"
which is inconsistent with KidkArolis's examples above and should probably change.

It seems that the url to get the package details have the package name escaped, but in the tarball url they are not.

[RadoRado]

Confirming - private packages installation is broken on 1.0.1. Reverting to 0.27.5 seems to be the solution for now.

[davidgwking]

similar experience as @RadoRado and @roderik , reverting to 0.27.5 is a short term fix