tl;dr - If you have a private registry, but the package tarball artifacts are stored elsewhere, and need to send the registry auth to the tarball host, then you'll have to edit your .npmrc file to allow this.

Prior to npm version TK, the npm CLI would send the registry auth to any request for a scoped package tarball if always-auth was enabled for the scope's registry, even if the tarball host was different from the main registry host.

For security purposes, this is no longer done. Authentication information is strictly bound to a given registry, and only requests for URIs under that registry base URI will have auth sent to them. When this situation is detected, npm will print out a warning like:

npm WARN registry No auth for URI, but auth present for scoped registry.
npm WARN registry
npm WARN registry URI: http://my.private.tarball.host.com/foo/bar/baz
npm WARN registry Scoped Registry Key: //my.private.registry.host.com/registry/path/
npm WARN registry
npm WARN registry More info here: https://github.com/npm/cli/wiki/No-auth-for-URI,-but-auth-present-for-scoped-registry

Luckily, if you were relying on the previous behavior, the workaround is fairly straightforward, and this change makes you less likely to leak your npm authentication token unintentionally.

Open up the .npmrc file that contains your private registry authentication information. You can get the location of this file by running:

npm get userconfig

If you open that file in a text editor, you will see lines like this:

@my-company:registry = https://my.private.registry.host.com/registry/path/
//my.private.registry.host.com/registry/path/:_authToken = some-authentication-token

This means:

• All requests for packages starting with @my-company/ should go to the https://my.private.registry.host.com/registry/path/ registry.
• Any requests to https://my.private.registry.host.com/registry/path/... should get the specified auth token.

To fix the problem, we need to add another line in this file, so that requests to the tarball host will also get that same authentication information sent to them as well.

@my-company:registry = https://my.private.registry.host.com/registry/path/
//my.private.registry.host.com/registry/path/:_authToken = some-authentication-token
//my.private.tarball.host.com/:_authToken = some-authentication-token

Note that we strip the https: off of the URI in the configuration key, and then end it with :_authToken.

If this issue becomes a frequent source of user frustration, we will provide an easier way to say "the auth for this registry should also be sent to this other host". In the meantime, we are intentionally erring on the side of improving security and avoiding ever sending auth to a host we shouldn't.

You can tell us if you ran into this issue by posting an issue at https://github.com/npm/cli/issues If this is disrupting your workflows or blocking you from upgrading the npm CLI, then we definitely want to get it fixed for you as soon as possible!

Thank you, and our apologies for the inconvenience.