[BUG] Installing dependency from private repository ignores username #1359

Closed
ashleybaldock opened this issue May 29, 2020 · 1 comment
Labels
Bug thing that needs fixing Release 6.x work is associated with a specific npm 6 release


ashleybaldock commented May 29, 2020

What / Why

When installing a dependency from a git repository (e.g. npm install --save git+ssh://someone@github.com:npm/hosted-git-info.git) npm ignores the username (e.g. someone in this case) and defaults to git. It also 'defaults' to git if you don't specify a username (e.g. npm install --save git+ssh://github.com:npm/hosted-git-info.git).

This also happens if you directly edit the package.json to add the dependency, the username is ignored (and set to git in package-lock.json).

When

On installing a new package dependency specified via a git URL (I tested with github and gitlab URLs, and I suspect that it is a regression/bug in the underlying hosted-git-info library - which deals with these URLs).

Where

npm cli, version 6.10.2+ (I isolated the issue to version 6.10.3 onward). Initially I found this by incorrectly forgetting the git username when specifying a package - I was using 6.14.4 on node 10, my fellow dev 6.9.0 - worked for me (with npm clearly adding the username in) and not for the other dev. Adding the git username to the path fixed the issue for them and I've also replicated that result with npm 6.10.2 and earlier versions. It was during the course of replicating the issue that I spotted it ignoring the username entirely.

How

Current Behavior

npm version 6.10.3 and above:
a) ignores the username in a git URL (e.g. for git+ssh://someone@github.com:npm/hosted-git-info.git, it ignores someone and always uses git)
b) will accept and default to git for a URL missing the username, e.g. git+ssh://github.com:npm/hosted-git-info.git

Steps to Reproduce

1. npm install -g npm@6.10.3
   npm init
   npm install --save git+ssh://someone@github.com:npm/hosted-git-info.git

   a) Works, when it probably shouldn't since the username is incorrect
   b) Look at package.json, which will have the package listed with git+ssh://git@github.com:npm/hosted-git-info.git

2. npm install -g npm@6.10.3
   npm init
   npm install --save git+ssh://github.com:npm/hosted-git-info.git

   a) Works, when it probably shouldn't since the username is missing
   b) Look at package.json, which will have the package listed with git+ssh://git@github.com:npm/hosted-git-info.git

3. Edit an existing package.json.
   Add "hosted-git-info": "git+ssh://someone@github.com:npm/hosted-git-info.git" to the dependencies section
   npm install
   Observe package-lock.json, find the entry for the package just installed, URL will be git+ssh://git@github.com:npm/hosted-git-info.git

Expected Behavior

In case 2, I actually kinda like that it defaults to git as the username, although this is completely undocumented behaviour and probably shouldn't work? In case 1 & 3, I'd expect it to preserve the username, and fail to install/connect to git.

Who

I believe this relates to changes in the hosted-git-info package introduced in version 6.10.3, most likely between version 2.7.1 (the previous version included in npm 6.4.0) and 2.8.2 (the version included in npm 6.10.3)

References

@darcyclarke darcyclarke added Release 6.x work is associated with a specific npm 6 release Bug thing that needs fixing labels Oct 30, 2020
@darcyclarke
Contributor

npm v6 is no longer in active development; we will continue to push security releases to v6 at our team's discretion as per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo.

Closing: This is an automated message.
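
A way to spot the rewrite reported in this issue in an existing project, as an added example that is not part of the original issue or npm's own code: it compares the SSH user of each git+ssh spec in package.json with the one recorded in package-lock.json. The sample manifests are constructed, the dependency names other than hosted-git-info are hypothetical, `<commit>` is a placeholder, and the lockfile layout assumed is npm 6's (lockfileVersion 1, URL in `version`).

```javascript
// Added example: flag git+ssh dependencies whose SSH user in the lockfile
// differs from the user declared in package.json.

// Returns the SSH user of a git+ssh spec, null if the spec names no user,
// or undefined if the spec is not git+ssh at all. Accepts the scp-like
// host:owner/repo form used in the issue as well as host/owner/repo.
function sshUser(spec) {
  const m = /^git\+ssh:\/\/(?:([^@\/:]+)@)?[^\/:]+[:\/]/.exec(String(spec));
  if (!m) return undefined;
  return m[1] === undefined ? null : m[1];
}

function findUserRewrites(pkg, lock) {
  const findings = [];
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };
  for (const [name, spec] of Object.entries(declared)) {
    const want = sshUser(spec);
    if (want === undefined) continue;          // registry or non-ssh dependency
    const locked = (lock.dependencies || {})[name];
    if (!locked) continue;                     // not installed / not locked yet
    const got = sshUser(locked.version);
    if (got === undefined || got === want) continue;
    findings.push({
      name,
      declaredUser: want,
      lockedUser: got,
      // 'user-defaulted': no user declared, one was filled in (case 2)
      // 'user-rewritten': declared user replaced by another (cases 1 and 3)
      kind: want === null ? 'user-defaulted' : 'user-rewritten',
    });
  }
  return findings;
}

// Constructed sample manifests mirroring the three cases in the issue.
const samplePkg = { dependencies: {
  'hosted-git-info': 'git+ssh://someone@github.com:npm/hosted-git-info.git',
  'no-user-dep': 'git+ssh://github.com:npm/hosted-git-info.git',
  'ok-dep': 'git+ssh://git@github.com:npm/hosted-git-info.git',
  'registry-dep': '^1.0.0',
} };
const lockedUrl = 'git+ssh://git@github.com:npm/hosted-git-info.git#<commit>';
const sampleLock = { lockfileVersion: 1, dependencies: {
  'hosted-git-info': { version: lockedUrl },
  'no-user-dep': { version: lockedUrl },
  'ok-dep': { version: lockedUrl },
  'registry-dep': { version: '1.0.3' },
} };

console.log(findUserRewrites(samplePkg, sampleLock));
```

A finding means the account npm connects as is not the one the manifest names, which matters when reviewing which SSH identity a build is expected to use.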
